Running head: COMPREHENSIVE AAP

Melvin Dickerson

CMIT 495

Comprehensive AAP

7/10/16


Executive Summary

WWTC is opening a new regional office in New York City and will lease one floor of a building on Wall Street in order to support aggressive growth in the organization. WWTC has hired an IT director to set up a state-of-the-art network by the end of 2016. The new network will be designed to support the following business requirements: increase revenue from $10 billion to $40 billion in three to four years, and reduce the operating cost from 30 to 15 percent in the next two to three years by using an automated system for buying and selling. WWTC needs a fast, secure, and reliable network in order to support current and future growth and requirements. The network must support the following goals: provide a secure means of customer purchase and payment over the Internet; allow WWTC’s employees to attach their notebook (laptop) computers to the network to access WWTC’s resources; provide a state-of-the-art voice and data network; provide fast network services; and provide fast and secure wireless services in the two conference rooms and the lobby to accommodate WWTC’s employees and guests.


Project Goal

The primary goal of the network design project is to design and implement a fast, reliable, and secure network. The new network will ensure that WWTC has increased revenue, reduced operating costs from using an automated system for buying and selling, and a secure means of customer purchase and payment over the Internet. It will give the New York City office a state-of-the-art network design, solve the current security problems in order to keep sensitive information out of the wrong hands, and be modular and scalable to accommodate future business growth.


Project Scope

This project will design and implement a new network for WWTC’s NY office. The project will affect all departments (VP OPR, VP NW USA, VP SW USA, VP NE USA, VP SE USA, and VP M USA) at the new office, and the design is a single LAN for a single floor of the Wall Street building. The new network will address the following: a new IP addressing design; enhanced security measures on key applications and servers to mitigate or reduce security risks; integration of voice and data to reduce costs; fast and secure wireless network access for WWTC’s users and guests in the lobby and conference rooms of the office; and a new Active Directory design.


Design Requirements

The new network will support the following business and technical requirements:

Business Requirements

Increase revenue from 10 billion to 40 billion in three to four years.

Reduce the operating cost from 30 to 15 percent in two to three years by using an automated system for buying and selling.

Technical Requirements

Provide a secure means of customer purchase and payment over the Internet.

Allow employees to attach their notebook computers to the WWTC network and Internet services.

Provide a state-of-the-art VoIP and data network.

Provide faster network services.

Provide fast and secure wireless services in the lobby and two large conference rooms (100x60).

WWTC’s LAN Requirements

Provide a modular, scalable network.

Provide redundancy at the building core, distribution, and access layers to avoid a single point of failure.

For building access, provide redundant uplink connections to the distribution layer.

Provide an IP addressing redesign that optimizes IP addressing and routing, along with provisions to implement IPv6 in the future.

Provide aggregated routing protocols with a hierarchical IP scheme.

Use NAT to reduce the number of assigned IP addresses.

Centralize all services and servers to make the network easier to manage and more cost-effective.

Provide a LAN speed of at least 100 Mbps and an Internet speed of at least 54 Mbps.


Provide extra capacity at switches so authorized users can attach their notebook PCs to the network.

Standardize on TCP/IP protocols for the network. Macintoshes will be accessible only on guest notebooks but must use TCP/IP protocols or the Apple Filing Protocol (AFP) running on top of TCP.

Install DHCP software to support notebook PCs.

WWTC VOIP Requirements

Integrate the voice and data networks to reduce cost. Use IP phones to remove reliance on phone lines as much as possible.

Provide 100% connectivity with a minimum number of outside lines.

Provide provisions for video conference and multicast services.

WWTC’S Wireless Network Requirements

Provide wireless network access to network users and guest users in a limited area (lobby and conference rooms) by using directional WAPs.

In the conference rooms and the lobby, the user will get a minimum of 54 Mbps of bandwidth.

Provide fast and secure wireless services in the lobby and two large conference rooms.

Use open authentication for the public-facing wireless access and 802.1X for wireless access in the conference rooms.

Allow employees to attach their notebook computers to the WWTC network and Internet services.

Use the 802.1X RADIUS server to point to a NAP server to ensure that outside computers meet certain requirements before connecting to the network.

WWTC’s Active Directory Requirements

Implement a highly developed OU structure and implement security policies via GPOs at all domains, OUs, and workstations.

Implement VeraCrypt drive encryption for all server, workstation, and laptop drives so that non-Windows devices will be encrypted.

Create and implement GPO policies to enforce either full encryption or used-disk-space-only encryption when BitLocker is enabled on a drive.

Implement BranchCache on Windows Server 2014 to enhance and improve network performance, manageability, scalability, and availability.

Implement Cache Encryption to store encrypted data by default.

Implement Failover Cluster services.

Implement the File Classification Infrastructure feature to provide an automatic classification process and to classify files according to level of sensitivity: top secret, secret, or confidential.

Implement IPAM to administer and manage IP addresses on WWTC’s network.

Implement Windows Deployment Services to enable remote deployment of Windows operating systems.

Implement secure backups to minimize downtime in the event of a disaster. This would include RAID arrays on servers, volume shadow copies and incremental backups for workstations, and remote backups for servers to include Active Directory and file contents.

WWTC’s Security Requirements

The network design will solve the following security problems that were identified at other WWTC offices:

E-mail had been inappropriately used at times to communicate business-sensitive information.

Confidential business information and public data were connected to the same physical network.

End-user systems had inappropriately housed confidential data that should have resided only on servers. In addition, some of the end-user systems were found to be laptops, which had left the facility in clear violation of security policies.

Some logical control systems were found to rely on username and password combinations only.

Some sensitive business information was found to be transmitted in clear text between server and client.

These are the security requirements that will solve the issues listed above:

Internet connectivity and any other unclassified network must be physically separate from the classified network.

The classified network must be physically secure to prevent any access to the classified network’s data. Controls should be put in place to prevent local users from removing data from the systems in any way; this includes removable media, AV recorders, pen and paper, and any form of printer.

All data transmitted on the classified network must be cryptographically protected throughout the network.

All classified data must be centrally stored and secured in a physically separate area from the unclassified network.

All data crossing wide-area links should undergo another layer of cryptographic protection such as IPsec/VPN/SSL.

All public servers must be configured for HTTPS connections, accept only requests from valid IP addresses that pass through the firewall, and require some form of identity from the connecting party.

Implement a DMZ for services that can be accessed from the Internet, such as email and file servers.

Use firewalls and IPS and IDS systems to detect and prevent malicious traffic.

For site-to-site VPN tunnels, all devices must be mutually authenticated and cryptographic protection must be provided.

For PSTN dial-up, dial-up clients must authenticate with a username and an OTP.

New WWTC Applications

Microsoft Office 2014

Sending and receiving e-mail

Surfing the Web using Netscape or Microsoft’s Internet Explorer applications to access information, participate in chat rooms, and use other typical Web services

Accessing the library card-catalog File Server application

Custom/In-House Applications

Market Tracking Application: This application will provide real-time status of the stock and bond markets to brokers and their clients.

Stock and Bond Analytical Application: This application will provide analysis of stocks and bonds to brokers only.

On Line Trading: WWTC wishes to train new clients in online trading to attract new customers. WWTC will sign up new clients to receive streaming video and instructions.

Current State of the Network


This diagram depicts the current state of WWTC’s network at other regional offices. Audits found several issues with the current network: (a) email had been inappropriately used at times to communicate business-sensitive information; (b) confidential business information and public data were connected to the same physical network; (c) end-user systems had inappropriately housed confidential data that should have resided only on servers, and some of the end-user systems were found to be laptops, which had left the facility in clear violation of security policies; (d) some logical control systems were found to rely on username and password combinations only; and (e) some sensitive business information was found to be transmitted in clear text between server and client.


Design Solution

Proposed Network Topology


Item Name / Description / Roles

Cisco ASR 1001 Edge Router

Description: These routers sit at the edge of the WWTC network, connecting the company to the WAN Internet Service Provider links. Delivers high-performance throughput with services turned on, enabling deployment agility in high-end enterprise branch, WAN edge, and managed services.

Roles: 1. Managed services, including VPN and firewall. 2. Provides WAN aggregation and secure, encrypted WAN connectivity. 3. Provides WWTC with Deep Packet Inspection (DPI).

Cisco IPS 4270

Description: These Intrusion Prevention Systems monitor IP traffic within WWTC's network.

Roles: 1. An inline network security appliance. 2. Protects the WWTC network from worms, viruses, and malicious traffic while maintaining business continuity. 3. Detects threats to intellectual property and WWTC customer data. 4. Reduces the time and effort required to implement and update security measures.

KG175D High Assurance IP Encryption

Roles: 1. Encrypts WWTC traffic between geographically separated locations. 2. Ethernet, IPv4/IPv6 dual-stack compatible.

Cisco Access Control System

Description: WWTC's centralized identity and access policy solution, combining network access policy and identity strategy.

Roles: 1. WWTC-managed access policy device that defines policy rules in both IPv4 and IPv6 networks. 2. Integrates with external identity and policy databases, including WWTC's Windows Active Directory, to control network access. 3. Provides standards-compliant Authentication, Authorization, and Accounting (AAA) services to the WWTC network for VPN and wireless.

McAfee Server

Description: Provides WWTC security to prevent malware, exploitation, reconnaissance, denial of service, loss of data, and intrusions, and is centrally managed.

Roles: 1. Provides VirusScan Enterprise. 2. Integrates Host Intrusion Prevention (HIPS). 3. Prevents data loss with Data Loss Prevention.

Cisco ASA 5500 Firewall w/IPsec

Description: The Cisco ASA firewall will protect WWTC's networks and its data centers. It provides users with highly secure access to data and network resources - anytime,

Roles: 1. Offers integrated IPS, VPN, and Unified Communications capabilities. 2. Helps WWTC increase capacity and improve performance through high-performance, multi-site, multi-node clustering.


Proposed Network Topology Icon Explanation

LAN Solution

WWTC will use the 172.0.0.0/20 address block, which should be able to accommodate every device along with capacity for 100% growth. To begin, the designer will separate the subnets along the division of job title, since those jobs will have resources and policies shared between them. For example, there are policies that will need to be applied to staff that will not be applicable to brokers. The next step was to determine the number of devices currently in place for the office: the four reception offices can hold a maximum of 14 devices each between wired and wireless connections. This allows for multiple devices per person needing access to what will be the guest network, and gives an immediate total of 56 connections. To make room for 100% growth, a subnet will be created to handle an assumed total of 112 devices. To create this subnet, the design must use the 128 place in the octet. Since we have started at the bottom of our address range at 172.0.0.0, we begin our division in the last octet. We take the first three octets as network bits and then add the 128 bit as a network bit to denote that the only changes being made are to the last 7 bits of the last octet. This gives the address range 172.0.0.0 – 172.0.0.127, since we cannot change the 128-bit portion. We can also denote this as 172.0.0.0/25, since we have 25 network bits. We now repeat this process for our other divisions.

For VoIP, a chart shown in the appendix specifies that WWTC needs 94 Internet-connected (VoIP) phones. Doubling that means accommodating room for 188 phones, so a full octet must be used. Since the VoIP phones will be static and we do not want them to encroach upon other divisions that we may need to add in the future, we place this subnet in the upper ranges of our given 172.0.0.0/20 range. The /20 prefix shows that there are 20 network bits, which use the first two octets and the first four bits of the third octet. This means that only the last 4 bits of the third octet (8, 4, 2, and 1) will change, giving the highest address of 172.0.15.255. For VoIP, we chose the range 172.0.13.0/24, since we will need to use the final octet for the possible 188 phones. For the conference rooms, we assume a maximum capacity of 10 in each, for 20 devices; we must accommodate 40 for the future. For the staff, we counted the number of desks in the design, giving us 48 connections needed. For our printers, we are told that there are currently 20. For the servers we have a given 40 devices plus an additional 7 that will be used for DNS, DHCP, and Active Directory; we must double that to 94 servers for future networking needs. We use the given diagram to determine our needs for the managers and brokers as well. For the executive segment, we used the given number of devices needed for the current executive offices and extended that into the vacant offices, assuming that any new executive will sit in one of those. This gives us a total of 26 currently needed addresses, with us needing to provide for 52 for future growth.
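The carving described above can be checked mechanically. The following Python allocator is an added example, not part of the original paper: it takes the current device counts stated in this section, doubles them for 100% growth, picks the smallest prefix that fits each count, and carves subnets out of 172.0.0.0/20 largest-first from the bottom of the range, with VoIP pinned at 172.0.13.0/24 as the design specifies. The segment names and the first-fit order are assumptions of the example.

```python
import ipaddress
import math

# Per-segment device counts as stated in the LAN design (constructed here from the text).
CURRENT_DEVICES = {
    "guest_reception": 56,   # four reception offices x 14 devices
    "voip_phones": 94,
    "staff": 48,
    "servers": 47,           # 40 servers + 7 for DNS, DHCP and Active Directory
    "executives": 26,
    "conference_rooms": 20,  # two rooms x 10 devices
    "printers": 20,
}


def hosts_with_growth(current, growth=1.0):
    """Capacity to plan for: the current count plus 100% growth by default."""
    return math.ceil(current * (1 + growth))


def prefix_for_hosts(hosts):
    """Smallest prefix length whose usable host count (2^bits - 2) covers `hosts`."""
    host_bits = 2
    while (2 ** host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def allocate(block, demands, pinned=None):
    """Carve one subnet per segment out of `block` (VLSM).

    Largest demand first, lowest free address first, which mirrors the text's
    'start at the bottom of the range'. Segments named in `pinned` get exactly
    the network requested (the design places VoIP at 172.0.13.0/24).
    Returns (plan, remaining_free_blocks).
    """
    pinned = pinned or {}
    free = [ipaddress.ip_network(block)]
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        if name in pinned:
            want = ipaddress.ip_network(pinned[name])
            if want.prefixlen > prefix:
                raise ValueError(f"{name}: {want} is too small for {hosts} hosts")
            chosen = next((c for c in free if want.subnet_of(c)), None)
        else:
            free.sort(key=lambda n: int(n.network_address))
            chosen = next((c for c in free if c.prefixlen <= prefix), None)
            want = None
        if chosen is None:
            raise ValueError(f"{name}: no free block for a /{prefix} in {block}")
        if want is None:
            want = next(chosen.subnets(new_prefix=prefix))  # lowest subnet of that size
        free.remove(chosen)
        free.extend(chosen.address_exclude(want))  # hand back the unused remainder
        plan[name] = want
    return plan, free


def growth_plan(block="172.0.0.0/20", pinned=None):
    """Plan for the doubled counts; the design's own VoIP placement is passed via `pinned`."""
    demands = {name: hosts_with_growth(n) for name, n in CURRENT_DEVICES.items()}
    return allocate(block, demands, pinned)


if __name__ == "__main__":
    plan, free = growth_plan(pinned={"voip_phones": "172.0.13.0/24"})
    for name, net in plan.items():
        print(f"{name:17s} {str(net):18s} usable hosts: {net.num_addresses - 2}")
    print("unallocated:", [str(n) for n in free])
```

Running it reproduces the paper's 172.0.0.0/25 guest subnet and 172.0.13.0/24 VoIP subnet, and lists the blocks left over for segments the design has not sized yet (managers and brokers).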

In order for the two core layer routers to communicate and exchange routing information, the EIGRP routing protocol will be implemented. EIGRP is a distance-vector routing protocol that will allow the two core routers to pass routing information to each other and build their routing tables. Both core layer routers will be configured with EIGRP as the routing protocol in order to keep copies of the neighboring routers’ routing tables, and will be able to query these tables to find the best route, with the lowest cost, for packets transmitted over the wire. By default, EIGRP auto-summarizes routes at each network boundary. Such route summarization points will include: 172.16.0.0/30, 172.16.0.4/30, 172.16.0.8/30, 172.16.0.12/30, 172.16.0.16/30, and 172.16.0.20/30.


Wireless Solution

The design of the wireless network should provide a very fast and secure wireless connection in the lobby as well as the two large conference rooms. For efficient, full Wireless Access Point (WAP) coverage of the lobby and the two conference rooms, and because the target areas are located apart within the office, a Cisco Aironet 1250 Series WAP will be configured in each of the rooms and the lobby. The Aironet 1250 is an ideal choice for the conference rooms due to the high bandwidth usage of the voice, data, and video applications used in these areas. The WAP is also a dual-band device with multiple channels, capable of limiting channel overlap during high traffic usage, and it supports rogue access point detection, being able to detect malicious users and alert the administrator. A Cisco 4400 Series Wireless LAN Controller will be added to provide a single management point for real-time communication to and from the WAPs, and will deliver centralized security policies, intrusion detection and prevention capabilities, quality of service, and efficient mobility services.

The WLC connects to the access layer PoE switches and is configured with three VLANs: WWTC employee, WWTC guest, and voice for wireless phones. In order to ensure maximum bandwidth and reduce RF interference, these APs will be placed in the center of each location and will be configured to use 802.11g (which supports the 54 Mbps bandwidth requirement) on the 2.4 GHz frequency. The 2.4 GHz frequency is the best frequency to use since other devices such as microwaves use the 5 GHz frequency, and if the APs used the 5 GHz frequency there would be a risk of RF interference. The APs are going to be mounted at each end of the two conference rooms and the lobby area instead of overhead so that they do not negatively affect each room’s aesthetics. To maximize channel and bandwidth usage, the APs will be installed eight feet from the floor in each room and will face downward at 40 degrees. The antennas will be directional in order to ensure adequate coverage, and the APs in the two conference rooms will use separate channels (channels 6 and 11) in order to prevent similar channels from interfering with each other at the overlapping point. The lobby APs will be placed at each end, eight feet from the floor, facing downward at 40 degrees. Both antennas will be directional in order to ensure adequate coverage, along with using separate channels (6 and 11) to mitigate channel interference.

For security, all of the access points will use 802.1X (WPA2 Enterprise) authentication, where all WWTC users and guests must provide their username and password (guests will be provided a temporary username and password) before authenticating onto the WLAN. The 802.1X standard also features encryption via EAP. This ensures confidentiality, since unauthorized users, such as a war driver using a packet sniffer to view data transmitted over the WLAN, cannot view the data. VLANs will be configured on the WLC to separate traffic on the WLAN. The names of the VLANs are: WWTC employees, WWTC guests, and voice. Employees in WWTC’s NYC office will be on the WWTC employees VLAN, external users who need to access WWTC’s WLAN at any of the three locations will be on the WWTC guests VLAN, and the voice VLAN will be configured to handle wireless phone communication.


VoIP Solution

A VoIP solution will be implemented in order to reduce costs and maintain 100% connectivity. The VoIP implementation must also be scalable to provide for future growth and have fault tolerance. The New York office will need to separate VoIP from the data network to prevent interference on the lines and congestion over the network. When carried together with the data traffic, VoIP traffic will suffer from decreased bandwidth whenever there are delays or other issues over the network. By keeping VoIP on its own dedicated VLAN, these issues will be avoided. The VLAN will also make it easier for administrators to manage the VoIP network. Unified Communications Manager can be used to both monitor and manage IP telephony and video services throughout WWTC. The Cisco Business Edition 6000 offers most elements of the Unified Communications Manager console, including VoIP and video messaging services.

Outside telephone lines will be provided through public switched telephone network (PSTN) channels. WWTC’s executive staff and brokers will be making commercial calls outside of the organization and will need PSTN phone lines. Due to the number of users (around 28) and the heavy call volumes expected, it is estimated that executive staff and brokers will need about six PSTN channels at a 5:1 person-per-channel ratio. For redundancy, voice-network dial peers can be established to maintain 100% connectivity. To ensure PSTN redundancy, WWTC should consider purchasing two geographically separated SIP trunk entry points from the PSTN provider, use two IP addresses (one primary and one secondary) for the trunks, and terminate each trunk on a different device. This will ensure that if one link fails, the other will pick up the slack and WWTC NY branch office users will be able to continue making outside calls regardless of a single trunk entry failure.

Security Solution

WWTC will implement a security solution that will protect the NY office’s network from the following attacks: reconnaissance attacks, access attacks, Denial of Service (DoS), and worms, viruses, and Trojans. This solution will enable the office to provide high availability by mitigating these attacks through technology and organizational practices, while maintaining confidentiality and integrity to prevent the network from being compromised. The solution will be used to mitigate and/or reduce the following security risks:

Reconnaissance Mitigation

Unauthorized users, such as hackers looking to gain information about WWTC’s network, are a serious threat. Packet sniffers, port scans, ping sweeps, and information queries on the Internet are several ways in which reconnaissance of the network could occur. Reconnaissance attacks can be mitigated using several tools, such as firewall implementation, strong authentication techniques, cryptography, a switched infrastructure, and anti-sniffer tools.

WWTC will use a firewall to prevent ping sweeps, port scans, and other types of network probing. Inclusion of a Cisco IOS-based firewall provides adequate protection at this level; however, there is the possibility that other network resources may also need to be involved to mitigate damage. The Cisco IPS 4270 Intrusion Prevention System (IPS) is also included, as it is designed to provide countermeasures to these types of attacks.
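The firewall and IPS named above are what detect ping sweeps and port scans in this design. As an added illustration of the logic such a sensor applies, and not code from the paper or from Cisco, the following Python runs a distinct-target and distinct-port count over a sliding time window of constructed firewall log lines. The log line format, the addresses, and the alert threshold of 10 are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-like firewall line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: dport=(?P<dport>\d+))?(?: type=(?P<itype>\d+))?$"
)


def parse(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def _first_window_hit(events, window, threshold):
    """events: sorted (ts, value) pairs. Return (distinct_count, window_start) for
    the first window in which the distinct values reach threshold, else None."""
    for i, (start, _) in enumerate(events):
        seen = set()
        for ts, value in events[i:]:
            if ts - start > window:
                break
            seen.add(value)
            if len(seen) >= threshold:
                return len(seen), start
    return None


def detect_recon(lines, window=timedelta(seconds=60), threshold=10):
    """Flag ping sweeps (one src -> many dst via ICMP echo request) and port scans
    (one src -> many dports on one dst) seen within a sliding time window."""
    echo_targets = defaultdict(list)   # src -> [(ts, dst)]
    tcp_ports = defaultdict(list)      # (src, dst) -> [(ts, dport)]
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["proto"] == "icmp" and ev["itype"] == "8":
            echo_targets[ev["src"]].append((ev["ts"], ev["dst"]))
        elif ev["proto"] == "tcp" and ev["dport"] is not None:
            tcp_ports[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))

    alerts = []
    for src, evs in echo_targets.items():
        hit = _first_window_hit(sorted(evs), window, threshold)
        if hit:
            alerts.append({"kind": "ping_sweep", "src": src, "dst": None,
                           "count": hit[0], "first_seen": hit[1]})
    for (src, dst), evs in tcp_ports.items():
        hit = _first_window_hit(sorted(evs), window, threshold)
        if hit:
            alerts.append({"kind": "port_scan", "src": src, "dst": dst,
                           "count": hit[0], "first_seen": hit[1]})
    return alerts


def build_sample_log():
    """Constructed sample: one outside host sweeps 12 addresses, then walks 15 ports
    on a server; a normal client talks to the same server on 443 and pings it once."""
    base = datetime(2016, 7, 10, 9, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    scanner, client, server = "203.0.113.9", "198.51.100.4", "172.0.1.10"
    lines = [f"{stamp(i)} DENY proto=icmp src={scanner} dst=172.0.0.{i + 1} type=8"
             for i in range(12)]
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389]
    lines += [f"{stamp(60 + i)} DENY proto=tcp src={scanner} dst={server} dport={p}"
              for i, p in enumerate(ports)]
    lines += [f"{stamp(120 + 10 * i)} ALLOW proto=tcp src={client} dst={server} dport=443"
              for i in range(5)]
    lines.append(f"{stamp(130)} ALLOW proto=icmp src={client} dst={server} type=8")
    return lines


if __name__ == "__main__":
    for alert in detect_recon(build_sample_log()):
        print(alert)
```

The benign client never trips either rule because it touches one host and one port, which is the behavioural difference a sensor relies on to separate probing from normal use.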


Access Attack Mitigation

Access attacks see intruders attempt to gain access to the network or escalate privileges to perform inside attacks. Password and man-in-the-middle attacks are commonly used in access attacks. To prevent password attacks, WWTC will use Active Directory password policies and configurations to develop rules that require users to create strong passwords of at least 10 characters, add complexity by including special characters, and enforce a three-month password limit before it must be changed. Two-factor authentication will be integrated into the WWTC network, combining username and password access with a smart card and PIN. This is the standard for access to the network and its resources. Mitigation of man-in-the-middle attacks requires cryptographic protection. SHA-1 hashes will be used, as their large digest size of 20 bytes makes it difficult, or at least unlikely, that two messages sent through a secure transmission will have the same SHA-1 signature.

DoS Mitigation

Denial of Service attacks harm networks by flooding targeted devices and components with an overload of traffic that subsequently denies all users and customers access to network resources. WWTC will need to be able to filter incoming traffic before it reaches the firewall or other network devices, as they do not provide sufficient protection from such attacks. The Cisco Guard XT device will be installed to mitigate DoS attacks through a layered five-module process:

Filtering – Dynamic filters detail the flow of traffic and provide live updates that continually increase verification for suspicious traffic and block traffic that has been identified as suspicious.

Active Verification – Verifies that the packets entering the network have not been spoofed. Mechanisms are also in place to validate legitimate packets and prevent verified traffic from being discarded.

Anomaly Recognition – Monitors all traffic not stopped by the dynamic filters or active verification, compares it to baseline behavior recorded over time, and searches for any kind of deviation that would identify malicious packets. This is based on the principle that the pattern of traffic originating from a "black-hat" daemon residing at a source differs dramatically from the pattern generated by legitimate sources during normal operation. This principle is used to identify the attack source and type, as well as to provide guidelines for blocking traffic or performing more detailed analysis of the suspected data.

Protocol Analysis – Processes the flows that the anomaly recognition module deemed suspicious in an effort to identify application-based attacks, such as HTTP error attacks. Other misbehaving protocol transactions are also identified.

Rate Limiting – Further enforcement that prevents the overwhelming of a target by misbehaving flows while performing further detailed monitoring. Traffic flow is shaped, and resource-eating sources that use up too much time are penalized.

Worms, Viruses, and Trojan Horses Mitigation


Worms, viruses, and Trojan horses pose significant harm to WWTC’s network if not protected against. All users in WWTC will be required to undergo training on how to identify threats, including malicious emails, phishing attempts, software downloads that may contain worms or viruses, and the use of portable devices on the network. Users are also expected to read and understand WWTC security policies concerning worms, viruses, and Trojans, as these policies are designed to prevent the introduction of such threats to the network. WWTC will provide a server hosting McAfee antivirus software to mitigate the threat of worms, viruses, and Trojans. In addition, regularly scheduled updates will be in place to keep up with new, emerging threats and keep all network clients up to date. Updates and scans will be run after work hours to prevent slowdowns for WWTC users.

Active Directory Solution

WWTC’s NY office needs Active Directory in order to simplify day-to-day IT support, such as password resets, since the office is largely autonomous and has few IT personnel. This Active Directory design will support the following requirements: greater workstation, server, and laptop security, and simplified administration for WWTC’s IT staff. The solution will have the following features. BitLocker drive encryption will protect sensitive information stored on the hard drives of WWTC’s workstations, servers, and laptops from being compromised in the event of hard drive theft. All group policy settings will be based on the security policies to ensure adequate user account security. Cache Encryption will be implemented to store and encrypt sensitive information on the servers. Smart card authentication will be implemented, requiring WWTC’s NY office users to use their smart cards and PINs to gain access to network resources. A file classification system will be implemented to classify files according to their level of sensitivity.

Network Management

A network management tool that will best suit WWTC’s NY office is Network Performance Monitor (version 12) from Solarwinds. This tool has features such as performance metrics for wireless networks, Web-based network monitoring dashboards, monitoring of network hardware for issues such as high CPU temperature or faulty power supplies, configurable network baselines, packet captures to analyze and troubleshoot issues, and custom network performance reports for further analysis of issues in the new network (Solarwinds, 2016, p. 1). This tool will help take the load off the network administrators, since it will allow them to focus on making sure that the network continues to support and meet the desired requirements, along with gathering information on network issues before the end users begin to call the service desk and complain. Since this tool monitors for network issues, the number of service desk complaints will also drop, since the administrators can troubleshoot in a short amount of time.


Implementation Plan

Project Schedule

DATE COMPLETED – PROJECT MILESTONE

July 8: Business and design requirements identified for network, security, and Active Directory implementation.

July 15: Preliminary network design submitted for WWTC’s review.

July 22: WWTC requests network design modifications.

July 29: Preliminary security design submitted for client review.

August 5: WWTC receives requests for security design modification.

August 12: Preliminary Active Directory design submitted for client review.

August 19: Active Directory design modification requests received from client.

August 26: Final designs (network, security, Active Directory) submitted to WWTC along with employee training plan.

September 2: Network equipment and WAN links purchased from vendors and service providers.

September 16: All network equipment will be onsite and accounted for.

September 23: Installation of WAN links completed.

October 7: Installation and configuration of network infrastructure devices completed at the first floor of WWTC’s NY office. Security controls enabled on the devices.

October 15: Performance testing completed at the first floor of WWTC’s NY office.

October 22: Active Directory configuration and implementation completed. WWTC NY office’s IT personnel trained on new network devices.

November 4: WWTC has completed a preliminary audit of network, security, and Active Directory implementations.

November 18: Modification requests due from WWTC.

November 25: WWTC’s modification requests completed.

December 9: Support for network, security, and Active Directory implementations ends.


Plan with Vendors

In the weeks leading up to September 2nd in the project schedule, WWTC will begin purchasing equipment from the following vendors: Microsoft, Cisco, HP, and Dell. From Microsoft: 133 licenses for McAfee Anti-virus for 89 computers and 44 servers, 87 licenses for Microsoft Office 2014, and Microsoft Exchange. From Cisco: 94 VoIP phones, one Cisco Unified Communications call manager system, a voice gateway, three Cisco Catalyst 4510R+E access layer switches, three Cisco Catalyst 6503-E distribution layer switches, three Cisco ASR 1001 core layer routers, one Cisco ASA 5500 firewall, four Cisco IPS 4270 Sensors, and a Cisco Access Control system. From HP: nine HP ProLiant DL380 servers, an HP StorageWorks EVA4400 AG637BR Hard Drive Array SAN, and 20 HP Color LaserJet Pro MFP printers. From Dell: 87 Dell 22” monitors, 20 E-Port Plus docking stations, 20 laptops with Windows 10 installed, and 55 Precision Tower 3000 Series workstations with Windows 10 installed. For WAN links, WWTC will purchase links from Verizon (150x150 Mbps T-1 link) and AT&T (to connect to their metro Ethernet network). After the equipment is onsite at the NY office, WWTC will conduct an inventory to check whether anything is missing and, if so, notify the vendor of the issue.


Outsourcing Network Management

WWTC will hire Earthlink, a network services provider, to provide network management solutions such as (a) network threat monitoring and defense; (b) network diagnostics to ensure that the new network will support WWTC’s business requirements; and (c) monitoring tools such as myLink to ensure good network performance. This allows WWTC’s IT staff to focus more resources on strategic and critical priorities instead of daily maintenance, and provides security diagnostics to identify and mitigate any security vulnerabilities in the newly implemented network (Earthlink, 2016, p. 1).

Communication Plan

Since WWTC will be implementing a new network at the NY office, there must be excellent collaboration between management, network administrators, and end users. The network design document will be distributed to WWTC’s management, network administrators, and end users. As the design and implementation take place, the network administrators will report the status of each task, such as completion of configuring the network infrastructure and testing for issues, to management and the end users. If risks or issues arise, such as missing equipment, the administrator will immediately notify the manager in charge of the phase, and the manager will then contact the vendor. Every week, management and the network administrators will hold meetings for status updates and to maintain awareness of the budget in order to prevent overspending.


Training Plan

During and after the network implementation, the consultant will offer training to WWTC’s network administrators, who will be trained on the specific tools, equipment, and configuration of all devices during each implementation phase. The IT consultant will purchase configuration manuals for the administrators from the vendors and set up online classes that apply to each implementation phase. The administrators will be offered online classes on LAN, security, and Active Directory configuration. For example, before the end of the LAN phase, the administrators will be trained on the configuration of routers and switches. For security, they will be trained on configuring, implementing, and maintaining strong security measures on the network devices. For Active Directory, they will be trained on configuring and implementing group policies along with the Active Directory structure. WWTC’s end users, on the other hand, will be trained before the project’s completion, with a focus on security policies such as password complexity and proper use of computers. The consultant will work with WWTC to establish online classes for the end users on the subjects of acceptable use policies and security best practices.

Measuring the Effectiveness of the Design after Implementation

After implementation, the network administrators will monitor the entire network (LAN, Active Directory, and security) to check for design issues such as a misconfigured IP address or VLAN. If such issues arise, the design and device configurations will be modified and documented to reflect the changes, such as a different IP address or a different VLAN name. The administrators will then conduct additional assessments of the newly implemented network in order to verify that it meets WWTC’s requirements, such as reviewing the security configurations on the devices to check for compliance with WWTC’s security policy.

Project Risks

The network implementation can be delayed due to the following issues:
Missing equipment;
Administrator turnover;
Executives may not support some project objectives;
Key executives may leave WWTC;
Project scope creep;
Device misconfigurations;
Budget overspent or inaccurate budget estimates;
Lack of communication between network administrators;
Faulty equipment;
Security breach occurs when a phase is implemented;
Network outages or down links;
Network does not support WWTC’s business and design requirements;
Bad vendor relationships or vendor conflicts;
Cannot negotiate acceptable prices for contracts; and
Too many end user complaints about the performance of the network.


Fallback Plan if Implementation Fails

Before an implementation failure occurs, network administrators at the NY site will perform daily backups of the configurations on the routers, switches, servers, and other network devices. After the administrators make new configuration changes to these devices, all configurations will be backed up offsite, such as to the cloud service providers Cisco (LAN and security configurations) and Microsoft (Active Directory configurations). In the event of a failure in the implementation, such as equipment failure or misconfiguration, the administrators can quickly recover the previous device configurations instead of starting from scratch, which ensures quick recovery of configurations and minimizes network downtime.

Evolving the Network Design to Fit New Application Requirements

In order to fit new application requirements in the future, WWTC will consider modifying their design. If WWTC develops a new in-house application or decides to outsource one, such as email, the design has to be modified in order to support the new requirements. For example, if WWTC has an in-house email application, they will have their own email servers and will be responsible for maintenance and upkeep. If they decide to outsource email to a third-party application such as Microsoft Office 365, they have to make design changes such as decommissioning their in-house email servers and then configuring other devices such as routers to point to Microsoft’s email servers. The best way to handle this is for WWTC’s network administrators to document all changes to the network design, including network baseline information. Good documentation ensures that when new application requirements arise, there will not be a struggle to identify where changes should be made in the design.


Project Budget

This budget covers the following needs: network devices, maintenance and support agreements, vendor service contracts, training/staffing, consulting fees, and outsourcing expenses and their associated costs. In total, the project will cost $1,088,000.

Needs | # Required (Equipment/Software Licenses) | Description of Needs | Cost
Wiring | | | $30,000
Server Room Construction | | | $300,000
Network Devices | | | $640,000
Maintenance and Support Agreements | Applies to all equipment | The vendors (Cisco, HP, and Dell) will maintain the equipment and the service warranty for the devices. | $10,000 per year
Service Contracts with Vendors | Applies to all equipment | There will be service contracts with Dell, Cisco, and HP. | $30,000 per year
McAfee Anti-Virus Software | 133 licenses | Will be installed on all servers, laptops, and workstations at WWTC. | $20,000 per year
Training and Staffing | Three administrators are needed for implementation | The IT consultant has to train each administrator in the area they are responsible for implementing (LAN, Security, and Active Directory), along with developing an end user training awareness program. | $10,000
Outsourcing Costs (EarthLink) | Applies to network management | WWTC will outsource network management (security threat monitoring and network diagnostics). | $50,000 per year
Network Performance Monitor from SolarWinds | 1 license | Used to monitor WWTC’s network performance. | $2,000 per year


Design Document Appendix

Implementation Schedule:

LAN Implementation Tasks

Task | Description
LAN Design | The LAN design should efficiently connect the devices at the NY facility in a manner that allows maximum flexibility, scalability, and ease of maintenance and administration.
Server Room Construction | The installation of data cabling to connect all devices at the NY facility, including shielded and plenum cables where safety and performance requirements dictate. ("Alpine Communications," n.d.)
Electrical Cabling | The installation of electrical cables to connect all devices at the NY facility. Distribution boards and UPS systems will be installed as well. ("Alpine Communications," n.d.)

Security Implementation Tasks

Step # | Task
1 | Physically install Cisco ASA 5500 firewall
2 | Configure ASA 5500 firewall
3 | Set up access to the public server farm in DMZ in ASA 5500
4 | Configure VPN for IPSEC in ASA 5500
5 | Configure firewall rules in ASA 5500
6 | Physically install Cisco IPS 4270
7 | Configure IPS 4270 for “inline mode” between ASA 5500 and WWTC network
8 | Install and configure McAfee E-Policy Orchestrator (EPO)
9 | Install and configure Cisco Access Control Server (CACS) 5.4
10 | Install and configure KG-175D
11 | Configure VLAN security on network devices
12 | Configure port security on network devices
13 | Configure DHCP snooping on network devices


Active Directory Implementation Tasks

Step # | Task
1 | Create Forest Root/Parent Domain; WWTC.com
2 | Create the Forest Root/Parent Domain; WWTC.com
3 | Create a Child Domain; NY.WWTC.com
4 | Configure DNS suffix search list and distribute through GPOs
5 | Establish forest trust with WWTC and HQ Hong Kong
6 | Configure global catalog servers and FSMO roles
7 | Create sites and subnets
8 | Create site link objects and configure site link settings
9 | Create WWTC Group Formation
10 | Create WWTC Active Directory GPO Implementation

Network and VLAN Configuration

Segment | VLAN ID | Device quantity | IP addresses required including growth | Subnet | Number of Hosts | First Host – Last Host
Servers | 100 | 47 | 94 | 172.16.12.0/25 | 126 | 172.16.12.0 – 172.16.12.127
VoIP | 101 | 94 | 188 | 172.16.13.0/24 | 254 | 172.16.13.0 – 172.16.13.255
Reception/Guest | 110 | 56 | 112 | 172.16.0.0/25 | 126 | 172.16.0.0 – 172.16.0.127
Conference Rooms | 120 | 20 | 40 | 172.16.0.128/26 | 62 | 172.16.0.128 – 172.16.0.191
Printers | 102 | 20 | 40 | 172.16.0.192/26 | 62 | 172.16.0.192 – 172.16.0.255
Executive Offices | 130 | 26 | 52 | 172.16.1.0/26 | 62 | 172.16.1.0 – 172.16.1.63
Managers | 140 | 20 | 40 | 172.16.1.64/26 | 62 | 172.16.1.64 – 172.16.1.127
Staff | 150 | 48 | 96 | 172.16.1.128/25 | 126 | 172.16.1.128 – 172.16.1.255
Brokers | 160 | 28 | 56 | 172.16.2.0/26 | 62 | 172.16.2.0 – 172.16.2.63


VoIP Configuration

Task | Description
Separate roles | For this step, we want to know how we will separate our roles for subnets and VLANs.
Create subnets | After separating roles, inventory the number of users and devices that need an IP address and create subnets around 100% growth.
Create subnets on switch | Now we create the subnets on our switches and define their IP address range on the switch to allow the network to reach the devices.
Setup VoIP | We have to set up the voice over IP network on both the router and switches to assign DHCP and phone numbers so that phone service will work.
Create PSTN failover | This allows us to make and receive calls using the public relay in the event of an internet outage using a Cisco Unified Communications Manager. The cost of this is around $1300.


VoIP Diagram

DHCP/DNS Addresses

Scope | Addresses Available | Subnet Mask | Default Gateway | Primary DNS
Executives | 62 | 255.255.255.192 | 172.16.0.2 | 172.16.0.93
Brokers | 62 | 255.255.255.192 | 172.16.0.2 | 172.16.0.93
Managers | 62 | 255.255.255.192 | 172.16.0.2 | 172.16.0.93
Staff | 126 | 255.255.255.128 | 172.16.0.2 | 172.16.0.93
VoIP Phones | 254 | 255.255.255.0 | 172.16.0.2 | 172.16.0.93
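The following validator is an added example and is not part of the original design document; it checks the VLAN/subnet table and the DHCP/DNS scopes above. The segment table is transcribed from the appendix, and the checks (required addresses fit the subnet, no two subnets overlap, the assignable host range of each subnet, and which segment's subnet contains the 172.16.0.2 default gateway and 172.16.0.93 DNS address listed for every scope) are the editor's, not the author's. Note that the appendix's First Host – Last Host column spans the network address through the broadcast address, whereas host_range returns the assignable range.

```python
"""Checks over the WWTC VLAN/subnet plan (added example; the segment table is
transcribed from the appendix, the checks themselves are not the author's)."""
from __future__ import annotations
import ipaddress

# (segment, VLAN ID, addresses required including growth, subnet), from the appendix table
SEGMENTS = [
    ("Servers",           100,  94, "172.16.12.0/25"),
    ("VoIP",              101, 188, "172.16.13.0/24"),
    ("Reception/Guest",   110, 112, "172.16.0.0/25"),
    ("Conference Rooms",  120,  40, "172.16.0.128/26"),
    ("Printers",          102,  40, "172.16.0.192/26"),
    ("Executive Offices", 130,  52, "172.16.1.0/26"),
    ("Managers",          140,  40, "172.16.1.64/26"),
    ("Staff",             150,  96, "172.16.1.128/25"),
    ("Brokers",           160,  56, "172.16.2.0/26"),
]

def usable_hosts(cidr: str) -> int:
    """Assignable host addresses in a subnet (network and broadcast excluded)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 2

def host_range(cidr: str) -> tuple[str, str]:
    """First and last assignable host address, not the network/broadcast addresses."""
    hosts = list(ipaddress.ip_network(cidr, strict=True).hosts())
    return str(hosts[0]), str(hosts[-1])

def capacity_problems() -> list[str]:
    """Segments whose required address count exceeds the subnet's usable hosts."""
    return [name for name, _vlan, need, cidr in SEGMENTS if need > usable_hosts(cidr)]

def overlapping_pairs() -> list[tuple[str, str]]:
    """Segment pairs whose subnets overlap; a routed design needs them disjoint."""
    nets = [(name, ipaddress.ip_network(cidr)) for name, _v, _n, cidr in SEGMENTS]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

def segments_containing(address: str) -> list[str]:
    """Segments whose subnet contains the address, e.g. a proposed default gateway."""
    ip = ipaddress.ip_address(address)
    return [name for name, _v, _n, cidr in SEGMENTS if ip in ipaddress.ip_network(cidr)]

if __name__ == "__main__":
    for name, vlan, need, cidr in SEGMENTS:
        first, last = host_range(cidr)
        print(f"VLAN {vlan:>3} {name:<17} {cidr:<16} need {need:>3}  hosts {first} - {last}")
    print("capacity problems:", capacity_problems())   # []
    print("overlapping subnets:", overlapping_pairs())  # []
    print("subnets containing gateway 172.16.0.2:", segments_containing("172.16.0.2"))
    print("subnets containing DNS 172.16.0.93:", segments_containing("172.16.0.93"))
```

A client in any scope can only use a default gateway that lies inside its own subnet, so the last two checks show which segment the shared gateway and DNS addresses actually belong to.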


Wireless Network Deployment Diagram


Active Directory OU Structure

Executives: Users, Workstations
Brokers: Users, Workstations
Finance: Users, Workstations
Human Resources (HR): Users, Workstations
Managers: Users, Workstations
IT: Users, Workstations
Printers
Servers
Security Groups


Active Directory GPO Implementation Diagram


Active Directory Forest Structure


References

Earthlink. (2016). Network and Security Outsourcing. Retrieved July 6, 2016, from Earthlink: https://www.earthlink.com/services-and-solutions/solutions-by-challenge/network-security-outsourcing

Hummel, S. (2009, September 20). Effective Network Planning and Design Guide. Retrieved July 7, 2016, from IT World: http://www.itworld.com/article/2768291/networking/effective-network-planning-and-design-guide.html

Solarwinds. (2016). Network Performance Monitor v12. Retrieved July 8, 2016, from Solarwinds: http://www.solarwinds.com/network-performance-monitor