RUNNING HEAD: AUTHENTIC ASSESSMENT PLAN
CMIT 495 6381
Authentic Assessment Plan to Support WWTC
Week 8
04 March 2017
RFP Response Team 5
Table of Contents
1 Executive Summary
1.1 Contact List
2 Project Goal
3 Project Scope
4 Design Requirements
4.1 Local Area Network
4.2 Security
4.3 VoIP
4.4 Wireless
4.5 Active Directory
5 Current State of the Network
6 Design Solutions
6.1 Local Area Network
6.2 Security
6.2.1 Roles and Responsibilities
6.3 VoIP and Wireless
6.4 Active Directory
7 Implementation Plan
7.1 LAN Implementation
7.2 Security
7.3 VoIP and Wireless
7.4 Active Directory
8 Project Budget
9 Summary of Proposal
10 Design Document Appendix
11 References
1 Executive Summary
WWTC has issued an RFP to 5 teams to design and implement a network for its New York City regional office, encompassing both a secure and an unsecure network, that will allow WWTC to increase revenue. This paper provides a detailed overview of the business needs and initial design requirements for a state-of-the-art, modular network covering LAN, Wireless, VoIP, Security Architecture, and Active Directory. RFP Team 5 has provided detailed design and implementation information in previous documents. This document is a comprehensive plan of the scope of work to be completed; it addresses the concerns of stakeholders, meets the business needs of WWTC, and meets all technical requirements for the WWTC New York branch.
1.1 Contact List
Team 5 makeup is as follows:
Project Team
VoIP Project Manager: Justin Jorden
Telephone: 703-555-1212
E-Mail: jjorden@rfp5.com
Wireless Manager: Abdul Shaat
Telephone: 703-555-1212
E-Mail: ashaat@rfp5.com
LAN Engineer: Stephen Snider
Telephone: 443-555-1212
E-mail: ssnider@rfp5.com
AD Engineer: Brian Holloway
Telephone: 703-555-1212
E-mail: bholloway@rfp5.com
Project Coordinator/Security Engineer: Troy Dahlin
Telephone: 703-555-1212
E-mail: tdahlin@rfp5.com
2 Project Goal
Based on the below business goals, this proposal should offer a modular concept to allow the company to build in phases if needed and to meet the business objectives as outlined by corporate headquarters.
· Increase revenue from $10 billion to $40 billion in three to four years
· Reduce the operating cost from 30 to 15 percent in two to three years by using an automated system for buying and selling for our clients.
· Ensure a secure means for customers to purchase and pay over the Internet
· Provide access for employees to attach their mobile computers to the WWTC network and Internet services
· Ensure redundant VoIP and Data Network(s)
· Ensure quick reliable Network services
· Ensure speedy and redundant wireless services in the lobby and both conference rooms (100x60)
· Double network capacity to facilitate and support the projected business growth.
3 Project Scope
This is a new network that will be installed in the WWTC New York regional office. WWTC has leased an entire floor of a building on Wall Street, plans to place 100 employees in the office, and wants a state-of-the-art network in place by year's end. Additionally, the network must interconnect with other offices over the WWTC WAN, allow remote access for employees, and provide a secure means of payment for customers.
WWTC Corporate has also identified several security areas where it would like to enhance its current security implementation. Data confidentiality and strong authentication will need to be addressed in this plan.
A new Active Directory domain will need to be created under the WWTC forest to create and manage the different OU groups that will reside in the New York office. Those groups will comprise VP/C-level users, Managers, Staff, Brokers, and Guests.
4 Design Requirements
WWTC has provided a very detailed list of requirements for the new LAN in the New York City regional office. The technical goals for WWTC include the ability to provide secure, fast, and reliable network services to the company, its employees, and clients. The network must also be highly scalable, to account for the expected growth of the company in the near future. Finally, the network will provide redundancy at every layer to avoid downtime in the event of equipment failure.
4.1 Local Area Network
We will meet WWTC's LAN design requirements by providing a highly modular and scalable network that allows for immediate operations, accommodates growth, and reduces downtime through redundant connections (mesh topology). By using Cisco products throughout, there will be less product interference and fewer technical gaps. Uplink and downlink speeds will be maximized to ensure enough bandwidth to support VoIP, VTC, and guests on the wireless network, the interconnection with WWTC headquarters, and the streaming applications that brokers and guests use to access the World Wide Web for real-time data to perform their duties.
4.2 Security
Recent audit results have found physical, logical, and personnel security concerns that need to be addressed. Physical and logical vulnerabilities can be corrected by upgrading and making the proposed network design changes. The personnel vulnerabilities will require a change in policy and awareness, and will need top-down management support to ensure that all employees have a clear understanding of the importance of a security mindset.
WWTC needs to review its security policies annually to adjust and grow its security program. Some of the policies that should be put into place are:
Acceptable Use, Access and Connectivity (Local and Remote), Secure Network Use, Privacy and Sensitive Data Protection, Email Use, Ethics, Password Use and Protection, Data Breach Response, Server Security, Software Installation and Use, Workstation Use and Security, and Rules of Behavior.
Additionally, all devices accessing the network will be isolated via VLANs created on the network switches, with routing between VLANs controlled via OUs and AD GPOs. The use of Cisco ASA firewalls and Cisco FirePOWER NIDS, coupled with HIDS (McAfee), will provide a defense-in-depth solution to better protect the network.
4.3 VoIP
VoIP is a combination of hardware and software that allows the user to make phone calls over Internet transmission. Packets of data containing the voice transmission are sent using IP. Here at WWTC, we are seeking to use this same technology to reduce operating cost by building on the networking infrastructure we already use on a daily basis.
In order to implement VoIP, we need to consider a few things. First, we need to implement Session Initiation Protocol (SIP). "SIP is a signaling protocol and widely used for setting up and tearing down multimedia communication sessions such as voice and video calls. SIP is merely an initiation protocol for establishing multimedia sessions and SIP uses Session Description Protocol (SDP) that describes the set of media formats, addresses, and ports to negotiate an agreement between the two communication terminals as to the types of media, they’re willing to share." (Chang & Wang, 2009).
4.4 Wireless
A wireless LAN must meet the same sort of requirements typical of any LAN, including high capacity, the ability to cover short distances, full connectivity among attached stations, and broadcast capability (Singh, 2014). In addition, several prerequisites are specific to the wireless LAN environment. The wireless LAN must be able to accommodate upwards of 80 users with a bandwidth of 54 Mbps, using the 802.11g standard on the 2.4 GHz frequency to prevent interference. The 802.1x (WPA2 Enterprise) authentication that will be implemented ensures that only authorized users access the WLAN, protecting not only the WWTC network from unauthorized users but also authorized guests from having their devices exposed to malicious users.
4.5 Active Directory
For a company as large as WWTC, Active Directory will play a large role in managing computer and user policies. The easiest way to implement plans and policy requirements is to distribute them through group policy. The Active Directory structure will comprise a New York domain, broken down into OU groups, that allows access to and from WWTC headquarters and for remote users. This domain will provide security within the domain to protect information from employees who do not have a need to know it. It will also allow the enforcement of GPOs, which will enhance the management of security and configuration policies.
5 Current State of the Network
The current network infrastructure is solid, and gigabit networking can be set up on the existing wiring. The existing power supply will also meet current and future demand. This infrastructure should be able to provide a LAN speed of at least 100 MB and an Internet speed of at least 54 MB. We will also need to provide wireless network access to network users and guest users in limited areas (the lobby and conference rooms); in the conference rooms and the lobby, users will get a minimum of 54 Mbps of bandwidth.
6 Design Solutions
6.1 Local Area Network
According to our requirements, we have been given the 172.2.0.0/22 network, which should be able to accommodate every device along with capacity for 100% growth. To begin, we separated the subnets and VLANs along the division of OU groups, since those groups will share resources and policies. For example, there are policies that will need to be applied to staff that won't be applicable to brokers, and policies that will be applied to servers but not to printers. This estimate is based on the unclassified network only.
GUEST NETWORK:
I have assumed that each of the four reception offices can hold a maximum of 10 devices on the guest wireless connections. This allows for multiple devices per person needing access to the guest network via a wireless AP connected to the DMZ, which prevents guest users from reaching company network services while still allowing external connectivity. This gives an immediate total of 40 connections. To make room for 100% growth, we must size the subnet for an assumed total of 80 devices, so we create a 172.2.30.0/25 subnet, giving us 126 available IP addresses.
VOIP/ VTC/CONFERENCE ROOMS:
For VoIP/VTC, the chart provided shows a current need for 100 Internet-connected phones and 6 VTCs. To double that, we need to accommodate 200 phones and 12 VTCs, which requires a full octet. Since the VoIP/VTC devices will use DHCP and we want VoIP on its own subnet, we assign 172.2.10.0/24, giving us 254 available IP addresses. For the conference rooms, we assume a maximum capacity of 10 in each, for 20 devices, and must accommodate 40 in the future. That range will be 172.2.4.0/26, giving us 62 available IP addresses.
STAFF:
For the staff, we counted the number of desks in the design, giving us 53 connections needed (staff, receptionist, EA). For printers, we are told that there are currently 20.
SERVERS/NETWORK:
For the servers, we are given 43 servers that will provide web services, custom applications available to brokers and clients, an internal email server, DNS, DHCP, and Active Directory, plus 12 network devices. We must double that to 86 servers for future Active Directory needs and 24 network devices.
EXECUTIVE LEVEL:
For the executive segment, we used the given number of devices needed for the current executive offices and extended that into the vacant offices, assuming that any new executive will sit in one of those. This gives a total of 10 workstations currently needing addresses (4 at CEO level and above, plus 6 vacant offices), with 20 to be provided for future growth.
CLASSIFIED NETWORK:
For the classified network, we will have 12 network devices, XX servers, and 18 workstations, in addition to 18 VoIP phones and 13 VTCs. There will be no DMZ, and one of the ASAs will be replaced with a Dell SonicWALL 3600 (a firewall appliance with VPN capability). We will maintain the same addressing and VLAN scheme; since this is a separate network, this allows for ease of management by the administrators.
Unclassified Network Diagrams, VLANs, and IP Addresses:
[Figure: Unclassified network diagram (image1.jpg)]
Unclassified VLANs

| VLAN Name | VLAN ID | Network | Network Range | Available IP Addresses |
|---|---|---|---|---|
| Guest | 101 | 172.2.30.0/25 | 172.2.30.1 – 172.2.30.126 | 126 |
| Servers/Network | 201 | 172.2.20.0/23 | 172.2.20.1 – 172.2.21.254 | 510 |
| VoIP | 301 | 172.2.10.0/24 | 172.2.10.1 – 172.2.20.254 | 254 |
| Staff | 401 | 172.2.2.0/23 | 172.2.2.1 – 172.2.3.254 | 510 |
| Executive | 501 | 172.2.1.0/25 | 172.2.1.1 – 172.2.1.126 | 126 |
Unclassified IP Addresses and Subnets

| Segment | VLAN ID | Device quantity | IP addresses required (including growth) | Subnet | Number of Hosts | First Host – Last Host |
|---|---|---|---|---|---|---|
| Servers/Network | 201 | 71 | 142 | 172.2.20.0/23 | 510 | 172.2.20.1 – 172.2.21.254 |
| DMZ | N/A | 6 | 62 | 172.2.40.0/26 | 62 | 172.2.40.1 – 172.2.40.64 |
| VoIP/VTC | 301 | 106 | 212 | 172.2.10.0/24 | 254 | 172.2.10.1 – 172.2.10.254 |
| Guest | 101 | 40 | 80 | 172.2.30.0/25 | 126 | 172.2.30.1 – 172.2.30.126 |
| Conference Rooms | 401 | 20 | 40 | 172.2.2.192/26 | 62 | 172.2.2.193 – 172.2.2.254 |
| Printers | 401 | 20 | 40 | 172.2.3.0/26 | 62 | 172.2.3.1 – 172.2.3.62 |
| Executive Offices | 501 | 4 | 8 | 172.2.1.0/26 | 62 | 172.2.1.0 – 172.2.1.62 |
| Managers/Vacant | 501 | 13 | 26 | 172.2.1.64/26 | 62 | 172.2.1.64 – 172.2.2.128 |
| Staff | 401 | 53 | 106 | 172.2.2.0/25 | 126 | 172.2.2.1 – 172.2.6.126 |
| Brokers | 401 | 28 | 56 | 172.2.2.128/26 | 62 | 172.2.5.128 – 172.2.5.190 |
Classified Network Diagram, VLANs, and IP Addresses
[Figure: Classified network diagram (image2.jpg)]
Classified VLANs

| VLAN Name | VLAN ID | Network | Network Range | Available IP Addresses |
|---|---|---|---|---|
| Servers/Network | 201 | 172.2.20.0/24 | 172.2.20.1 – 172.2.20.254 | 254 |
| VoIP | 301 | 172.2.10.0/24 | 172.2.10.1 – 172.2.10.254 | 254 |
| Staff | 401 | 172.2.2.0/27 | 172.2.2.1 – 172.2.2.190 | 190 |
| Executive | 501 | 172.2.1.0/25 | 172.2.1.1 – 172.2.1.126 | 126 |
Classified IP Addresses and Subnets

| Segment | VLAN ID | Device quantity | IP addresses required (including growth) | Subnet | Number of Hosts | First Host – Last Host |
|---|---|---|---|---|---|---|
| DMZ | N/A | 4 | 32 | 172.2.40.0/27 | 8 | 172.2.40.1 – 172.2.40.30 |
| Servers/Network | 201 | 71 | 142 | 172.2.20.0/24 | 254 | 172.2.20.1 – 172.2.20.254 |
| VoIP/VTC | 301 | 83 | 166 | 172.2.10.0/24 | 254 | 172.2.10.1 – 172.2.10.254 |
| Printers | 401 | 10 | 20 | 172.2.2.128/26 | 62 | 172.2.2.129 – 172.2.2.192 |
| Executive Offices | 501 | 4 | 8 | 172.2.1.0/26 | 62 | 172.2.1.0 – 172.2.1.62 |
| Managers/Vacant | 501 | 13 | 26 | 172.2.1.64/26 | 62 | 172.2.1.65 – 172.2.2.126 |
| Staff | 401 | 53 | 106 | 172.2.2.0/25 | 126 | 172.2.2.1 – 172.2.2.126 |
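The sizing rule used throughout this section (count the devices, double for 100% growth, pick the smallest prefix that fits) and the tables above can be checked mechanically. The script below is an added example, not part of the RFP response: it takes the rows of the unclassified IP Addresses and Subnets table, computes the minimum prefix for each doubled count, and verifies that each listed first/last host actually matches the listed subnet, that no two subnets overlap, and which subnets fall inside the 172.2.0.0/22 allocation named at the start of the section.

```python
"""Added example (not the RFP team's code): consistency checks for the WWTC
subnet plan, using only the Python standard library.

Rows are copied from the unclassified "IP Addresses and Subnets" table:
(segment, device quantity, subnet, listed first host, listed last host).
"""
import ipaddress
import math

UNCLASSIFIED_ROWS = [
    ("Servers/Network", 71, "172.2.20.0/23", "172.2.20.1", "172.2.21.254"),
    ("DMZ", 6, "172.2.40.0/26", "172.2.40.1", "172.2.40.64"),
    ("VoIP/VTC", 106, "172.2.10.0/24", "172.2.10.1", "172.2.10.254"),
    ("Guest", 40, "172.2.30.0/25", "172.2.30.1", "172.2.30.126"),
    ("Conference Rooms", 20, "172.2.2.192/26", "172.2.2.193", "172.2.2.254"),
    ("Printers", 20, "172.2.3.0/26", "172.2.3.1", "172.2.3.62"),
    ("Executive Offices", 4, "172.2.1.0/26", "172.2.1.0", "172.2.1.62"),
    ("Managers/Vacant", 13, "172.2.1.64/26", "172.2.1.64", "172.2.2.128"),
    ("Staff", 53, "172.2.2.0/25", "172.2.2.1", "172.2.6.126"),
    ("Brokers", 28, "172.2.2.128/26", "172.2.5.128", "172.2.5.190"),
]


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length with at least `hosts` usable addresses."""
    host_bits = 2  # /30 is the smallest prefix that still has usable hosts
    while (2 ** host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def check_row(segment, devices, subnet, first, last, growth=2.0):
    """Return sizing figures and a list of inconsistencies for one table row."""
    net = ipaddress.ip_network(subnet, strict=True)
    required = math.ceil(devices * growth)      # the 100% growth rule
    usable = net.num_addresses - 2              # minus network and broadcast
    expected_first = net.network_address + 1
    expected_last = net.broadcast_address - 1
    issues = []
    if usable < required:
        issues.append(f"{subnet} has {usable} usable hosts, needs {required}")
    if ipaddress.ip_address(first) != expected_first:
        issues.append(f"first host should be {expected_first}, table says {first}")
    if ipaddress.ip_address(last) != expected_last:
        issues.append(f"last host should be {expected_last}, table says {last}")
    return {
        "segment": segment,
        "required": required,
        "minimum_prefix": prefix_for_hosts(required),
        "usable": usable,
        "issues": issues,
    }


def find_overlaps(rows):
    """Pairs of segments whose subnets overlap (which would defeat VLAN isolation)."""
    nets = [(r[0], ipaddress.ip_network(r[2], strict=True)) for r in rows]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def outside_allocation(rows, allocation):
    """Segments whose subnet is not carved out of the given allocation."""
    alloc = ipaddress.ip_network(allocation, strict=True)
    return [r[0] for r in rows
            if not ipaddress.ip_network(r[2], strict=True).subnet_of(alloc)]


if __name__ == "__main__":
    for row in UNCLASSIFIED_ROWS:
        result = check_row(*row)
        status = "ok" if not result["issues"] else "; ".join(result["issues"])
        print(f"{result['segment']:<18} needs {result['required']:>3} hosts "
              f"(min /{result['minimum_prefix']}), usable {result['usable']:>3}: {status}")
    print("overlapping subnets:", find_overlaps(UNCLASSIFIED_ROWS) or "none")
    print("outside 172.2.0.0/22:", outside_allocation(UNCLASSIFIED_ROWS, "172.2.0.0/22"))
```

The same functions can be run over the classified table by swapping in its rows.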
Equipment List
[Figure: Equipment list (image3.jpg)]
6.2 Security
The scope of this universal policy covers the security, use, and protection of all WWTC information, information systems, applications, and network devices. Each section of the policy addresses one defined area, and updates or changes to the policy will be communicated to all employees as soon as those changes are made. RFP Team 5 will include the Security Policies as enclosures attached to this outline.
Security Design
[Figure: Security design (image4.png)]
Certain company assets will be ranked as more important than others and will need stronger security for more effective protection. Assets for the World Wide Trading Company include employees, clients, the market tracking application, the stock and bond analytical application, the online trading application, and the physical network infrastructure, for example switches and servers.
World Wide Trading Company will also have application servers in place to run the client services the company offers. These servers include the Market Tracking application, the Stock and Bond Analytical application, and the Online Trading Platform. Because these services are available over the web, it is important that they use Hypertext Transfer Protocol Secure (HTTPS) to transmit data over the Internet. HTTPS encrypts the data being transferred using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol; these protocols protect data in transit over an unsecured network.
A distinct management VLAN, separated from the rest of the network by a firewall or access lists, is necessary because the foundation of our network management security will be based on these servers. Only traffic from managed devices, or traffic protected by encryption, will be permitted into the management VLAN.
To remove the possibility of management traffic being intercepted in transit, it will be kept off the production network. Each device will be configured with a physical port on the management VLAN, with access through SSH or IPsec encryption. Only appropriate incoming packets will be permitted, based on the policy for that subnet. Outbound traffic will be filtered to eliminate spoofing and minimize any malicious or illegitimate activity: filtering traffic leaving each subnet prevents spoofing, and an incorrect source address is an indicator of a possible attempt to initiate a DDoS or similar attack, or of a compromised or misconfigured machine. A one-time password server, RSA Security's ACE server, will be used for strong authentication.
If communication over the production network is necessary, SSH or another encrypted protocol will be used. Audit requirements will be met by logging to the syslog servers located on the management network. Other techniques can be used to enhance security, because most busy network administrators cannot monitor every unused port. One is to require user authentication through RADIUS or LDAP before users are given access to any resources, a technology implemented in Cisco's User Registration Tool (URT) that, depending on the credentials supplied, assigns users to different VLANs.
Layer 2 security will be enforced by limiting the MAC addresses permitted to communicate on each port. A flood of MAC addresses, or even a single new MAC address, will indicate intrusion or ARP spoofing activity such as a sniffing utility. To ensure that frames for a designated Ethernet address are always forwarded to the specified port, which also prevents ARP spoofing attacks, a static MAC assignment will be created; on a Cisco switch, "set cam permanent aa-bb-cc-11-22-22 6/1" sets a static entry for a port.
The number of MAC addresses appearing on each port will be limited to one or a small number. Configuring a timeout will prevent a new MAC address from appearing until a certain period has elapsed; this is configured with the "set port security" statement on a Cisco switch. Switches and bridges will use the Spanning-Tree Protocol (STP) to build MAC address forwarding tables and establish a tree-like topology that forwards frames along the fastest path and eliminates loops.
The root bridge of the spanning tree will be located near the core of the network, on the highest-bandwidth links, for optimum performance. To enforce the STP topology and prevent the root bridge from appearing on an edge segment or on a lower-bandwidth connection, we will use the STP root guard feature, enabled on ports where we do not want to see the root. If superior BPDUs are received on a port with root guard enabled, the port will change from the forwarding to the listening state until the superior BPDU announcements stop.
On ports where end stations are attached, the spanning-tree portfast command is configured; it allows the port to transition immediately to the forwarding state without the delay caused by the STP calculation. After gaining access to a public server, hackers may launch attacks against other hosts on the public segment. This makes it worth recommending a private VLAN, which prevents hosts on the same subnet from communicating with each other while still allowing the required communication to their router and to hosts on other network connections.
Implementing security at the network level completes our security strategy. To prevent even the most determined attacker who penetrates the perimeter defenses from compromising our hosts, strong encryption and authentication will be implemented at the network level. IPsec (IP security), an enhancement to the IP protocol documented in various IETF RFCs, ensures that every packet transmitted on the LAN is encrypted with strong encryption algorithms.
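The Layer 2 controls above produce two signals the syslog servers on the management network will see: a flood of different MAC addresses on one port, or a single MAC address that is either unknown or belongs to a different port's static entry. The script below is an added example (not the RFP team's code) of triaging those signals; it assumes the access switches log the IOS message %PORT_SECURITY-2-PSECURE_VIOLATION, that the static MAC-to-port assignments are available as a dict, and that the log lines, hostname, and MAC addresses are constructed for the example.

```python
"""Added example (not the RFP team's code): triage of Cisco port-security
violations from syslog into the Layer 2 findings this section describes.

Assumptions: access switches send %PORT_SECURITY-2-PSECURE_VIOLATION to
the management-VLAN syslog server, and the static MAC-to-port table is
available as a dict. Log lines, hostnames and MACs below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?"
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+?)\.?\s*$"
)

# Static MAC assignments (the "set cam permanent" entries), constructed.
STATIC_MACS = {
    "0011.2233.4401": "GigabitEthernet1/0/1",
    "0011.2233.4403": "GigabitEthernet1/0/3",
    "0011.2233.4405": "GigabitEthernet1/0/5",
}

V = "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address"
SAMPLE_LOG = "\n".join([
    # five different MACs on one port within seconds: a flood
    f"Mar  4 10:15:02 sw-access-01 45: {V} 00aa.bbcc.0001 on port GigabitEthernet1/0/7.",
    f"Mar  4 10:15:03 sw-access-01 46: {V} 00aa.bbcc.0002 on port GigabitEthernet1/0/7.",
    f"Mar  4 10:15:04 sw-access-01 47: {V} 00aa.bbcc.0003 on port GigabitEthernet1/0/7.",
    f"Mar  4 10:15:05 sw-access-01 48: {V} 00aa.bbcc.0004 on port GigabitEthernet1/0/7.",
    f"Mar  4 10:15:06 sw-access-01 49: {V} 00aa.bbcc.0005 on port GigabitEthernet1/0/7.",
    # unrelated message the parser must skip
    "Mar  4 10:15:07 sw-access-01 50: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down",
    # a MAC statically assigned to Gi1/0/5 shows up on Gi1/0/3
    f"Mar  4 10:20:41 sw-access-01 51: {V} 0011.2233.4405 on port GigabitEthernet1/0/3.",
    # a single MAC that is in no static entry at all
    f"Mar  4 10:31:09 sw-access-01 52: {V} 0050.56aa.bbcc on port GigabitEthernet1/0/12.",
])


def parse_violations(text):
    """Return (timestamp, port, mac) for every port-security violation line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a port-security violation
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        events.append((ts, m["port"], m["mac"].lower()))
    return events


def analyze(text, static_macs, window=timedelta(seconds=60), flood_threshold=5):
    """Classify violations per port: mac-flood, known-mac-on-wrong-port, unknown-mac."""
    by_port = defaultdict(list)
    for ts, port, mac in parse_violations(text):
        by_port[port].append((ts, mac))
    alerts = []
    for port, events in sorted(by_port.items()):
        events.sort()
        # sliding window: most distinct MACs seen on this port within `window`
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({mac for _, mac in events[start:end + 1]}))
        if peak >= flood_threshold:
            alerts.append({"port": port, "kind": "mac-flood", "distinct_macs": peak})
            continue
        for _, mac in events:
            home = static_macs.get(mac)
            if home == port:
                continue  # violation from the port's own permitted MAC; nothing to flag
            kind = "unknown-mac" if home is None else "known-mac-on-wrong-port"
            alerts.append({"port": port, "kind": kind, "mac": mac})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, STATIC_MACS):
        print(alert)
```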
6.2.1 Roles and Responsibilities
· President – Will ensure that all policies are communicated, understood and enforced by the departments that are responsible for maintaining them.
· CIO – Will ensure that there are proper resources and support to enable the IT department to manage and effectively support the company, their clients and employees as directed by the President.
· CISO – Will ensure there is an effective Information Security department to handle all aspects of IT Security within the Company, and address any concerns on management of the IT Security program.
· Administrators – Will follow the Corporate Policies by managing and supporting the Policies in a technical manner.
· Security – Will ensure that all policies can be met, and that all employees are complying with the policies in place.
· Users – Will ensure they are working in compliance with all policies and will bring to the attention of management when there are potential questions or deviations from the Corporate Policy.
6.3 VoIP and Wireless
For a productive and functional wireless deployment, a Cisco Aironet 1250 Series wireless access point (WAP) will be installed in each of the conference rooms and in the lobby. The Aironet 1250 is a good choice for the lobby because of the heavy bandwidth use expected for voice, data, and video applications in these areas. The WAP is also a dual-band device with multiple channels, able to limit channel overlap during high-traffic use, support location services, and detect malicious clients and deter an attacker. A Cisco 4400 Series Wireless LAN Controller (WLC) will be used to manage the WAPs from a single point, providing real-time communication to and from the WAPs and delivering centralized security policies, intrusion detection and prevention capabilities, quality of service, and mobility services.
The WLC connects to the PoE switches and is configured with three VLANs: WWTC employee, WWTC guest, and voice for wireless phones. To provide the maximum bandwidth and reduce RF interference, the APs will be placed in the center of each area and configured to use 802.11g (which supports the 54 Mbps bandwidth requirement) on the 2.4 GHz frequency. The 2.4 GHz band is the best option because other devices, for example microwave ovens, use 5 GHz, and APs on 5 GHz would be at risk of RF interference. The APs will be mounted at each end of the two conference rooms and the lobby rather than overhead, so that they do not detract from the rooms' appearance. To maximize channel and bandwidth use, the APs will be installed eight feet from the floor in each room and will face downward at 40 degrees. The antennas will be directional to ensure adequate coverage, and the APs in the two rooms will use separate channels (6 and 11) to keep similar channels from interfering with each other where coverage overlaps. The lobby APs will be placed at each end, eight feet from the floor, facing downward at 40 degrees; both antennas will be directional to ensure adequate coverage, and separate channels (6 and 11) will be used to mitigate channel interference.
For security, we will use 802.1x (WPA2 Enterprise) authentication: all WWTC users and guests must supply a username and password (guests will be given a temporary username and password) before authenticating onto the WLAN. The 802.1x standard also adds encryption by means of EAP. This ensures confidentiality, since unauthorized users, for example a war driver using a packet sniffer to view data transmitted over the WLAN, cannot read the data. VLANs configured on the WLC will segregate traffic on the WLAN. The VLANs are named WWTC employees, WWTC guests, and voice. Employees in WWTC's NYC office will be on the WWTC employees VLAN, external users who need to access WWTC's WLAN in any of the three areas will be on the WWTC guests VLAN, and the voice VLAN will be configured to handle wireless phone communication.
Wireless Access Point Configuration with Installation

| Location of AP | Name of APs |
|---|---|
| Lobby | WWTC_Lobby1.1 |
| Conference Room 1 | WWTC_Conf1.1, |
| Conference Room 2 | WWTC_Conf2.1, |

AP configuration summary (the same for all three locations): the APs will be mounted at each end of the room, eight feet from the floor, in the center of the room. The antennas will be directional to give clients adequate coverage. The APs will use separate channels to prevent channel interference, along with 802.11g for bandwidth and the 2.4 GHz frequency.
WWTC requires a Voice over IP (VoIP) plan that will reduce costs and maintain 100% availability. The VoIP implementation must be flexible enough to accommodate future growth and adapt to internal changes. The New York office must separate VoIP from the data network to prevent interference on the lines and congestion across the network. When run as a single entity, VoIP traffic suffers from reduced bandwidth when there are delays or other issues on the network. By keeping VoIP isolated in its own VLAN, these network problems will be avoided, and the VLAN will make it simple and secure for employees to manage VoIP. Cisco Unified Communications Manager can be used to both monitor and manage IP voice and video services. To make full use of Unified Communications Manager to consolidate VoIP and video messaging services, we will use a Cisco Business Edition 6000.
Outside telephone lines will be provided through public switched telephone network (PSTN) channels. WWTC's executive staff and brokers will make business calls outside of the organization and will require PSTN phone lines. Given the number of users (around 28) and the expected high call volumes, it is estimated that executive staff and brokers will require around six PSTN channels at a 5:1 user-per-channel ratio. For redundancy, voice-network dial peers can be set up to maintain 100% redundancy.
Using the VoIP bandwidth calculator, with the G.729 codec a single VoIP call will require 12 Kbps of bandwidth. The aggregate bandwidth for voice calls should be at least 840 Kbps, on the assumption that 70% of the WWTC staff are using VoIP phones at peak hours.
[Figure: VoIP and wireless design (image5.png)]
6.4 Active Directory
Setting up Active Directory requires the setup of both a Domain Name Services (DNS) server and a Dynamic Host Configuration Protocol (DHCP) server. The DNS server is put in place to resolve host names on the network. The DHCP server is put in place to assign hosts on the network an IP address so they can communicate with other network devices.
Create forest root domain
To begin creating the forest root domain, you must deploy the first forest root domain controller. To do this, log into the server and install Active Directory Domain Services by running the Active Directory Domain Services Installation Wizard. You should also enable the Group Policy setting Try Next Closest Site to allow clients to locate the closest domain controller. Next, install a second domain controller as a backup, following the same steps. Then reconfigure the DNS server by enabling aging and scavenging to eliminate stale DNS records. In the final step, configure the site topology: start by creating an administration group for AD DS. Once the group exists, open Active Directory Sites and Services (from Administrative Tools), right-click the Sites node, select Delegate Control, and assign the proper admin group to the site.
Create Top Tier Organization Units
During this step you will create the top-tier organizational units. These OUs consist of New York office, President, Administrators, CEOs, VPs, Managers, Brokers, IT Dept, FIN Dept, and HR Dept. To create these organizational units, open Active Directory Users and Computers, select the domain under which you are creating the OU, right-click it, select New, and then click Organizational Unit. We will follow these steps for each of the OUs listed above, and they will be created for each child domain.
Create Second Tier Organization Units
Creating the second-tier organizational units follows similar steps, but for these we will create an Employee OU, a Computer OU, and a Printer OU under each of the top-tier OUs already created. To do this, select the top-tier OU you wish to create a second-tier OU for, right-click it, select New, and choose Organizational Unit.
In this section we will create security groups for the users of each of the above organizational units. The groups are as follows:
New York – NY_GRP
President – NY_Pres_R, NY_Pres_W
Administrators – NY_Admin_R, NY_Admin_W
CEO’s – NY_CEO_R, NY_CEO_W
VP’s – NY_VP_R, NY_VP_W
Managers – NY_Mgr_R, NY_Mgr_W
IT – NY_IT_R, NY_IT_W
Brokers – NY_Brokers_R, NY_Brokers_W
Finance – NY_Fin_R, NY_Fin_W
HR – NY_HR_R, NY_HR_W
The above groups are created to help keep track of the resources accessible to each department, and they also allow group policies to be applied to each department separately or as a whole. The first group, NY_GRP, applies to all users in the New York area. The remaining groups are broken down by department or job role; each department has an _R and a _W group, meaning read and write. I have done this to separate groups that should be able to view data on share drives from groups that will be able to change any data that is stored. Everyone in every department will be placed in the read-only group automatically, and those users who require write access will be added to the _W group.
Creating the groups is very simple: start by opening the Active Directory Users and Computers snap-in. After the snap-in has opened, navigate to the OU you created for the department, right-click, choose New, and then Group. For example, for the New York group you will go into the first OU, right-click, select New, and then choose Group.
Group Policies
Below are the policies required by WWTC:
· Enable BitLocker on all servers and workstations
· Set BitLocker to automatically unlock when connected to internal network
· Enable encryption on drive only if space is used
· Enable branch cache on file servers
· Enable cache encryption
· Enable smart card with PIN to access network resources
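As an added example, not part of the original RFP response, the following PowerShell uses the GroupPolicy module to create the policies listed above and link them to the OUs. The domain and OU names are assumptions. The registry-backed settings correspond to the BitLocker, BranchCache and interactive-logon policy templates; a GPO can require and configure BitLocker but does not itself encrypt a drive, so the last function shows the per-machine step, including escrow of the recovery password to AD before encryption starts.

```powershell
# Added example (not from the original plan). Run on a domain controller or a
# management host with the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDN = 'DC=ny,DC=wwtc,DC=local'                                       # assumed
$FVEKey   = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'                         # BitLocker policy key
$PeerDist = 'HKLM\SOFTWARE\Policies\Microsoft\PeerDist\Service'            # BranchCache client policy key
$Lanman   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'        # BranchCache hash publication (file servers)
$LogonKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'  # interactive logon options

function New-GPOIfMissing {
    param([string]$Name, [string]$Comment)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment $Comment }
    return $gpo
}

function Set-PolicyValue {
    # Writes one DWORD registry-backed setting into the GPO's Computer Configuration
    param([string]$Gpo, [string]$Key, [string]$ValueName, [int]$Value)
    Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $ValueName -Type DWord -Value $Value | Out-Null
}

# --- BitLocker: all servers and workstations --------------------------------
$bl = New-GPOIfMissing -Name 'WWTC-BitLocker' -Comment 'Used-space-only encryption, Network Unlock, AD key escrow'
Set-PolicyValue $bl.DisplayName $FVEKey 'OSEncryptionType'  2   # 2 = encrypt used space only (OS drive)
Set-PolicyValue $bl.DisplayName $FVEKey 'FDVEncryptionType' 2   # 2 = encrypt used space only (fixed data drives)
Set-PolicyValue $bl.DisplayName $FVEKey 'OSManageNKP'       1   # allow Network Unlock: automatic unlock on the internal LAN
Set-PolicyValue $bl.DisplayName $FVEKey 'OSRecovery'        1   # "Choose how OS drives can be recovered" enabled
Set-PolicyValue $bl.DisplayName $FVEKey 'OSActiveDirectoryBackup'        1   # store recovery info in AD DS
Set-PolicyValue $bl.DisplayName $FVEKey 'OSRequireActiveDirectoryBackup' 1   # refuse to encrypt until escrow succeeds
New-GPLink -Name $bl.DisplayName -Target $DomainDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# --- BranchCache on file servers -------------------------------------------
# Cache encryption has no separate registry policy here; the BitLocker policy
# above covers the volume that holds the cache.
$bc = New-GPOIfMissing -Name 'WWTC-BranchCache-FileServers' -Comment 'Turn on BranchCache and hash publication'
Set-PolicyValue $bc.DisplayName $PeerDist 'Enable' 1                          # "Turn on BranchCache"
Set-PolicyValue $bc.DisplayName $Lanman   'HashPublicationForPeerCaching' 1   # 1 = publish hashes on all shares
New-GPLink -Name $bc.DisplayName -Target "OU=Domain Member Servers,$DomainDN" `
    -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null                 # assumed server OU name

# --- Smart card + PIN for interactive logon ----------------------------------
# scforceoption is the "Interactive logon: Require smart card" security option.
# Written this way it lands under Extra Registry Settings rather than the
# Security Settings node in GPMC, but clients apply it the same.
$sc = New-GPOIfMissing -Name 'WWTC-SmartCardLogon' -Comment 'Interactive logon: Require smart card'
Set-PolicyValue $sc.DisplayName $LogonKey 'scforceoption' 1
New-GPLink -Name $sc.DisplayName -Target $DomainDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# --- Per-machine step: the GPO does not encrypt anything by itself ----------
function Enable-WwtcBitLocker {
    # Run on each endpoint (startup script or remoting) once the GPO has applied
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { return $vol }
    # Recovery password first, escrowed to AD, so a failed TPM never strands the drive
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -UsedSpaceOnly `
        -EncryptionMethod XtsAes256 -SkipHardwareTest
}

# Check: list what each GPO actually carries before rolling it out
foreach ($g in 'WWTC-BitLocker', 'WWTC-BranchCache-FileServers', 'WWTC-SmartCardLogon') {
    "== $g =="
    Get-GPRegistryValue -Name $g -Key $FVEKey -ErrorAction SilentlyContinue | Format-Table ValueName, Value
    Get-GPRegistryValue -Name $g -Key $PeerDist -ErrorAction SilentlyContinue | Format-Table ValueName, Value
    Get-GPRegistryValue -Name $g -Key $LogonKey -ErrorAction SilentlyContinue | Format-Table ValueName, Value
}
```

Network Unlock additionally needs the Network Unlock feature installed on a WDS server and the network unlock certificate published in the same GPO, which this script does not do; verify the value names against the ADMX templates in use before linking the policies.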
Active Directory
Below are the requirements for Active Directory users and groups:
· Must have OU levels for users and computers
· Three group scopes are used: Global, Universal and Domain Local
· Universal group membership must be restricted and explicitly assigned
· Groups are based on OUs
· Single forest with multiple domains
Below is a comprehensive list of additional GPOs that will be configured to ensure a secure computing environment on both the WWTC LAN and the WWTC classified LAN. Individual settings will be tuned to the security and protection scheme of each network, but these are the general settings that will be applied and linked throughout the domain.
GPO Administrative Settings:
· Control Panel
· Desktop (User Configuration only)
· Network
· Domain Controllers
· Domain Member Servers
· Printers (Computer Configuration only)
· Shared Folders (User Configuration only)
· Start Menu and Taskbar (User Configuration only)
· System
· Windows Components
Security Settings:
· Account Policies
· Audit Policy
· User Rights
· Security Options
· Event Logs
Preferences Settings:
· Applications
· Drive Maps
· Files
· Folders
· Registry
· Network shares
· Devices
· Folder Options
· Internet Settings
· Local Users and Groups
· Network Options
· Power Options
· Printers
· Scheduled Tasks
7 Implementation Plan
With the approval of this RFP, the IT department will coordinate with Purchasing to identify the third-party vendor that will supply all of the equipment annotated in the equipment list. The IT department will then consult with the RFP team to begin the implementation before the New York office is staffed. This allows receiving, unboxing and installation to take place without disturbing employees or guests, and lets the IT department confirm that all connectivity is in place before any disruption or outage can affect users.
The IT department will provide the implementation plan below to all Managers and above so that status and timelines are properly communicated. Given the scope of the plan and the modular, scalable nature of the network, growth should be seamless and transparent to end users, and network upgrades or expansion should not be needed in the first 3-4 years. If greater capacity is required, the IT department will conduct a network upgrade evaluation to expand the existing infrastructure.
Training for administrators will be minimal, as they will be involved in the installation, configuration and deployment of the network. End users will be trained as needed to access their personal share drives and email, but all drive mappings and access rights will already be in place and should be transparent to them. Guests and visitors accessing the network via the WLAN will receive a quick session on connecting to the WLAN.
A contingency plan for network failure must also be addressed. The plan begins by shifting access and resources to the WWTC headquarters domain: the OU directory is replicated to the headquarters domain, and users are given an Internet connection to headquarters via VPN while troubleshooting takes place. Once the issues have been resolved, all users are shifted back to the New York domain for continued access.
7.1 LAN Implementation
STEP  TASK
1     Install the racks for network equipment and servers and run power to the racks.
2     Mount the required networking equipment and servers in the racks and connect power.
3     Run and label Cat 6 cabling for all networking equipment and servers.
4     Configure the unclassified routers and switches, including VLAN configurations.
5     Configure the classified routers and switches, including VLAN configurations.
6     Verify connectivity between all networking equipment on both the unclassified and classified networks using VLAN 201. Troubleshoot and repair any connectivity issues.
7     Run and label all Cat 6 cabling for desktop clients.
8     Connect all servers and desktop clients to the switches and verify communication between all VLANs.
9     Set up the classified and unclassified connections between the Cisco ASAs at the WWTC NY office and WWTC headquarters. Create the connection between the core routers at each location after the ASA connections are made. Troubleshoot and repair any issues.
7.2 Security
STEP  TASK
1     Asset protection
2     Install and configure the firewall and firewall rules
3     Configure the DMZ
4     Encrypted communications
5     VLAN / port security
6     Security technologies
7     Security policies outline
7.3 VoIP and Wireless
STEP  TASK
1     Prepare a reliable Internet connection between offices
2     Introduce a game plan for VoIP
3     Determine VoIP redundancy
4     Determine the best locations for WAPs
5     Install Cisco Aironet 1250 Series WAPs in the appropriate locations
6     Install the Cisco 4400 Series Wireless LAN Controller in the appropriate location
7     Prepare, plan and configure a wireless security plan
8     Use 802.1X (WPA2 Enterprise) authentication
7.4 Active Directory
STEP  TASK
1     Create DNS server
2     Create DHCP server
3     Create AD forest root domain
4     Create child domains (the design is a single forest with multiple domains)
5     Create top-tier OUs
6     Create second-tier OUs
7     Create AD security groups
8     Create GPOs based on groups
8 Project Budget
The goal set forth by WWTC was to reduce overall costs from 30 to 15 percent within the next four years. With the network plans laid out in this document, that goal will be achieved in a cost-effective and timely manner. The overall cost of the project is estimated at $45,000 to $50,000; the range allows for the labor charges of the workers who will carry out the plan.
ITEM       COST
Equipment  $30,000
Software   $10,000
Labor      $10 – 25 per hour
Total      $45,000 to $50,000
9 Summary of Proposal
This proposal has discussed the business goals for WWTC and how they will be accomplished by meeting the business requirements specified for this project. It covers the technical capabilities Team 5 will provide to WWTC: all of the necessary components of a local area network to enable WWTC to achieve its goals. Team 5 will improve security, provide faster and more reliable network speeds, wireless and VoIP access, a more redundant network built in a modular manner to support future growth, and a classified network for sharing sensitive information with WWTC headquarters in Hong Kong and other branch offices. The proposal has also addressed the budget Team 5 will be working with and an implementation plan providing a timeline for task and project completion.
10 Design Document Appendix
Switch and router configurations
Firewall configurations
Security Policies
11 References
Chang, P., & Wang, T. (2009, October). Design and implementation of an integrated RFID and VoIP system for supporting personal mobility. International Journal of Computer Network and Communications. Retrieved from http://www.academia.edu/17291393/DESIGN_AND_IMPLEMENTATION_OF_AN_INTEGRATED_RFID_AND_VOIP_SYSTEM_FOR_SUPPORTING_PERSONAL_MOBILITY
Cisco Aironet 1250 Series Access Point Data Sheet. (n.d.). Retrieved June 2, 2016, from http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1250-series/product_data_sheet0900aecd806b7c5c.html
Cisco ASA 5500-X Series Next-Generation Firewalls - Products & Services. (n.d.). Retrieved June 1, 2016, from http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/index.html
Cisco ASR 1001 Router. (n.d.). Retrieved June 1, 2016, from http://www.cisco.com/c/en/us/products/routers/asr-1001-router/index.html
Cisco Catalyst 3560 Series Switches - Products & Services. (n.d.). Retrieved June 2, 2016, from http://www.cisco.com/c/en/us/products/switches/catalyst-3560-series-switches/index.html
Cisco IPS 4270-20 Sensor. (n.d.). Retrieved June 2, 2016, from http://www.cisco.com/c/en/us/support/security/ips-4270-20-sensor/model.html
Cisco Secure Access Control System - Products & Services. (n.d.). Retrieved June 3, 2016, from http://www.cisco.com/c/en/us/products/security/secure-access-control-system/index.html
Cisco Unified Communications 500 Series Model 560 for Small Business: Platform Reference Guide. (n.d.). Retrieved June 3, 2016, from http://www.cisco.com/c/en/us/products/collateral/unified-communications/unity-express/reference_guide_c07-566560.html
Cisco Unified IP Phone 7942G Data Sheet. (n.d.). Retrieved June 3, 2016, from http://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7942g/product_data_sheet0900aecd8069bb68.html
Cisco Wireless LAN Controllers. (n.d.). Retrieved June 2, 2016, from http://www.cisco.com/c/en/us/products/collateral/wireless/4100-series-wireless-lan-controllers/product_data_sheet0900aecd802570b0.htm
Cisco. (2011). Wireless LAN Design Guide for High Density Client Environments in Higher Education. Retrieved June 2, 2016, from http://www.cisco.com/c/dam/en_us/solutions/industries/docs/education/cisco_wlan_design_guie.pdf
Dell Precision Tower 3000 Series (3420). (n.d.). Retrieved June 5, 2016, from http://www.dell.com/us/business/p/precision-t3x20-series-workstation/pd?&-t3x20-series-workstation&&
HP Color LaserJet Pro MFP M527n. (n.d.). Retrieved June 2, 2016, from http://store.hp.com/webapp/wcs/stores/servlet/us/en/pdp/printers/hp-color-laserjet-pro-mfp-m176n
HP NC365T 4-port Ethernet Server Adapter. (n.d.). Retrieved June 2, 2016, from http://h18004.www1.hp.com/products/servers/networking/nc365t/index.html
Singh, B. (2014). Data Communications and Computer Networks. Retrieved from https://books.google.com/books?id=p7B2BAAAQBAJ&pg=PA211&lpg=PA211&dq=A
Technet. (2016). Windows Deployment Services.
TestOut. (n.d.). DHCP Subnetting [Video file]. Retrieved from http://cdn.testout.com/client v5-1-8-81/startlabsim.html?-us.