Authentic Assessment Project (AAP) Jan 2017
Background Information for World-Wide Trading Company
World-Wide Trading Company (WWTC) is a large online broker firm in the Hong Kong. The trading company has a staff of 9,000 who are scattered around the globe. Due to aggressive growth in business, they want to establish a regional office in New York City. They leased the entire floor of a building on Wall Street. You were selected as a contractor (your group) to build a state of the art high availability, secure network. The President of the company asked you to set up the state of the art network by end of this year. He shared with you the organizational structure and a list of the 100 employees. The current floor of the new site is solid and gigabit network can be set up on existing network wiring. Also, the existing power supply will meet the client’s current and future demand. The President has required these business goals:
Business and Technical Goals
· Increase revenue from 10 billion to 40 billion in three to four years
· Reduce the operating cost from 30 to 15 percent in two to three years by using an automated system for buying and selling.
· Provide secure means of customer purchase and payment over Internet.
· Build a high availability, moderate confidentiality and moderate integrity unclassified network (based on The National Institute of Standards and Technology- NIST)
· Build a classified network with high confidentiality, moderate integrity, and moderate availability (based on NIST)
· Allow employee to attach their notebook computers to the WWTC network and wireless Internet services.
· Provide state of the art VoIP and Data Network
· Provide Active Directory, DNS, and DCHP services
· Provide faster Network services
· Provide fast and secure wireless services in the lobby, conference rooms (100x60), and the cubical areas.
On the basis of these business goals, your group is responsible for designing, configuring, and implementing fast, reliable and secure networks (classified and unclassified).
WWTC LAN/WLAN/VoIP
· Propose a secure network design that solves the network and security challenges, to meet business needs, and the other technical goals. You are also required to provide a modular and scalable network. Provide redundancy at building core layer, building distribution layer, and access layer to avoid single point of failure. For Building Access layer provide redundant uplinks connection.
· Select appropriate Cisco switch model for each part of your enterprise campus model design from the Cisco Products Link, and use the following assumptions in your selection process:
1. Selecting the Access layers’ switches:
0. Provide one port to each device
0. Make provision for 100% growth
1. Server farm switches
a. Assume 6 NIC cards in each server and one NIC card uses one port of switch
b. Dual processors and dual power supply
· Propose an IP addressing redesign that optimizes IP addressing and IP routing (including the use of route summarization). Provide migration provision to IPv6 protocol in future.
· Propose a High Level security plans to secure key applications and servers but encryption of all application is not acceptable. Develop security policy to stop sniffing and man-in-the-middle attack. Your security plan must be based on current industry standards. Multilayer security or defense-in-depth.
· Integrate voice and data network to reduce cost. For dialing outside, the World-Wide Trading Company proposes a plan for 100% connectivity with a minimum number of outside lines. For telephone requirements, see the Organization Chart and Telephone Equipment Table.
· Provide state of the art VoIP and Data Network.
· Provide aggregate routing protocols with hierarchal IP scheme.
· Centralize all services and servers to make the network easier to manage and more cost-effective.
· Provide LAN speed minimum 100 MB and Internet speed minimum 54 MB.
· Provide wireless network access to network users and guest users with a minimum 54 Mbps of bandwidth. (You can assume that site survey is done and no sources of interference or RF were discovered.)
· Provide provisions for video conference and multicast services.
· Standardize on TCP/IP protocols for the network. Macintoshes will be accessible only on guest notebook but must use TCP/IP protocols or the Apple Talk Filling Protocol (AFP) running on top of TCP.
· Provide extra capacity at switches so authorized users can attach their notebook PCs to the network
· Configure DHCP on notebook PCs
· The World-Wide Trading Company will use the following applications/services:
· Microsoft Office 365 plan (Office 2016, Exchange, Active Directory, SharePoint, One Drive, and Skype for Business)
· Sending and receiving e-mail
· Accessing the library card-catalog
· File Server application.
· Adobe Pro
· Secure Zip
· Associate will use the following Custom Applications
· Market Tracking Application. This application will provide real-time status of stock and bond market to brokers and their clients.
· Stock and Bond Analytical Application. This application will provide analysis of stock and Bond to Brokers only.
· On Line Trading. The Company wishes to train new clients in online trading to attract new customer. The Company will sign up new client to receive streaming video and instructions
Assume any information (with proper justification) which you think is missing and critical to the development of the design.
WWTC Security
WWTC has strong security requirements to ensure strong authentication, data confidentiality and separations between internal protected server and public server.
Classified Network
In addition to the required unclassified network, WWTC is requiring a classified network:
0. The classified network must be physically separated from the unclassified network.
0. Only VPs and Department heads are allowed to access the classified network
0. Control should be put in place to prevent local users from accessing the classified network or removing data in any way. This includes removing media, AV recorders, pen and paper, and any form of printer.
0. All data transmitted on the classified network must be cryptographically protected throughout the network (Crypto devices are highly recommended).
0. All classified data must be centrally stored and secured in a physically separate area from the unclassified network.
0. The classified network is used for classified email only. WWTC needs to be able to send classified email from the NYC office to their HQ office.
0. No redundancy, AD, Wireless, or VoIP required for the classified network – just a simple network for classified email only.
Unclassified Network:
The security design must ensure:
· Confidentiality, Integrity, and Availability of the data
· Physical, Logical, and Administrative security controls
· Secure e-mail used to communicate business sensitive information.
· Confidential business information and public data are not connected to the same physical network.
· the use of two-factor authentication mechanism is enabled.
· Sensitive business information must not be transmitted in clear text between server and client.
Secure WAN Connectivity
In addition to the cryptographic protections of the data within the classified network, all data crossing wide-area links should undergo another layer of cryptographic protection such as IPSec/VPN/SSL.
Public Servers
All public servers must be configured HTTPS connections and accept all requests that are on valid IP addresses and pass through firewall. Server must ask some identity of the connecting party.
Site-to-site VPN tunnels
All devices must be mutually authenticated and cryptographic protection should be provided.
User Education
All users should undergo periodic user awareness security training program on network threats and good security practices.
Other Security Deliverables:
1. Determine the most important assets of the company, which must be protected
1. Determine general security architecture for the company
1. Develop a list of 12 specific security policies that could be applied.
1. Write specific details along with the rationale for each policy
1. Integrate and write up the final version of the Security Policy Document for submittal
1. Develop a High availability secure design for this locations addressing above considerations and mitigating 4 primary networks attacks categories mentioned below.
Protect the Network from Four Primary Attack Categories:
1. Reconnaissance attacks: An intruder attempts to discover and map systems, services, and vulnerabilities.
2. Access attacks: An intruder attacks networks and systems to retrieve data, or gain access, or escalate access privileges
3. Denial of Service attacks: An intruder attacks your network in a way that damages or corrupts your computer system or denies you and others access to your networks, system, or services.
4. Worms, viruses, and Trojan horses: Malicious software is inserted onto a host in order to damage a system, corrupt a system, replicate itself, or deny services or access to networks, system or services.
Sample Security Policies:
1. Policies defining acceptable use
2. Policies governing connections to remote network
3. Polices outlining the sensitivity level of the various types of information held within an organization
4. Policies protecting the privacy of the network’s user and any customer data
5. Policies defining security baselines to be met by devices before connecting them to the network.
6. Policies for incident response handling
WWTC Active Directory Design
WWTC office at New York is largely autonomous and few IT personnel to take care of day-to-day IT support activities such as password resets troubleshoot virus problems. You are concerned about sensitive data store in this location. You want to deploy a highly developed OU structure to implement security policies uniformly through GPO automatically at all domains, OU, and workstations.
At this location Windows Server 2012 R2 is required providing the following 10 AD features :
1. Use BitLocker encryption technology for devices (server and Work station) disc space and volume.
2. Enables a BitLocker system on a wired network to automatically unlock the system volume during boot (on capable Windows Server 2012 R2 networks), reducing internal help desk call volumes for lost PINs.
3. Create group policies settings to enforce that either Used Disk Space Only or Full Encryption is used when BitLocker is enabled on a drive.
4. Enable BranchCache in Windows Server 2012 for substantial performance, manageability, scalability, and availability improvements
5. Implement Cache Encryption to store encrypted data by default. This allows you to ensure data security without using drive encryption technologies.
6. Implement Failover cluster services
7. Implement File classification infrastructure feature to provide automatic classification process.
8. IP Address Management (IPAM) is an entirely new feature in Windows Server 2012 that provides highly customizable administrative and monitoring capabilities for the IP address infrastructure on a corporate network.
9. Smart cards and their associated personal identification numbers (PINs) are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, a user must have the smart card and know the PIN to gain access to network resources.
10. Implement Windows Deployment Services to enables you to remotely deploy Windows operating systems. You can use it to set up new computers by using a network-based installation.
Other AD Deliverables:
· Create Active directory infrastructure to include recommended features
· Create OU level for users and devices in their respective OU
· Create Global, Universal, Local group. Each global group will contain all users in the corresponding department. Membership in the universal group is restrictive and membership can be assigned on the basis of least privileged principle. (For design purpose, you can assume that WTC as a Single Forest with multiple domains).
· Create appropriate GPO and GPO policies and determine where they will be applied.
Reference:
WWTC Organization Chart
VP of Operation (CIO, CFO, CHRO) Regional VPs: VP NW USA, VP SW USA, VP NE USA, VP SE USA, VP M USA
Note: WWTC is opening an office only at New York location. Please do not confuse Office holder’s title (VP NW USA) with the location.
Table: -1 Sample Equipment Inventory (this is just a sample; you would need to insert your own equipment and comments)
Subnet
Offices
Telephone
Devices
Comment
VP OPR
VP OPR Office
2
1
Work Stations
CEO IT
2
1
Work Stations
CEO FIN
2
1
Work Stations
CEO HR
2
1
Work Stations
CEO IT’s Staff
2
1
Work Stations
CEO FIN’s Staff
2
1
Work Stations
CEO HR’s Staff
2
1
Work Stations
VP NW USA,
VP Office
2
2
Work Stations
Manager 1
2
2
Work Stations
Manager 2
2
2
Work Stations
Broker 1
2
2
Work Stations
Broker 2
2
2
Work Stations
Broker 3
2
2
Work Stations
Broker 4
2
2
Work Stations
Staff
2
2
Work Stations
VP SW USA
VP SW Office
2
2
Work Stations
Manager 1
2
2
Work Stations
Manager 2
2
2
Work Stations
Broker 1
2
2
Work Stations
Broker 2
2
2
Work Stations
Broker 3
2
2
Work Stations
Broker 4
2
2
Work Stations
Staff
2
2
Work Stations
VP NE USA
VP NE Office
2
2
Work Stations
Manager 1
2
2
Work Stations
Manager 2
2
2
Work Stations
Broker 1
2
2
Work Stations
Broker 2
2
2
Work Stations
Broker 3
2
2
Work Stations
Broker 4
2
2
Work Stations
Staff
2
2
Work Stations
VP SE USA
VP SE Office
2
2
Work Stations
Manager 1
2
2
Work Stations
Manager 2
2
2
Work Stations
Broker 1
2
2
Work Stations
Broker 2
2
2
Work Stations
Broker 3
2
2
Work Stations
Broker 4
2
2
Work Stations
Staff
2
2
Work Stations
VP M USA
VP M Offices
2
2
Work Stations
Manager 1
2
2
Work Stations
Manager 2
2
2
Work Stations
Broker 1
2
2
Work Stations
Broker 2
2
2
Work Stations
Broker 3
2
2
Work Stations
Broker 4
2
2
Work Stations
Staff
2
2
Work Stations
Printer
20
At various offices. Exact location to be determined.
Server
WLC and AP ordering Guide
Table 4. Sample Ordering Information for Cisco Wireless LAN Controllers (you need to provide your own list)
Product
Features
Customer Requirements
Part Number
Wireless LAN Controllers
Cisco 4400 Series Wireless LAN Controller
• Modular support of 12, 25, 50, or 100 Cisco Aironet access points
• The Cisco 4402 with 2 Gigabit Ethernet ports supports configurations for 12, 25, and 50 access points
• The Cisco 4404 with 4 Gigabit Ethernet ports supports configurations for 100 access points
• IEEE 802.1D Spanning Tree Protocol for higher availability
• IPSec encryption
• Industrial-grade resistance to electromagnetic interferences (EMI)
• For midsize to large deployments
• High availability
• AIR-WLC4402-12-K9
• AIR-WLC4402-25-K9
• AIR-WLC4402-50-K9
• AIR-WLC4404-100-K9
See the Cisco Wireless LAN Controllers Data Sheet for more information.
Cisco 2100 Series Wireless LAN Controller
• Supports up to 6, 12 or 25 Cisco Aironet access points
• Eight Ethernet ports, two of which can provide power directly to Cisco APs
• Desk mountable
• For retail, enterprise branch offices, or SMB deployments
• AIR-WLC2106-K9
• AIR-WLC2112-K9
• AIR-WLC2125-K9
See the Cisco 2106 Wireless LAN Controller Data Sheet for more information.
Cisco Catalyst® 6500 Series /7600 Series Wireless Services Module (WiSM)
• Wireless LAN Controller for Cisco Catalyst 6500 or Cisco 7600 Series Router
• Supports 300 Cisco Aironet access points
• IPSec encryption
• Industrial-grade resistance to electromagnetic interferences (EMI)
• Intrachassis and interchassis failover
• Interoperable with Cisco Catalyst 6500 Series Firewall and IDS services modules
• Embedded system for the Cisco Catalyst 6500 Series and Cisco 7600 Series Router infrastructure
• For large-scale deployments
• High availability
• WS-SVC-WISM-1-K9
• WS-SVC-WISM-1-K9= (spare)
See the Cisco Catalyst Wireless Services Module Data Sheet for more information.
Cisco Catalyst 3750G Integrated WLAN Controller
• Cisco Catalyst 3750G Series Switch with wireless LAN controller capabilities
• Modular support of 25 or 50 Cisco Aironet access points per switch (and up to 200 access points per stack*)
• IPSec encryption
• Industrial-grade resistance to electromagnetic interferences (EMI)
• For midsize to large deployments
• High availability
• WS-C3750G-24WS-S25
• WS-C3750G-24WS-S50
See the Cisco Catalyst 3750G Integrated Wireless LAN Controller Data Sheet for more information.
Cisco Wireless LAN Controller Module for Cisco Integrated Services Routers
• Wireless LAN controller integrated into Cisco integrated services routers
• Supports 6, 8, 12, or 25 Cisco Aironet access points
• Embedded system for Cisco 2800/3800 Series and Cisco 3700 Series routers
• For retail, small to medium-sized deployments or branch offices
• NME-AIR-WLC6-K9
• NME-AIR-WLC6-K9= (spare)
• NME-AIR-WLC8-K9
• NME-AIR-WLC8-K9= (spare)
• NME-AIR-WLC12-K9
• NME-AIR-WLC12-K9= (spare)
• NME-AIR-WLC25-K9
• NME-AIR-WLC25-K9= (spare)
See the Cisco WLAN Controller Modules Data Sheet for more information.
Please refer to the Cisco Wireless LAN Controller Ordering Guide supplement to learn when to add the following SKUs to track the deployment of voice and context-aware mobility applications.
Table 2. Cisco Aironet Indoor Rugged, Indoor, Wireless Mesh, and Outdoor Rugged Access Points
Product
Features
Customer Requirements
Part Number
Indoor Rugged Access Points
Cisco Aironet 1250 Series
• Industry's first business-class access point based on the IEEE 802.11n draft 2.0 standard
• Provides reliable and predictable WLAN coverage to improve the end-user experience for both existing 802.11a/b/g clients and new 802.11n clients
• Offers combined data rates of up to 600 Mbps to meet the most rigorous bandwidth requirements
• Designed for both office and challenging RF environments
• Especially beneficial for environments with the following characteristics:
• Challenging RF environments (for example, manufacturing plants, warehouses, clinical environments)
• Bandwidth-intensive applications (for example, digital imaging, file transfers, network backup)
• Real-time, latency-sensitive applications such as voice and video
• Need to support existing 802.11a/b/g and new 802.11n wireless clients
Access point platform with pre-installed radio modules:
• AIR-AP1252AG-x-K9: 802.11a/g/n-draft 2.0 2.4/5-GHz Modular Autonomous Access Point; 6 RP-TNC
• AIR-AP1252G-x-K9: 802.11g/n-draft 2.0 2.4-GHz Modular Autonomous Access Point; 3 RP-TNC
• AIR-LAP1252AG-x-K9: 802.11a/g/n-draft 2.0 2.4/5-GHz Modular Unified Access Point; 6 RP-TNC
• AIR-LAP1252G-x-K9: 802.11g/n-draft 2.0 2.4-GHz Modular Unified Access Point; 3 RP-TNC
See the Cisco Aironet 1250 Series Ordering Guide for more information.
Cisco Aironet 1240AG Series
• Second-generation 802.11a/g dual-band indoor rugged access point
• 2.4-GHz and 5-GHz antenna connectors for greater range or coverage versatility and more flexible installation options using the broad selection of Cisco antennas available
• Ideal for challenging indoor RF environments
• Recommended for offices and similar environments
• Ideal for deployments above suspended ceilings
• Recommended for outdoors when deployed in a weatherproof NEMA-rated enclosure
• AIR-AP1242AG-x-K9: 802.11a/g Nonmodular Cisco IOS Software- Based Access Point; RP-TNC
• AIR-LAP1242AG-x-K9: 802.11a/g Nonmodular LWAPP Access Point; RP-TNC
See the Cisco Aironet 1240AG Series 802.11a/b/g Data Sheet for more information.
Indoor Access Points
Cisco Aironet 1130AG Series
Low-profile, enterprise-class 802.11a/g access point with integrated antennas for easy deployment in offices and similar RF environments
Ideal for offices and similar environments
• AIR-AP1131AG-*X-K9
See the Cisco Aironet 1130AG Series Ordering Guide for more information.