
Source: JustAnswer - Background Information for World … (f01.justanswer.com/JACUSTOMER-mrd50pjb-/7ae48cb…)


Comprehensive Authentic Assessment Plan Deliverables

A: Executive Summary (ES)

Background Information for World-Wide Trading Company

World-Wide Trading Company (WWTC) is a large online broker firm in Singapore. The trading company has a staff of 9,000 who are scattered around the globe. Due to aggressive growth in business, they want to establish a regional office in New York City. They have leased an entire floor of a building on Wall Street. You were selected as a contractor (your group) to build a state of the art, high availability, secure network. The President of the company asked you to set up the state of the art network by the end of this year. He shared with you the organizational structure and a list of the 100 employees. The floor of the new site is solid and a gigabit network can be set up on the existing network wiring. Also, the existing power supply will meet the client's current and future demand. The President has required these business goals:

Business and Technical Goals

• Increase revenue from 5 billion to 35 billion in three to four years.
• Reduce the operating cost from 28 to 16 percent in two to three years by using an automated system for buying and selling.
• Provide secure means of customer purchase and payment over the Internet.
• Build a high availability, moderate confidentiality and moderate integrity unclassified network (based on The National Institute of Standards and Technology, NIST).
• Build a classified network with high confidentiality, moderate integrity, and moderate availability (based on NIST).
• Allow employees to attach their notebook computers to the WWTC network and wireless Internet services.
• Provide state of the art VoIP and Data Network.
• Provide faster Network services.
• Provide fast and secure wireless services in the lobby, conference rooms (100x60), and the cubicle areas.

On the basis of these business goals, your group is responsible for designing, configuring, and implementing fast, reliable and secure networks (classified and unclassified).

WWTC LAN/WLAN/VoIP:

Propose a network design that solves the current security audit problems (see security sections) and meets the business and technical goals. You are also required to provide a modular, scalable network. Provide redundancy at the building core layer, building distribution layer, access layer and workstation level to avoid a single point of failure. For the building access layer, provide redundant uplink connections to the building distribution layer.

Select appropriate Cisco switch model for each part of your enterprise campus model design from the Cisco Products Link, and use the following assumptions in your selection process.

Selecting the Access layer switches:

a. Provide one port to each device
b. Make provision for 100% growth

Server farm switches

Assume 6 NIC cards in each server, with one NIC card using one port of the switch. Dual processors and dual power supply.

Propose an IP addressing redesign that optimizes IP addressing and IP routing (including the use of route summarization). Provide migration provision to IPv6 protocol in future.
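The addressing redesign above (hierarchical scheme, 100% growth headroom, route summarization and an IPv6 migration path) can be worked through for the sample inventory in Table 1. The following is an added example, not part of the assignment text; the site blocks 10.20.0.0/16 and 2001:db8:20::/48, the server count and the per-subnet device counts derived from Table 1 are assumptions.

```python
"""Hierarchical IPv4 plan for the WWTC New York site with route summarization.

Added example, not part of the original assignment text. Per-subnet device
counts are constructed from the sample inventory in Table 1 (telephones +
workstations per office, one switch port per device, 100% growth headroom).
The site block 10.20.0.0/16, the IPv6 block 2001:db8:20::/48 and the server
count are assumptions made for the example.
"""
import ipaddress
import math

SITE_V4 = ipaddress.ip_network("10.20.0.0/16")      # assumed NYC site block
SITE_V6 = ipaddress.ip_network("2001:db8:20::/48")  # assumed, for dual-stack

# Constructed from Table 1. Each regional VP subnet has eight office rows
# (VP office, 2 managers, 4 brokers, staff) of 2 telephones + 2 workstations.
INVENTORY = {
    "VP-OPR":      {"phones": 2,  "workstations": 1},
    "CEO":         {"phones": 12, "workstations": 6},   # IT, FIN, HR and their staff
    "VP-NW-USA":   {"phones": 16, "workstations": 16},
    "VP-SW-USA":   {"phones": 16, "workstations": 16},
    "VP-NE-USA":   {"phones": 16, "workstations": 16},
    "VP-SE-USA":   {"phones": 16, "workstations": 16},
    "VP-M-USA":    {"phones": 16, "workstations": 16},
    "PRINTERS":    {"printers": 20},
    "SERVER-FARM": {"server_nics": 48},   # assumed 8 servers x 6 NICs, one port each
}


def hosts_required(counts: dict, growth: float = 1.0) -> int:
    """One address (and one switch port) per device, plus the growth provision."""
    return math.ceil(sum(counts.values()) * (1 + growth))


def prefix_for(hosts: int) -> int:
    """Smallest prefix length whose block fits `hosts` after reserving the
    network, broadcast and default-gateway addresses."""
    size = 4
    while size - 3 < hosts:
        size *= 2
    return 32 - int(math.log2(size))


def allocate(site: ipaddress.IPv4Network, inventory: dict, growth: float = 1.0) -> dict:
    """Carve `site` into one subnet per inventory entry, largest first so every
    block stays aligned on its own size (no gaps, no overlaps)."""
    needs = {name: prefix_for(hosts_required(c, growth)) for name, c in inventory.items()}
    plan = {}
    cursor = int(site.network_address)
    for name, prefix in sorted(needs.items(), key=lambda kv: (kv[1], kv[0])):
        net = ipaddress.IPv4Network((cursor, prefix))
        if not net.subnet_of(site):
            raise ValueError(f"{name}: site block {site} exhausted")
        plan[name] = net
        cursor += net.num_addresses
    return plan


def summary_route(networks) -> ipaddress.IPv4Network:
    """Single supernet covering all allocated subnets: the one route the
    distribution layer needs to advertise towards the core."""
    nets = sorted(networks, key=lambda n: int(n.network_address))
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def ipv6_companions(plan: dict, site6: ipaddress.IPv6Network = SITE_V6) -> dict:
    """Dual-stack provision: the i-th IPv4 subnet gets the i-th /64 of the site /48."""
    base = int(site6.network_address)
    return {name: ipaddress.IPv6Network((base + (i << 64), 64))
            for i, name in enumerate(plan)}


def overlaps(plan: dict) -> list:
    """Pairs of subnets that overlap; must be empty for a valid plan."""
    nets = list(plan.items())
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    plan = allocate(SITE_V4, INVENTORY)
    v6 = ipv6_companions(plan)
    for name, net in plan.items():
        print(f"{name:12} {str(net):18} {v6[name]}")
    print("summary route:", summary_route(plan.values()))
    print("overlaps:", overlaps(plan))
```

Because the blocks are assigned largest first from an aligned base, the whole site collapses into one summary route (10.20.0.0/22 for these counts), which is what keeps the core routing table small as departments grow.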

Propose high-level security plans to secure key applications and servers; encryption of all applications is not acceptable. Develop a security policy to stop sniffing and man-in-the-middle attacks. Your security plan must be based on current industry standards: multilayer security, or defense in depth.

Integrate voice and data network to reduce cost. For dialing outside, the World-Wide Trading Company proposes a plan for 100% connectivity with a minimum number of outside lines. For telephone requirements, see the Organization Chart and Telephone Equipment Table.

Provide state of the art VoIP and Data Network.

Provide aggregate routing protocols with a hierarchical IP scheme.

Centralize all services and servers to make the network easier to manage and more cost-effective.

Provide LAN speed minimum 100 MB and Internet speed minimum 54 MB.

Provide wireless network access to network users and guest users with a minimum 54 Mbps of bandwidth. (You can assume that site survey is done and no sources of interference or RF were discovered.)

Provide provisions for video conference and multicast services.

Standardize on TCP/IP protocols for the network. Macintoshes will be permitted only as guest notebooks but must use TCP/IP protocols or the Apple Filing Protocol (AFP) running on top of TCP.


Provide extra capacity at switches so authorized users can attach their notebook PCs to the network

Install DHCP software to support notebook PCs

The World-Wide Trading Company will use the following applications/services:

Microsoft Office 365 plan (Office 2016, Exchange, Active Directory, SharePoint, One Drive, and Skype for Business)

• Sending and receiving e-mail
• Accessing the library card-catalog
• File Server application
• Adobe Pro
• Secure Zip

Associates will use the following custom applications:

Market Tracking Application. This application will provide real-time status of stock and bond market to brokers and their clients.

Stock and Bond Analytical Application. This application will provide analysis of stock and Bond to Brokers only.

On Line Trading. The Company wishes to train new clients in online trading to attract new customers. The Company will sign up new clients to receive streaming video and instructions

Assume any information (with proper justification) which you think is missing and critical to the development of the design.

WWTC Security:

WWTC has strong security requirements to ensure strong authentication, data confidentiality and separations between internal protected server and public server.

The security design must ensure:

• Internet connectivity and any other unclassified network must be physically separate from the network.
• E-mail is appropriately used to communicate business sensitive information.
• Confidential business information and public data are not connected to the same physical network.
• The use of a two-factor authentication mechanism is enabled.
• Sensitive business information must not be transmitted in clear text between server and client.


The following is a sample network diagram at another WWTC site

Classified Network

In addition to the required unclassified network, WWTC is requiring a classified network:

1. The classified network must be physically separated from the unclassified network.

2. Only VPs and Department heads are allowed to access the classified network.

3. Control should be put in place to prevent local users from accessing the classified network or removing data in any way. This includes removing media, AV recorders, pen and paper, and any form of printer.

4. All data transmitted on the classified network must be cryptographically protected throughout the network (Crypto devices are highly recommended).

5. All classified data must be centrally stored and secured in a physically separate area from the unclassified network.


6. The classified network is used for classified email only. WWTC needs to be able to send classified email from the NYC office to their HQ office.

7. No redundancy, AD, Wireless, or VoIP required for the classified network.

WAN Connectivity

In addition to the cryptographic protections of the data within the classified network, all data crossing wide-area links should undergo another layer of cryptographic protection such as IPSec/VPN/SSL.

Public Servers

All public servers must be configured for HTTPS connections and accept all requests that come from valid IP addresses and pass through the firewall. The server must request some form of identity from the connecting party.

Site-to-site VPN tunnels

All devices must be mutually authenticated and cryptographic protection should be provided.

PSTN dial-up

Dial-up clients must authenticate with a username and OTP.

User Education

All users should undergo periodic user awareness training program on network threats and good security practices.

Other Security Deliverables:

These are only recommendations on the general approach you might take for this project.

1. Determine the most important assets of the company, which must be protected.
2. Determine the general security architecture for the company.
3. Develop a list of 12 specific security policies that could be applied.
4. Write specific details along with the rationale for each policy.
5. Integrate and write up the final version of the Security Policy Document for submittal.
6. Develop a high availability secure design for this location addressing the above considerations and mitigating the four primary network attack categories mentioned below.


Protect the Network from Four Primary Attack Categories:

Reconnaissance attacks: An intruder attempts to discover and map systems, services, and vulnerabilities.

Access attacks: An intruder attacks networks and systems to retrieve data, gain access, or escalate access privileges.

Denial of Service attacks: An intruder attacks your network in a way that damages or corrupts your computer system or denies you and others access to your networks, system, or services.

Worms, viruses, and Trojan horses: Malicious software is inserted onto a host in order to damage a system, corrupt a system, replicate itself, or deny services or access to networks, system or services.

Sample Security Policies:

• Policies defining acceptable use
• Policies governing connections to remote networks
• Policies outlining the sensitivity level of the various types of information held within an organization
• Policies protecting the privacy of the network's users and any customer data
• Policies defining security baselines to be met by devices before connecting them to the network
• Policies for incident response handling

WWTC Active Directory Design:

The WWTC office at New York is largely autonomous and has few IT personnel to take care of day-to-day IT support activities such as password resets and troubleshooting virus problems. You are concerned about sensitive data stored in this location. You want to deploy a highly developed OU structure to implement security policies uniformly and automatically through GPO at all domains, OUs, and workstations.

At this location Windows Server 2012 R2 is required, providing the following 10 AD features:

1. Use BitLocker encryption technology for device (server and workstation) disk space and volumes.

2. Enable a BitLocker system on a wired network to automatically unlock the system volume during boot (on capable Windows Server 2012 R2 networks), reducing internal help desk call volumes for lost PINs.


3. Create group policies settings to enforce that either Used Disk Space Only or Full Encryption is used when BitLocker is enabled on a drive.

4. Enable BranchCache in Windows Server 2012 for substantial performance, manageability, scalability, and availability improvements

5. Implement Cache Encryption to store encrypted data by default. This allows you to ensure data security without using drive encryption technologies.

6. Implement Failover cluster services.

7. Implement the File Classification Infrastructure feature to provide an automatic classification process.

8. IP Address Management (IPAM) is an entirely new feature in Windows Server 2012 that provides highly customizable administrative and monitoring capabilities for the IP address infrastructure on a corporate network.

9. Smart cards and their associated personal identification numbers (PINs) are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, a user must have the smart card and know the PIN to gain access to network resources.

10. Implement Windows Deployment Services to enable you to remotely deploy Windows operating systems. You can use it to set up new computers by using a network-based installation.

Other AD Deliverables:

Create Active directory infrastructure to include recommended features

Create OU levels for users and devices in their respective OUs.

Create Global, Universal and Local groups. Each global group will contain all users in the corresponding department. Membership in the universal group is restrictive and membership can be assigned on the basis of the least privilege principle. (For design purposes, you can assume that WWTC is a single forest with multiple domains.)

Create appropriate GPO and GPO policies and determine where they will be applied.

Reference:

WWTC Organization Chart

VP of Operation (CIO, CFO, CHRO)

Regional VPs: VP NW USA, VP SW USA, VP NE USA, VP SE USA, VP M USA

Note: WWTC is opening an office only at New York location. Please do not confuse Office holder’s title (VP NW USA) with the location.


Table 1: Sample Equipment Inventory

Subnet    | Offices       | Telephone | Devices | Comment
VP OPR    | VP OPR Office | 2         | 1       | Work Stations
CEO       | IT            | 2         | 1       | Work Stations
CEO       | FIN           | 2         | 1       | Work Stations
CEO       | HR            | 2         | 1       | Work Stations
CEO       | IT's Staff    | 2         | 1       | Work Stations
CEO       | FIN's Staff   | 2         | 1       | Work Stations
CEO       | HR's Staff    | 2         | 1       | Work Stations
VP NW USA | VP Office     | 2         | 2       | Work Stations
VP NW USA | Manager 1     | 2         | 2       | Work Stations
VP NW USA | Manager 2     | 2         | 2       | Work Stations
VP NW USA | Broker 1      | 2         | 2       | Work Stations
VP NW USA | Broker 2      | 2         | 2       | Work Stations
VP NW USA | Broker 3      | 2         | 2       | Work Stations
VP NW USA | Broker 4      | 2         | 2       | Work Stations
VP NW USA | Staff         | 2         | 2       | Work Stations
VP SW USA | VP SW Office  | 2         | 2       | Work Stations
VP SW USA | Manager 1     | 2         | 2       | Work Stations
VP SW USA | Manager 2     | 2         | 2       | Work Stations
VP SW USA | Broker 1      | 2         | 2       | Work Stations
VP SW USA | Broker 2      | 2         | 2       | Work Stations
VP SW USA | Broker 3      | 2         | 2       | Work Stations
VP SW USA | Broker 4      | 2         | 2       | Work Stations
VP SW USA | Staff         | 2         | 2       | Work Stations
VP NE USA | VP NE Office  | 2         | 2       | Work Stations
VP NE USA | Manager 1     | 2         | 2       | Work Stations
VP NE USA | Manager 2     | 2         | 2       | Work Stations
VP NE USA | Broker 1      | 2         | 2       | Work Stations
VP NE USA | Broker 2      | 2         | 2       | Work Stations
VP NE USA | Broker 3      | 2         | 2       | Work Stations
VP NE USA | Broker 4      | 2         | 2       | Work Stations
VP NE USA | Staff         | 2         | 2       | Work Stations
VP SE USA | VP SE Office  | 2         | 2       | Work Stations
VP SE USA | Manager 1     | 2         | 2       | Work Stations
VP SE USA | Manager 2     | 2         | 2       | Work Stations
VP SE USA | Broker 1      | 2         | 2       | Work Stations
VP SE USA | Broker 2      | 2         | 2       | Work Stations
VP SE USA | Broker 3      | 2         | 2       | Work Stations
VP SE USA | Broker 4      | 2         | 2       | Work Stations
VP SE USA | Staff         | 2         | 2       | Work Stations
VP M USA  | VP M Offices  | 2         | 2       | Work Stations
VP M USA  | Manager 1     | 2         | 2       | Work Stations
VP M USA  | Manager 2     | 2         | 2       | Work Stations
VP M USA  | Broker 1      | 2         | 2       | Work Stations
VP M USA  | Broker 2      | 2         | 2       | Work Stations
VP M USA  | Broker 3      | 2         | 2       | Work Stations
VP M USA  | Broker 4      | 2         | 2       | Work Stations
VP M USA  | Staff         | 2         | 2       | Work Stations
          | Printer       |           | 20      | At various offices. Exact location to be determined.
          | Server        |           |         |

WLC and AP Ordering Guide

Table 4. Sample Ordering Information for Cisco Wireless LAN Controllers

(Table columns: Product | Features | Customer Requirements | Part Number)

Wireless LAN Controllers

Cisco 4400 Series Wireless LAN Controller

Features:
• Modular support of 12, 25, 50, or 100 Cisco Aironet access points
• The Cisco 4402 with 2 Gigabit Ethernet ports supports configurations for 12, 25, and 50 access points
• The Cisco 4404 with 4 Gigabit Ethernet ports supports configurations for 100 access points
• IEEE 802.1D Spanning Tree Protocol for higher availability
• IPSec encryption
• Industrial-grade resistance to electromagnetic interference (EMI)

Customer Requirements:
• For midsize to large deployments
• High availability

Part Numbers:
• AIR-WLC4402-12-K9
• AIR-WLC4402-25-K9
• AIR-WLC4402-50-K9
• AIR-WLC4404-100-K9

See the Cisco Wireless LAN Controllers Data Sheet for more information.

Cisco 2100 Series Wireless LAN Controller

Features:
• Supports up to 6, 12 or 25 Cisco Aironet access points
• Eight Ethernet ports, two of which can provide power directly to Cisco APs
• Desk mountable

Customer Requirements:
• For retail, enterprise branch offices, or SMB deployments

Part Numbers:
• AIR-WLC2106-K9
• AIR-WLC2112-K9
• AIR-WLC2125-K9

See the Cisco 2106 Wireless LAN Controller Data Sheet for more information.

Cisco Catalyst® 6500 Series / 7600 Series Wireless Services Module (WiSM)

Features:
• Wireless LAN Controller for Cisco Catalyst 6500 or Cisco 7600 Series Router
• Supports 300 Cisco Aironet access points
• IPSec encryption
• Industrial-grade resistance to electromagnetic interference (EMI)
• Intrachassis and interchassis failover
• Interoperable with Cisco Catalyst 6500 Series Firewall and IDS services modules
• Embedded system for the Cisco Catalyst 6500 Series and Cisco 7600 Series Router infrastructure

Customer Requirements:
• For large-scale deployments
• High availability

Part Numbers:
• WS-SVC-WISM-1-K9
• WS-SVC-WISM-1-K9= (spare)

See the Cisco Catalyst Wireless Services Module Data Sheet for more information.

Cisco Catalyst 3750G Integrated WLAN Controller

Features:
• Cisco Catalyst 3750G Series Switch with wireless LAN controller capabilities
• Modular support of 25 or 50 Cisco Aironet access points per switch (and up to 200 access points per stack*)
• IPSec encryption
• Industrial-grade resistance to electromagnetic interference (EMI)

Customer Requirements:
• For midsize to large deployments
• High availability

Part Numbers:
• WS-C3750G-24WS-S25
• WS-C3750G-24WS-S50

See the Cisco Catalyst 3750G Integrated Wireless LAN Controller Data Sheet for more information.

Cisco Wireless LAN Controller Module for Cisco Integrated Services Routers

Features:
• Wireless LAN controller integrated into Cisco integrated services routers
• Supports 6, 8, 12, or 25 Cisco Aironet access points
• Embedded system for Cisco 2800/3800 Series and Cisco 3700 Series routers

Customer Requirements:
• For retail, small to medium-sized deployments or branch offices

Part Numbers:
• NME-AIR-WLC6-K9
• NME-AIR-WLC6-K9= (spare)
• NME-AIR-WLC8-K9
• NME-AIR-WLC8-K9= (spare)
• NME-AIR-WLC12-K9
• NME-AIR-WLC12-K9= (spare)
• NME-AIR-WLC25-K9
• NME-AIR-WLC25-K9= (spare)

See the Cisco WLAN Controller Modules Data Sheet for more information.

Please refer to the Cisco Wireless LAN Controller Ordering Guide supplement to learn when to add the following SKUs to track the deployment of voice and context-aware mobility applications.

Table 2. Cisco Aironet Indoor Rugged, Indoor, Wireless Mesh, and Outdoor Rugged Access Points

(Table columns: Product | Features | Customer Requirements | Part Number)

Indoor Rugged Access Points

Cisco Aironet 1250 Series

Features:
• Industry's first business-class access point based on the IEEE 802.11n draft 2.0 standard
• Provides reliable and predictable WLAN coverage to improve the end-user experience for both existing 802.11a/b/g clients and new 802.11n clients
• Offers combined data rates of up to 600 Mbps to meet the most rigorous bandwidth requirements
• Designed for both office and challenging RF environments

Customer Requirements:
• Especially beneficial for environments with the following characteristics:
• Challenging RF environments (for example, manufacturing plants, warehouses, clinical environments)
• Bandwidth-intensive applications (for example, digital imaging, file transfers, network backup)
• Real-time, latency-sensitive applications such as voice and video
• Need to support existing 802.11a/b/g and new 802.11n wireless clients

Part Numbers (access point platform with pre-installed radio modules):
• AIR-AP1252AG-x-K9: 802.11a/g/n-draft 2.0 2.4/5-GHz Modular Autonomous Access Point; 6 RP-TNC
• AIR-AP1252G-x-K9: 802.11g/n-draft 2.0 2.4-GHz Modular Autonomous Access Point; 3 RP-TNC
• AIR-LAP1252AG-x-K9: 802.11a/g/n-draft 2.0 2.4/5-GHz Modular Unified Access Point; 6 RP-TNC
• AIR-LAP1252G-x-K9: 802.11g/n-draft 2.0 2.4-GHz Modular Unified Access Point; 3 RP-TNC

See the Cisco Aironet 1250 Series Ordering Guide for more information.

Cisco Aironet 1240AG Series

Features:
• Second-generation 802.11a/g dual-band indoor rugged access point
• 2.4-GHz and 5-GHz antenna connectors for greater range or coverage versatility and more flexible installation options using the broad selection of Cisco antennas available

Customer Requirements:
• Ideal for challenging indoor RF environments
• Recommended for offices and similar environments
• Ideal for deployments above suspended ceilings
• Recommended for outdoors when deployed in a weatherproof NEMA-rated enclosure

Part Numbers:
• AIR-AP1242AG-x-K9: 802.11a/g Nonmodular Cisco IOS Software-Based Access Point; RP-TNC
• AIR-LAP1242AG-x-K9: 802.11a/g Nonmodular LWAPP Access Point; RP-TNC

See the Cisco Aironet 1240AG Series 802.11a/b/g Data Sheet for more information.

Indoor Access Points

Cisco Aironet 1130AG Series

Features:
• Low-profile, enterprise-class 802.11a/g access point with integrated antennas for easy deployment in offices and similar RF environments

Customer Requirements:
• Ideal for offices and similar environments

Part Numbers:
• AIR-AP1131AG-*X-K9

See the Cisco Aironet 1130AG Series Ordering Guide for more information.

Wireless Mesh Access Points

Cisco Aironet 1520 Series

Features:
• Next-generation outdoor wireless mesh access point
• Integrated dual band 802.11 a/b/g radios, Ethernet, fiber and cable modem interface
• Provides easy and flexible deployments for outdoor wireless networks
• Available in a lightweight version only

Customer Requirements:
• Ideal for outdoors
• Recommended for industrial deployments and local government, public safety, and transit agencies

Part Numbers:
• AIR-LAP1522AG-X*-K9

See the Cisco Aironet 1520 Series Lightweight Outdoor Mesh Access Point Ordering Guide for more information.

Cisco Aironet 1500 Series

Features:
• Mesh access point that enables cost-effective, scalable deployment of secure outdoor wireless LANs for metropolitan networks or enterprise campuses
• Available in a lightweight version only

Customer Requirements:
• Ideal for outdoors
• Recommended for providing wireless services and applications to local government, public safety, and transit agencies

Part Numbers:
• AIR-LAP1510AG-*X-K9: Cisco Aironet 1510AG Lightweight Outdoor Mesh Access Point, FCC configuration

See the Cisco Aironet 1500 Series Ordering Guide for more information.

Outdoor Rugged Access Points

Cisco Aironet 1400 Series

Features:
• High-speed, high-performance outdoor bridging solution for line-of-sight applications
• Offers an affordable alternative to leased-line services
• Available in a standalone version only

Customer Requirements:
• High-speed building-to-building or campus connectivity
• Share LAN/Internet access between two or more sites
• Fast installation

Part Numbers:
• AIR-BR1410A-*X-K9: With integrated antenna
• AIR-BR1410A-A-K9-N: With N-Type connector for use with external antennas

See the Cisco Aironet 1400 Series Bridge Data Sheet for more information.

Cisco Aironet 1300 Series

Features:
• Outdoor access point/bridge that offers high-speed and cost-effective wireless connectivity between multiple fixed or mobile networks and clients

Customer Requirements:
• Ideal for outdoor areas, network connections within a campus area, temporary networks for portable or military operations, or outdoor infrastructure for mobile networks

Part Numbers:
• AIR-BR1310G-X-K9: With integrated antenna
• AIR-BR1310G-X-K9-R: With RP-TNC connector for use with external antennas
• AIR-BR1310G-A-K9-T: For transportation applications

See the Cisco Aironet 1300 Series Ordering Guide for more information.

*X = regulatory domain

(Source: Courtesy of the Cisco Web site, http://cisco.com/en/US/prod/collateral/wireless/ps5679/ps6548/prod_brochure0900aecd80565e00_ps2706_Products_Brochure.html)

WLC and AP Placement Templates

Suggested Placement Table: Wireless Network

Building        | Access Point Requirements | Wireless LAN Controller Requirements | Total AP | Total WLC
Building        |                           |                                      |          |
Lobby           |                           |                                      |          |
Cafeteria       |                           |                                      |          |
Conference room |                           |                                      |          |

Suggested Product Table (WLC)

WLC                                       | Cisco Part Number | Quantity | Cost
Cisco 2100 Series Wireless LAN Controller | AIR-WLC2106-K9    | 2        |

Suggested Product Table (AP)

AP                        | Cisco Part Number                                                                             | Quantity | Cost
Cisco Aironet 1250 Series | AIR-AP1252AG-x-K9: 802.11a/g/n-draft 2.0 2.4/5-GHz Modular Autonomous Access Point; 6 RP-TNC | 20       |


B: Project Goal

Introduction

A top notch security program starts with security policies as the foundation, along with processes and procedures for updating the security policies to meet the ever changing cyber security threats faced by all organizations, including WWTC. The following policies are intended as a starting point. Additional policies must be developed that ensure all information security concerns are addressed by the company, resulting in a secure, defense in depth based security program. Violation of any security policy is grounds for dismissal.

Information Classification

One often overlooked aspect of an all-encompassing security program is the need to properly classify information so that each type of information is handled properly and according to best practice (based upon the sensitivity of the information).

Scope: Includes all information stored, processed and/or transported over the WWTC networks.

Public Information: Information that can be safely released outside WWTC without risk of damage to WWTC.

Confidential: Information that requires controlled release and may be damaging to WWTC if accessed by unintended audiences.


Minimal Sensitivity: General company information that should stay within the company but will cause minimal damage if accessed by unintended audiences. Can be transported inside the company in any format. Only U.S. mail, courier, encrypted file transfer and encrypted email are allowed outside WWTC.

Moderate Sensitivity: Information that would cause serious damage to WWTC if accessed by unintended audiences. Only encrypted transport is approved within the company, and only private courier, encrypted email and encrypted file transfer are permissible outside WWTC. Access is on a need to know basis, auditing is mandatory, and improper disclosure is grounds for termination.

High Sensitivity: Unintended access to high sensitivity information can result in unrecoverable damage to WWTC. Only highly encrypted transport including non-repudiation is allowed inside and outside the company. Only private courier is allowed outside the company. Need to know access and auditing are mandatory. Improper disclosure is grounds for termination.
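The transport rules for the three sensitivity levels above can be checked mechanically before a transfer is approved. The following is an added example, not part of the policy document; the channel names, the transfer-record format and the stricter reading taken where the policy is silent (physical media inside the company for High Sensitivity data) are assumptions.

```python
"""Transport checks for the WWTC information classification levels.

Added example, not part of the original policy document. It encodes the
Minimal / Moderate / High Sensitivity transport rules as a decision function
and runs it over a constructed list of transfer records. Channel names and
the record format are assumptions; where the policy text is silent (physical
media inside the company for High Sensitivity data) the stricter reading
is taken.
"""
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    PUBLIC = "public"
    MINIMAL = "minimal"      # Minimal Sensitivity
    MODERATE = "moderate"    # Moderate Sensitivity
    HIGH = "high"            # High Sensitivity


@dataclass(frozen=True)
class Channel:
    electronic: bool               # False means physical media (mail, courier)
    encrypted: bool = False
    non_repudiation: bool = False  # signed, so the sender cannot later deny it


# Assumed channel catalogue for the example.
CHANNELS = {
    "plain_email": Channel(electronic=True),
    "plain_file_share": Channel(electronic=True),
    "encrypted_email": Channel(electronic=True, encrypted=True),
    "encrypted_file_transfer": Channel(electronic=True, encrypted=True),
    "signed_encrypted_email": Channel(electronic=True, encrypted=True, non_repudiation=True),
    "signed_encrypted_file_transfer": Channel(electronic=True, encrypted=True, non_repudiation=True),
    "us_mail": Channel(electronic=False),
    "courier": Channel(electronic=False),
    "private_courier": Channel(electronic=False),
}


def transport_allowed(level: Level, channel_name: str, outside: bool) -> bool:
    """True if `channel_name` may carry `level` data; `outside` means it leaves WWTC."""
    ch = CHANNELS[channel_name]
    if level is Level.PUBLIC:
        return True                                  # safe to release anywhere
    if level is Level.MINIMAL:
        if not outside:
            return True                              # any format inside the company
        # Outside: U.S. mail, courier, encrypted file transfer, encrypted email only.
        return channel_name in ("us_mail", "courier", "private_courier") or ch.encrypted
    if level is Level.MODERATE:
        if not outside:
            return ch.electronic and ch.encrypted    # only encrypted transport inside
        # Outside: private courier, encrypted email and encrypted file transfer only.
        return channel_name == "private_courier" or (ch.electronic and ch.encrypted)
    # Level.HIGH: electronic transport must be encrypted with non-repudiation
    # anywhere; physical media may leave the company only by private courier.
    if ch.electronic:
        return ch.encrypted and ch.non_repudiation
    return outside and channel_name == "private_courier"


def requires_audit(level: Level) -> bool:
    """Need-to-know access and mandatory auditing apply from Moderate Sensitivity up."""
    return level in (Level.MODERATE, Level.HIGH)


# Constructed transfer records: (record id, classification, channel, outside?)
SAMPLE_TRANSFERS = [
    ("T1", Level.MINIMAL, "plain_email", False),
    ("T2", Level.MINIMAL, "plain_email", True),
    ("T3", Level.MODERATE, "us_mail", True),
    ("T4", Level.MODERATE, "encrypted_email", False),
    ("T5", Level.HIGH, "encrypted_email", True),
    ("T6", Level.HIGH, "signed_encrypted_file_transfer", True),
    ("T7", Level.HIGH, "courier", True),
    ("T8", Level.PUBLIC, "plain_file_share", True),
]


def find_violations(records) -> list:
    """Return ids of transfers the classification policy does not permit."""
    return [rid for rid, level, channel, outside in records
            if not transport_allowed(level, channel, outside)]


if __name__ == "__main__":
    for rid in find_violations(SAMPLE_TRANSFERS):
        print(f"{rid}: transport not permitted by classification policy")
```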

Network/Internet

Scope: Applies to all WWTC personnel, management and systems.

Policy: All web based access must be via secure TLS connections only. Clear text HTTP is permitted by management approval only. Unlicensed copyrighted material is not permitted. Password/access credential sharing is not permitted. Network scanning, sniffing and monitoring are not permitted. Bypassing user authentication is not permitted. Malware and software that is not approved by management are not permitted.


Acceptable UseThe acceptable use security policy outlines what activities are and are not permitted on

the WWTC networks and systems by employees, partners, and management.

Scope: Applies to all personnel, employees, partners and management that use WWTC networks

and systems.

Policy: All information created using WWTC networks and systems is the property of WWTC.

Personal use of WWTC networks is prohibited. Sharing authentication credentials is prohibited.

All displays/user interfaces must be protected with an automatic lock that triggers after 10 minutes of non-use. All systems must be protected with anti-malware software whose definitions are updated at least daily. Bypassing system or network protection of any kind is strictly prohibited.

Audit

Scope: Applies to all WWTC owned networks and systems, and to any systems that connect to WWTC networks.

Policy: The WWTC information security team will perform automated vulnerability scans at a random time once per week, manual audits quarterly, and access logging on a continuous basis. Audit logs must be reviewed immediately following each audit.

High Security Network

The WWTC network includes an enclave that stores and processes highly sensitive information. This network is known as the "high security network."

Scope: Applies to all systems and network infrastructure within the high security network.


Policy: Systems and network infrastructure within the high security network must comply with

all configuration requirements mandatory for WWTC DMZ networks. Access from remote

networks is prohibited. All systems must comply with 99.99% up time availability. The network

must be protected with ACLs that allow access only from management approved hosts.

Ingress/egress protection must include firewalls with deep packet inspection and IDS sensors.

Access controls must use multi-factor authentication.

Network Infrastructure VPN

Scope: Applies to all virtual network WAN connections supported by WWTC.

Policy: All virtual network WAN connections utilizing VPN technology must use multi-factor authentication for session establishment, employing one time passwords with CHAP together with company issued certificates. Furthermore, only FIPS 140-2 validated encryption modules and approved algorithms are to be used for these connections.

Remote Access

Scope: Applies to all employees, partners, contractors and management that require remote access to company networks.

Policy: All remote access connections utilizing VPN technology must use multi-factor authentication for session establishment, employing CHAP challenge-response (so that the password itself is never sent over the network) together with company issued certificates. Note that CHAP requires the authentication server to hold each user's secret in recoverable form, so the credential store on the AAA/RADIUS server must be protected and audited accordingly. Furthermore, only FIPS 140-2 validated encryption modules and approved algorithms are to be used for these connections.

Public Server and DMZ

Scope: Applies to all WWTC publicly accessible server systems.


Policy: Public facing systems must operate within a firewall protected screened subnet (DMZ). Only approved ingress traffic may pass through the firewall protecting the screened subnet. The firewalls (one public facing and one facing the private network) must filter OSI layers 2 through 7. All server systems must be hardened as bastion hosts in accordance with current best practices and defense in depth. All servers and systems within the DMZ must be configured for 99.99% availability with fault tolerant hardware (such as dual power supplies and RAID 5 or 6), UPS, and software failover (if servers are virtual).

Email

Scope: Applies to all employees, partners, contractors and management that require email access while using company networks.

Policy: All email messages within the company must comply with the information classification

security policy. Email intended for delivery outside the company must be signed digitally and

comply with the company information classification security policy. Email that is unsolicited,

intended for harassment, modified without authorization or non-business related is not permitted.

Employee Security Training

Scope: Applies to all employees, partners, contractors and management that use company networks.

Policy: All personnel that work within WWTC must attend a company sponsored information

security training session before they can use company networks and must repeat training sessions

on an annual basis. Information security training must cover company policy and how to

recognize and avoid social engineering attempts such as shoulder surfing and phishing, and

recognize and respond to malware activity and security breaches. Training must also cover user


best practices for safe computing and maintenance and support instructions such as how to reset

passwords.

Data Encryption

Scope: All WWTC systems must comply with this policy where encryption is required by company policy.

Policy: All cryptography used must be FIPS 140-2 validated unless it is not supported by critical software or hardware systems that cannot be replaced; each such exception must be documented and approved by management. Non-compliant algorithms must not be used anywhere else within company networks.

Wireless

Scope: All WWTC wireless network systems must comply with this policy.

Policy: Only approved and company registered wireless access points are allowed on WWTC

premises. All wireless systems must comply with company encryption policies and employ the

use of company compliant VPN technologies for all sessions. Authentication must use strong

two factor authentication compliant with the company VPN security policies.

Conclusion

By adhering to the aforementioned security policies WWTC will ensure that the company

networks which are newly designed are secure. However, the proposed policies must be regarded

as a starting point only as full coverage of all systems and networks, contingency planning, and

maintenance and configuration control policies must be in place to ensure that security policies

are both maintained and enforced. Only through due diligence and adherence to best practices will WWTC ensure that all systems and information remain secure.


References

Cisco. (2005). Network Security Policy: Best Practices White Paper. Retrieved from http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a008014f945.shtml

Jarmon. (2002). A Preparation Guide to Information Security. Retrieved from http://www.sans.org/security-resources/policies/Remote_Access_Policy.pdf

Munior. (2001). Managing Desktop Security. Retrieved from http://www.sans.org/reading_room/whitepapers/basics/managing-desktop-security_520

SANS. (2012). Information Security Policy Templates. Retrieved from http://www.sans.org/security-resources/policies/#template

SANS. (2006). Information Sensitivity Policy. Retrieved from http://www.sans.org/security-resources/policies/Information_Sensitivity_Policy.pdf

SANS. (2012). Audit Security Policy Templates. Retrieved from http://www.sans.org/security-resources/policies/audit.php

SANS. (2006). Remote Access Policy. Retrieved from http://www.sans.org/security-resources/policies/Remote_Access_Policy.pdf

C: Project Scope

Introduction

The earlier proposal focused on the high level network design plan for WWTC, and

touched on each of the requirements WWTC has specified as necessary in order to meet the

company's current and long term growth needs. However, topics such as the equipment list, IP

addressing scheme, and the high level network diagram must also include wireless and VoIP

systems as required by WWTC. In addition, WWTC must have an understanding of how the

WAN will be configured, how fault tolerance will operate, and the link IP address scheme before

accepting and moving forward with the proposal. The following presents these additional design

configurations so that WWTC can move forward with confidence in upgrading their networks.

Equipment List

The following equipment list is an extension of the previous proposal that covers the

additional WWTC requirements mentioned above, including those devices necessary to support

the mandatory VoIP and the LAN to WAN interfaces.

Device | Cisco Model # | Quantity | Comments
Redundant core switches | 6509-E | 2 | Fault tolerant support for up to 534 devices, IP services
Distribution layer switches | 4503-E | 2 | Fault tolerant full mesh distribution layer, IP services
Access layer switches | WS-C3850-48U-E | 22 | UPoE support, 48 Gigabit ports per switch, IP services, stackable for fault tolerant performance, integrated wireless controller
Firewall with IPS | ASA 5508-X | 2 | Redundant support for dual WAN link design; ingress/egress IPS security
Redundant power supply for access switch | PWR-C1-1100WAC | 22 | Second power supply for each WS-C3850-48U-E
Wireless AP | Cisco Aironet 2600 | 8 | 450 Mbps data rate support, 802.11a/b/g/n, LAN integration, VLAN, 128 client session support
Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | 4 | Provides 10G redundant support at the core
Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | 2 | Provides redundant power supply support (this part number is the AC power cord for the 2500 W supply; the 2500 W power supply module itself must also be on the order)
Cisco 4500 switch supervisor | Cisco WS-X45-Sup7L-E | 4 | Provides 10G redundant distribution support
Cisco 4500 series line card | Cisco Catalyst 4500E UPOE line card | 4 | Provides 1G redundant access support
IP phone | Cisco 7841 | 87 | VoIP (the 7841 model is the one used throughout this design)
Router | ASR 1004 | 2 | Screened subnet and VoIP enterprise (CUBE) support

Device Naming Conventions Updated

The following table lists the previously identified devices along with the VoIP device

additions mentioned earlier. It is important to establish a device naming convention that makes


sense to all stakeholders involved, is easy to understand and maintain, as it eases administrative

burden, decreases the chance of error, and enables communications about the network and

infrastructure devices on a level that stakeholders other than the IT staff can easily understand.

Device Type | Device | Configured Name | Placement | Connection | Comments
Redundant core switches | Cisco 6509-E switch | CoreSwitch1, CoreSwitch2 | Data center | 10G to distribution | Fault tolerant support for up to 534 devices, IP services
Distribution layer switches | Cisco 4503-E switch | DistSwitch1, DistSwitch2 | Data center | 10G to core, 1G to access | Fault tolerant full mesh distribution layer, IP services
Access layer switches | WS-C3850-48U-E | Quad1-1 to Quad1-5, Quad2-1 to Quad2-5, Quad3-1 to Quad3-6, Quad4-1 to Quad4-6 (22 switches) | Data center | 1G to distribution, 1G to desktop | UPoE support, 48 Gigabit ports per switch, IP services, stackable for fault tolerant performance, integrated wireless controller
Firewall with IPS | ASA 5508-X | Firewall1, Firewall2 | Data center | 1G to LAN, 100 Mbps to WAN | Redundant support for dual WAN link design; ingress/egress IPS security
Redundant power supply for access switch | PWR-C1-1100WAC | Secondary Supply | Installed in each WS-C3850-48U-E access switch | N/A | Second power supply for each WS-C3850-48U-E
Wireless AP | Cisco Aironet 2600 | WiFi AP | Ceiling mount, catty-corner, halfway to center | 1G to access; 802.11n to clients (802.11b/g disabled, see Voice and Wireless Design) | 450 Mbps data rate support, 802.11a/b/g/n, LAN integration, VLAN, 128 client session support
Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | 6500 Supervisor | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Provides 10G redundant support at the core
Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | 6500 Secondary Supply | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Provides redundant power supply support (this part number is the AC power cord for the 2500 W supply; the supply module itself must also be on the order)
Cisco 4500 switch supervisor | Cisco WS-X45-Sup7L-E | 4500 Supervisor | Installed in DistSwitch1 and DistSwitch2 | N/A | Provides 10G redundant distribution support
Cisco 4500 series line card | Cisco Catalyst 4500E UPOE line card | 4500 PoE Card | Installed in DistSwitch1 and DistSwitch2 | N/A | Provides 1G redundant access support
IP phone | Cisco 7841 | IP Phone 1-87 | Desktops, by office blueprint location | Ethernet | VoIP
Router | Cisco ASR1004 | ASR 1-2 | In front of the screened subnet and behind the firewall | Ethernet | Internal device has CUBE enabled for VoIP services

Page 31: JustAnswer - Background Information for World …f01.justanswer.com/JACUSTOMER-mrd50pjb-/7ae48cb… · Web viewMarket Tracking Application This application will provide real-time

Hierarchical IP scheme and VLAN

The newly presented wireless and WAN hardware requires an updated hierarchical IP

scheme that includes these new portions of the network being proposed. It is especially important

to understand that a separate IP range/subnet for both wireless and WAN facing portions of the

network is essential to the defense-in-depth security strategy that will be applied to the WWTC

network. By establishing separate VLANs for each of these areas, it enables configuration of

ACLs that filter both the ingress and egress traffic flow to and from these areas of the network

that have a higher level of risk from a cyber security perspective.

Location/Dept. VLAN | # of IP Addresses Required | Future Growth (100%) | Rounded Power of 2 | Subnet Bits beyond /16 | Host Bits | Subnet | Usable Host Range
OPR | 21 | 21 | 64 | 10 | 6 | 172.16.6.0/26 | 172.16.6.1-62
NW USA | 32 | 32 | 128 | 9 | 7 | 172.16.1.0/25 | 172.16.1.1-126
SW USA | 32 | 32 | 128 | 9 | 7 | 172.16.2.0/25 | 172.16.2.1-126
NE USA | 32 | 32 | 128 | 9 | 7 | 172.16.3.0/25 | 172.16.3.1-126
SE USA | 32 | 32 | 128 | 9 | 7 | 172.16.4.0/25 | 172.16.4.1-126
M USA | 32 | 32 | 128 | 9 | 7 | 172.16.5.0/25 | 172.16.5.1-126
Network IT | 50 | 50 | 128 | 9 | 7 | 172.16.0.0/25 | 172.16.0.1-126
Wireless | 32 | 32 | 128 | 9 | 7 | 172.16.7.0/25 | 172.16.7.1-126

Each VLAN is sized as required hosts plus 100% growth plus the network and broadcast addresses, rounded up to a power of two: 21 + 21 + 2 = 44 rounds to 64 (a /26), and 32 + 32 + 2 = 66 or 50 + 50 + 2 = 102 rounds to 128 (a /25). The subnet bits column counts the bits borrowed beyond the 172.16.0.0/16 summary (10 for a /26, 9 for a /25); the host bits are the remaining 6 or 7. A 128-address allocation therefore always occupies a /25 with usable hosts .1 to .126, including the wireless VLAN. Each subnet is carved from the start of its own 172.16.N.0/24 block, leaving the remainder of each block available for further growth.
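The sizing rule behind the table above, as an added worked example rather than anything from the original proposal: it takes the required host counts, applies the 100% growth allowance, rounds to a power of two, carves each subnet from its own /24 block inside the 172.16.0.0/16 summary, and then checks the plan for overlaps and for subnets that cannot hold their required hosts. The `VLAN_PLAN` table is constructed from the figures above; the department order, the third-octet block numbers and the 100% growth fraction are assumptions taken from this section, and the code generalizes the table to any host counts or summary range.

```python
import math
import ipaddress

# Constructed input taken from the VLAN plan above:
# (department, third-octet block inside 172.16.0.0/16, hosts required today).
VLAN_PLAN = [
    ("Network IT", 0, 50),
    ("NW USA", 1, 32),
    ("SW USA", 2, 32),
    ("NE USA", 3, 32),
    ("SE USA", 4, 32),
    ("M USA", 5, 32),
    ("OPR", 6, 21),
    ("Wireless", 7, 32),
]

RESERVED = 2  # network and broadcast addresses are never assignable


def size_subnet(required, growth=1.0):
    """Return (addresses, host_bits, prefix_len) for a VLAN that must hold
    `required` hosts today plus a `growth` fraction more in future."""
    needed = required + math.ceil(required * growth) + RESERVED
    host_bits = max(2, math.ceil(math.log2(needed)))
    return 2 ** host_bits, host_bits, 32 - host_bits


def plan_subnets(summary="172.16.0.0/16", entries=VLAN_PLAN, growth=1.0):
    """Carve one subnet per VLAN out of its own /24 block inside `summary`."""
    summary_net = ipaddress.ip_network(summary)
    rows = []
    for dept, block, required in entries:
        addresses, host_bits, prefix = size_subnet(required, growth)
        # Place the subnet at the start of 172.16.<block>.0/24.
        start = int(summary_net.network_address) + block * 256
        net = ipaddress.IPv4Network((start, prefix))
        if not net.subnet_of(summary_net):
            raise ValueError(f"{dept}: {net} falls outside {summary_net}")
        hosts = list(net.hosts())
        rows.append({
            "dept": dept,
            "required": required,
            "growth": math.ceil(required * growth),
            "addresses": addresses,
            "subnet_bits": prefix - summary_net.prefixlen,  # bits borrowed beyond the /16
            "host_bits": host_bits,
            "network": str(net),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "usable": len(hosts),
        })
    return rows


def overlapping(rows):
    """Return pairs of departments whose subnets overlap (must be empty)."""
    nets = [(r["dept"], ipaddress.ip_network(r["network"])) for r in rows]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def check_capacity(rows):
    """Return departments whose subnet cannot hold required + growth hosts."""
    return [r["dept"] for r in rows if r["usable"] < r["required"] + r["growth"]]


if __name__ == "__main__":
    table = plan_subnets()
    for r in table:
        print(f"{r['dept']:<11} {r['required']:>3} {r['growth']:>3} {r['addresses']:>4} "
              f"{r['subnet_bits']:>2} {r['host_bits']:>2} {r['network']:<16} "
              f"{r['first_host']}-{r['last_host'].rsplit('.', 1)[1]}")
    assert not overlapping(table) and not check_capacity(table)
```

Running it prints the same rows as the table, with the OPR VLAN landing on 172.16.6.0/26 (hosts .1 to .62) and every 128-address VLAN on a /25 (hosts .1 to .126); the two check functions are the ones to re-run whenever a department is added or a host count changes.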

High Level Diagram

The following high level diagram depicts the proposed network design with the addition

of the Wi-Fi and VoIP equipment. It is important to keep in mind that the diagram provides a


high level overview rather than the exhaustive accuracy that would be present in the actual network blueprints.

Exhibit 1: Network device connections with WiFi and VoIP.

Voice and Wireless Design

The wireless network design for WWTC will use the Cisco access points listed above, which integrate with the proposed network infrastructure, including VLAN support and infrastructure based access controls, as an essential part of the defense-in-depth strategy. A separate VLAN for wireless will be configured within the infrastructure, primarily so that ACLs can filter traffic to and from wireless clients. Access points will be deployed with ample coverage overlap so that laptops, tablets and smartphones on the WiFi network do not lose connectivity as users move from one location (and AP) to another. Wireless access will be authenticated with IEEE 802.1X (EAP), with the access points and controller acting as RADIUS clients of a RADIUS server tied to the Active Directory infrastructure, so that wireless users carry the same identities and group memberships as on the wired network. The wireless network will be configured for WPA2-Enterprise with AES-CCMP encryption, with per-session keys derived from the 802.1X exchange, which is the strongest protection available in the current wireless standard (WPA2 uses 128-bit AES keys; a 256-bit key length is not a WPA2 option). IEEE 802.11n will be enabled on the Cisco access points to provide over 300 Mbps for 802.11n clients. Legacy IEEE 802.11b and 802.11g data rates will be disabled so that the cell does not fall back to the slowest attached client, as 802.11 otherwise does through mixed-mode protection, ensuring the highest level of performance for WiFi client systems.

VoIP Support

The VoIP system will consist of Cisco devices throughout. Each desk will be equipped with a Cisco 7841 IP phone, which includes an integral 10/100/1000 Ethernet switch: the phone connects to the access switch and a second port loops the connection through to the desktop PC, so no additional cable needs to be pulled to each desk for IP phone support while ample bandwidth remains available to both devices. The phones will be configured for the G.729 codec, whose compression preserves network bandwidth while providing good voice quality. Because G.729 quality degrades noticeably once packet loss exceeds about 1%, it is important to guarantee priority delivery; the infrastructure will be configured with the LLQ (Low Latency Queuing) QoS mechanism so that voice is serviced from a strict-priority queue ahead of less time sensitive traffic such as web browsing and email. The PoE ports of the access switches will power the phones, eliminating the need to pull additional, expensive power cabling to each desk. Calls entering and leaving the site will pass through a Cisco Unified Border Element (CUBE) running on the LAN facing ASR1004 router, which provides the SIP trunk interface and session control between the internal voice network and the outside.

Since a total of 87 IP phones are required for the New York office, this is used as the basis for the bandwidth calculation. The number of calls per device varies from day to day, so the busiest observed period, in which around 70% of the phones are active at once, is used for planning. The bandwidth demanded by the VoIP system (which matters most on the WAN) follows from:

(overhead + packetization size) x 8 x packet rate = bandwidth required per call

With cRTP header compression the IP/UDP/RTP header shrinks to 2 bytes, which with 6 bytes of PPP framing gives 8 bytes of overhead per packet. The G.729 codec produces 20 bytes of payload per packet at the default Cisco packet rate of 50 packets per second (one packet every 20 ms). Per call this is (8 + 20) x 8 = 224 bits x 50 = 11,200 bps, or 11.2 kbps. The 64 kbps per call figure often used for planning is the uncompressed G.711 payload rate (160 bytes x 8 = 1,280 bits x 50), not G.729. Even if all 87 phones were in a call at once, G.729 with cRTP needs about 0.97 Mbps, and the 70% busy-hour case (61 concurrent calls) needs about 0.68 Mbps. Planning at the conservative 64 kbps per call for all 87 phones gives an upper bound of 5.57 Mbps. Either way a DS3 WAN connection, which provides about 44.7 Mbps, is recommended: it leaves ample headroom for voice in the LLQ priority queue (which should be limited to roughly a third of link capacity) together with data during the busiest times of the day.
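The per-call formula above, carried through as an added example (not part of the original proposal) for the codec, header and link combinations a designer actually compares: G.711 against G.729, cRTP against uncompressed headers, and PPP against Ethernet framing, plus the busy-hour concurrency and the LLQ priority-queue budget check against a DS3. The codec payload sizes and the 6-byte PPP and 18-byte Ethernet framing overheads are the standard Cisco planning figures; the one-third priority-queue share is the common LLQ guidance and is an assumption here, as is the 70% busy-hour fraction taken from this section.

```python
import math

# Constructed codec table: voice payload bytes per 20 ms packet and the nominal
# payload rate; these are the standard planning values for each codec.
CODECS = {
    "G.711": {"payload_bytes": 160, "payload_kbps": 64},
    "G.729": {"payload_bytes": 20, "payload_kbps": 8},
}
IP_UDP_RTP_BYTES = 40   # 20 IP + 8 UDP + 12 RTP, uncompressed
CRTP_BYTES = 2          # cRTP compresses the 40-byte header to 2 bytes (4 with a UDP checksum)
L2_OVERHEAD_BYTES = {"ppp": 6, "ethernet": 18, "frame-relay": 6}  # per-packet framing
DS3_BPS = 44_736_000    # nominal DS3 line rate
PRIORITY_QUEUE_SHARE = 0.33  # assumed LLQ guidance: strict-priority queue at most ~1/3 of the link


def per_call_bps(codec, link="ppp", crtp=False, packet_ms=20):
    """Bandwidth of one voice stream: (payload + header + L2 framing) * 8 * packets per second."""
    payload = CODECS[codec]["payload_bytes"] * packet_ms // 20
    header = CRTP_BYTES if crtp else IP_UDP_RTP_BYTES
    packet_bytes = payload + header + L2_OVERHEAD_BYTES[link]
    packets_per_second = 1000 / packet_ms
    return int(round(packet_bytes * 8 * packets_per_second))


def payload_only_bps(codec):
    """The codec's raw payload rate (64 kbps for G.711), ignoring all headers."""
    return CODECS[codec]["payload_kbps"] * 1000


def busy_hour_bps(phones, busy_fraction, bps_per_call):
    """Return (concurrent calls, total bps) when `busy_fraction` of phones are off-hook at once."""
    concurrent = math.ceil(phones * busy_fraction)
    return concurrent, concurrent * bps_per_call


def fits_priority_queue(voice_bps, link_bps=DS3_BPS, share=PRIORITY_QUEUE_SHARE):
    """True if the voice load stays within the LLQ priority-queue budget for the link."""
    return voice_bps <= link_bps * share


if __name__ == "__main__":
    phones = 87
    g729 = per_call_bps("G.729", "ppp", crtp=True)            # 11200 bps, the design case
    calls, busy = busy_hour_bps(phones, 0.70, g729)           # 61 calls, 683200 bps
    _, bound = busy_hour_bps(phones, 1.0, payload_only_bps("G.711"))  # 5,568,000 bps upper bound
    print(f"G.729 + cRTP over PPP: {g729 / 1000:.1f} kbps per call")
    print(f"Busy hour: {calls} calls = {busy / 1e6:.2f} Mbps; 64 kbps bound = {bound / 1e6:.2f} Mbps")
    print("Fits DS3 priority queue:", fits_priority_queue(bound))
```

The same function reproduces the usual Cisco reference figures (G.729 over plain PPP 26.4 kbps, G.729 over Ethernet 31.2 kbps, G.711 over Ethernet 87.2 kbps), which is a quick way to confirm the overhead constants before trusting the trunk sizing; the `fits_priority_queue` check is the one to repeat if the WAN link or the codec changes.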

Conclusion

The WWTC requirements are demanding, and become even more challenging with the mandatory inclusion of both WiFi and VoIP under the same defense-in-depth security as the rest of the network infrastructure. However, since the Cisco devices selected are designed with both high performance and security built in, the result delivered to the end user (WWTC) is a high performance network with the ability to meet the demand.

References

Cisco. (2001). Quality of Service for VoIP. Retrieved from http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/qos_solutions/QoSVoIP/QoSVoIP.html

Cisco. (2016). Cisco Unified Border Element. Retrieved from http://www.cisco.com/c/en/us/products/collateral/unified-communications/unified-border-element/data-sheet-c78-729692.html

Cisco. (2016). Endpoint Matrix. Retrieved from http://www.cisco.com/c/dam/en/us/solutions/collateral/business-video/business-video/endpoint-product-matrix.pdf

Cisco. (2016). IP Phones. Retrieved from http://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phones/index.html

Cisco. (2016). Cisco ASA 5508-X with FirePOWER Services. Retrieved from http://www.cisco.com/c/en/us/support/security/asa-5508-x-firepower-services/model.html

Cisco. (2016). Cisco Catalyst 6500 Series Switches. Retrieved from http://www.cisco.com/en/US/products/hw/switches/ps708/index.html

Cisco. (2016). Cisco Catalyst 6509-E Switch. Retrieved from http://www.cisco.com/c/en/us/products/switches/catalyst-6509-e-switch/index.html

Cisco. (2016). Compare Models. Retrieved from http://www.cisco.com/en/US/products/hw/switches/ps708/prod_models_comparison.html#~tab-e

Cisco. (2016). Interfaces and Modules. Retrieved from http://www.cisco.com/en/US/products/hw/switches/ps708/products_relevant_interfaces_and_modules.html

Cisco. (2016). Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series. Retrieved from http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html

Cisco. (2016). Cisco Aironet 2600 Series. Retrieved from http://www.cisco.com/c/en/us/products/wireless/aironet-2600-series/index.html


D: Design Requirements

Introduction

Best practices are necessary for a secure network in order to stabilize and protect telecommunications within any organization. This document is a proposal for a Cisco network design for the WWTC building in New York City, United States. Microsoft Active Directory provides the directory, authentication and policy services behind the network, and the network itself is designed with the flexibility to support all needs of the WWTC New York City site.

WWTC Requirements

WWTC's very specific list of requirements conveys the expectation that their new

network will be high performance, extremely scalable, cost effective to manage, and very secure.

A Cisco network infrastructure with Microsoft based directory and resource management

features together are fully capable of meeting these expectations. The high performance

requirement means not only that bandwidth is available, but also that protocols and

configurations are in place such as RSTP to prevent traffic loops and broadcast congestion, a

well thought out subnet scheme, VLAN design and robust routing protocols such as EIGRP and

PIM with IGMP Snooping enabled (for Multicast) to ensure that unnecessary traffic (broadcasts


and multi-cast flooding) are contained and required traffic is forwarded over the best path

possible in expeditious fashion. WWTC also expects the network to be designed to accommodate

a growth rate of 100% capacity so that as the company grows and expands they will not have to

invest in network upgrades nor suffer the business disruption that can be caused during network

down time while additions are installed. Along these same lines, modularity is another aspect

that WWTC requires, which would enable changes as well as expansion in the future with a

minimum of disruption, cost, and effort. WWTC expects that sometime in the near future it may

be advantageous or even required to move from the antiquated IPv4 protocol currently in

widespread use to the newer, much improved IPv6, hence all network infrastructure specified on

this project will support both IPv4 and IPv6 along with dual stack and migration capabilities

(such as IPv4 to IPv6 tunneling).

Another requirement is centralized management capability that will enable the company

to manage the new network with minimal IT staff, saving cost and decreasing complexity.

Essential to meeting this requirement are DHCP services for dynamic IP management, which allow a large number of IP configurations to be managed centrally for all hosts on the network, and which improve security through Active Directory integration (a Windows DHCP server will not lease addresses until it has been authorized in AD, which stops an accidentally deployed domain DHCP server from handing out addresses).

Routing requirements for WWTC include a hierarchical IP address design scheme, route

aggregation (which increases network performance by decreasing routing table complexity), and

support for VoIP integrated into the network infrastructure to allow for video and multi-media

support such as the feature rich IP phones Cisco offers that can be installed without requiring a

separate cable infrastructure (as is the case with standard analogue phone systems).


Finally, WWTC has a stringent network security requirement that includes best practice

defense-in-depth layered security countermeasures and defenses which are essential with cyber

crime increasing at an exponential pace. A combination of Microsoft and Cisco managed

infrastructure is fully capable of meeting this expectation.

WWTC Equipment List

As noted above, the equipment and services selected to meet the stated requirements must

be very high performance LAN infrastructure devices along with services designed for

centralized management. Cisco switches, routers (and wireless devices to meet the WWTC

wireless requirement for specific network segments) support the stated requirements when the

models are specified correctly, and using a single vendor for network infrastructure helps ensure

top level performance, ease of administration, and seamless integration. The network devices

listed in the following table will handle over twice the current network capacity requirement,

both in port count as well as bandwidth and performance, while also featuring the required

support such as for VoIP, fault tolerance and high availability, seamless integration with

wireless, and state of the art security features.

Table 1: Proposed devices.

Device | Cisco Model # | Quantity | Comments
Core layer switches (redundant) | 6509-E | 2 | HA/fault tolerant support for up to 534 devices plus advanced IP services
Distribution layer switches | 4503-E | 2 | Supports full mesh distribution layer plus advanced IP services
Access layer switches | WS-C3850-48U-E | 22 | UPoE support, 48 Gigabit ports per switch, advanced IP services, fault tolerant and stackable with integrated wireless controller
Firewall with IPS services | ASA 5508-X | 2 | Support for redundant dual WAN link connections and egress/ingress IPS monitoring
Dual power supply for access switch | PWR-C1-1100WAC | 22 | Second power supply for all WS-C3850-48U-E
Wireless AP | Cisco Aironet 2600 | 8 | 802.11a/b/g/n, LAN integration, up to 450 Mbps data rates, VLAN support, 128 client session capable
Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | 4 | 10G redundant support for the core switch fabric
Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | 2 | Redundant power supply support for HA (this part number is the AC power cord for the 2500 W supply; the supply module itself must also be on the order)
Cisco 4500 switch supervisor | Cisco WS-X45-Sup7L-E | 4 | 10G redundant distribution layer support
Cisco 4500 line card | Cisco Catalyst 4500E UPOE line card | 4 | For 1G redundant access layer support

The network equipment specified above is designed with centralized management, high level security, and high performance and availability in mind. Throughout the network there is no single point of failure, as the dual power supplies on each device, full mesh interconnection, dual supervisor engines, and dual uplinks attest. The Cisco ASA firewall with IPS services both protects the network through deep packet inspection filters and, through its intrusion prevention monitoring, can block access to network segments where critical information is stored or shut down access completely if an intrusion or security breach is detected. The chassis switches can also host Cisco service modules (such as the Firewall Services Module referenced below), which would be configured in a similar manner. In addition, a VLAN will be configured for each department, with ACLs (Access Control Lists) set up so that only authorized access is allowed into each department. At the access layer the Cisco 3850 switches provide seamless wireless integration through wireless controller support, so that mobile devices do not lose connectivity when moving from one AP to another. The wireless network is designed with plenty of overlap to prevent dead spots and to support speeds up to 450 Mbps. The network switches will have RSTP configured (for fast spanning tree convergence), EIGRP (for fast routing convergence), and IGMP snooping with PIM for multicast forwarding that minimizes flooding at OSI layers 2 and 3. All switches also support the current PoE (Power over Ethernet) standards for IP telephones and VoIP, and are modular so that if additional hardware support is needed (such as fiber to another floor) the infrastructure is ready to accommodate it. The following diagram depicts the network design:

Diagram 1: High level network layout.


Table 2: Proposed network IP scheme and associated VLANs

Location/Dept | # of IP Addresses Required | Future Growth (100%) | Rounded Power of 2 | Subnet Bits beyond /16 | Host Bits | Subnet | Usable Host Range
OPR | 21 | 21 | 64 | 10 | 6 | 172.16.16.0/26 | 172.16.16.1-62
NW USA | 32 | 32 | 128 | 9 | 7 | 172.16.11.0/25 | 172.16.11.1-126
SW USA | 32 | 32 | 128 | 9 | 7 | 172.16.12.0/25 | 172.16.12.1-126
NE USA | 32 | 32 | 128 | 9 | 7 | 172.16.13.0/25 | 172.16.13.1-126
SE USA | 32 | 32 | 128 | 9 | 7 | 172.16.14.0/25 | 172.16.14.1-126
M USA | 32 | 32 | 128 | 9 | 7 | 172.16.15.0/25 | 172.16.15.1-126
Network IT | 50 | 50 | 128 | 9 | 7 | 172.16.10.0/25 | 172.16.10.1-126

The subnet bits column counts the bits borrowed beyond the 172.16.0.0/16 summary (10 for a /26, 9 for a /25); the host bits remaining are 6 for a /26 and 7 for a /25, which is what fixes the usable ranges of .1 to .62 and .1 to .126.


Conclusion

The network design presented above will meet all the WWTC requirements for security, availability, fault tolerance, performance, scalability, and modularity. In addition, centralized management provided through a combination of Microsoft Active Directory services (such as DHCP, integrated DNS and role based authentication by group and OU) and AD integrated management of the Cisco infrastructure, leveraging 802.1X and RADIUS services, ensures that all devices within the new network can be centrally managed. This robust infrastructure is highly capable of providing WWTC service for many years into the future.

References

Cisco. (2016). Cisco ASA 5508-X with FirePOWER Services. Retrieved from http://www.cisco.com/c/en/us/support/security/asa-5508-x-firepower-services/model.html

Cisco. (2016). Cisco Catalyst 6500 Series Switches. Retrieved from http://www.cisco.com/en/US/products/hw/switches/ps708/index.html

Cisco. (2016). Cisco Catalyst 6509-E Switch. Retrieved from http://www.cisco.com/c/en/us/products/switches/catalyst-6509-e-switch/index.html

Cisco. (2016). Compare Models. Retrieved from http://www.cisco.com/en/US/products/hw/switches/ps708/prod_models_comparison.html#~tab-e

Cisco. (2016). Interfaces and Modules. Retrieved from http://www.cisco.com/en/US/products/hw/switches/ps708/products_relevant_interfaces_and_modules.html

Cisco. (2016). Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series. Retrieved from http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps4452/product_data_sheet0900aecd803e69c3.html

Cisco. (2016). Cisco Aironet 2600 Series. Retrieved from http://www.cisco.com/c/en/us/products/wireless/aironet-2600-series/index.html


E: Current State of the Network:

This section briefly describes the structure and performance of the network. It should include a high-level network map that identifies the location of connecting devices, the server farm, storage systems and network segments.


F: Design Solution:

Introduction

The WWTC IT resource management plan must include an increase in efficiency so that the IT infrastructure and the users it supports can be managed without requiring accelerated growth of the IT department staff. IT resource management must also be scalable in order to avoid frequent redeployment while growing with the company. The IT resource management plan must also allow for management delegation to address site-specific concerns while at the same time allowing for centralized management. In addition, IT resource management must provide for seamless system integration in order to minimize the amount of training required for both IT staff and company personnel. The Microsoft Active Directory structure based upon Windows Server 2014 is designed to meet all of these objectives.

Discussion

The WWTC Active Directory design should have at its foundation a scalable domain and host naming structure that makes both logical and business sense. The wwtc.com domain would serve as the root domain for the Active Directory network. Underneath the root domain (or AD forest) should be OU names that include the department name. Each host will then be identified by the hostname, followed by the FQDN (Fully Qualified Domain Name) for the local domain. By using this proposed domain naming convention for all hosts on the network, hosts connected to the network can be quickly identified through DNS host name resolution to determine the site where the host is located and the domain to which the host object belongs. Configuration and troubleshooting time and staffing cost savings will be realized immediately when the company moves to this host naming convention. In the long run this host naming convention will prove scalable, so that Active Directory can be extended with a minimum amount of time and effort, avoiding costly Active Directory schema changes.

Active Directory policies that apply to the entire domain or to all OUs will be configured and managed by the root domain System Administrator, and the OUs (Organizational Units) will be configured to inherit these policies from the root domain. System Administrators assigned OU management responsibilities can configure policies that apply to their OU as necessary; however, inherited policies cannot be blocked. Management of this centralized structure will be enhanced by leveraging the IPAM feature in Windows Server 2014, which will enable network administrators to better manage the entire AD network configured using the aforementioned IP address scheme (Microsoft, 2012).

Active Directory user login will be centralized, with two-factor single sign-on (requiring both a smart card and username/password credentials). However, local domain controllers at the NY site will handle login for the domain, and name resolution will be performed within the local site to minimize the downtime that would otherwise be experienced if attempting to log in over a WAN link. In addition, to maximize uptime, the NY office will have two domain controllers configured with AD built-in Failover Cluster Services that will enable access to all services (including over the WAN) should there be a local, catastrophic failure of the servers (Microsoft, 2012).

Company file sharing resources will be managed via DFS (Distributed File System) so that daily logs and status report information can be saved locally and automatically synchronized with headquarters during times when WAN link utilization is low. DFS will also be used to ensure that important company information is immediately backed up to headquarters from all locations (through DFS synchronization). BranchCache will be configured to preserve WAN bandwidth by ensuring that files sent or requested over the WAN multiple times are cached locally, preserving WAN performance and increasing office efficiency (Microsoft, 2013).

Storage resources will leverage Windows security services such as BitLocker to protect valuable WWTC information on both workstations and servers with full drive encryption that automatically unlocks when booting onto the network. To ensure confidential information is protected, cache encryption will also be enabled on systems that store WWTC's most critical information, so that such information is fully protected in compliance with company security policies (Microsoft, 2012).

All user permissions within each OU and the forest will be handled at the group level. Roles for each job description will be defined and entered into Active Directory at the root domain level. The permissions necessary to work within each department will be determined and configured into Global Groups within Active Directory. User accounts that belong to a particular department will then be automatically included, when the account is created, in the Global Groups that carry the permissions necessary to work within the assigned department. The IT department will receive notification from Human Resources when job descriptions change so that permissions are updated as business needs change and advance. Permissions configured on a single-account basis, and the establishment of local groups on a single host on the network (other than for administrative purposes by IT department personnel), are prohibited. By eliminating single-user and local-group administration, the IT burden of managing user and group permissions and permission-related resource access issues will be substantially reduced, saving IT staffing cost, the time and cost to resolve permissions issues, and the time to remediate permission-related security issues. Universal Groups will be employed for a very narrow scope of roles that must have access to resources at all WWTC departments and locations. User accounts that need such access, such as senior executives and root domain IT managers and staff, must belong to Global Groups, and those Global Groups (rather than individual accounts) will be included in the Universal Groups, so that permission to access resources in other OUs is granted according to the role defined for each user account (Microsoft, 2013).
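The group nesting described above (accounts in department Global Groups, a few Global Groups nested into Universal Groups, resources granted to groups only) can be modelled offline to see how effective permissions resolve and to catch the per-account grants the design prohibits. This is an added illustration, not the project's own tooling; the group names, accounts and shares are constructed.

```python
from collections import deque

# Constructed snapshot of the group design in this section: department Global
# Groups (GG_*) hold user accounts; one Universal Group (UG_*) holds the few
# Global Groups that need access across all OUs. All names are illustrative.
GROUPS = {
    "GG_OPR_Users": {"alice", "bob"},
    "GG_NetworkIT_Staff": {"carol"},
    "GG_Executives": {"dave"},
    "UG_Enterprise_Executives": {"GG_Executives", "GG_NetworkIT_Staff"},
}

# Constructed share ACLs: share -> {principal: permission}. The "eve" entry is a
# direct per-account grant, which the design prohibits; the audit below flags it.
ACLS = {
    "OPR_Reports": {"GG_OPR_Users": "Modify", "UG_Enterprise_Executives": "Read"},
    "IT_Configs": {"GG_NetworkIT_Staff": "Modify", "eve": "Read"},
}


def expand_members(group, groups=GROUPS):
    """Resolve the user accounts in a group through any depth of nesting,
    guarding against membership cycles."""
    seen, users, queue = set(), set(), deque([group])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for member in groups.get(g, ()):
            if member in groups:
                queue.append(member)   # nested group: keep expanding
            else:
                users.add(member)      # leaf: a user account
    return users


def effective_permissions(user, acls=ACLS, groups=GROUPS):
    """Map share -> set of permissions the user holds, whether through group
    membership or (against policy) a direct ACE."""
    result = {}
    for share, aces in acls.items():
        for principal, perm in aces.items():
            via_group = principal in groups and user in expand_members(principal, groups)
            if principal == user or via_group:
                result.setdefault(share, set()).add(perm)
    return result


def audit_direct_user_aces(acls=ACLS, groups=GROUPS):
    """List (share, account, permission) ACEs granted to an account instead of
    a group; each one violates the group-only rule of this design."""
    return [(share, p, perm)
            for share, aces in acls.items()
            for p, perm in aces.items()
            if p not in groups]


if __name__ == "__main__":
    for user in ("alice", "carol", "dave", "eve"):
        print(user, effective_permissions(user))
    print("policy violations:", audit_direct_user_aces())
```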

In addition, since scalability is a concern for WWTC, this AD deployment will also include WDS (Windows Deployment Services), set up with preconfigured images that will be delivered over the network for new installations and also leveraged when image redeployment is necessary (such as drive replacement or software damage) (Microsoft, 2012).

Conclusion

Microsoft Active Directory will lower WWTC's total cost of ownership and help the company achieve its IT objectives. When properly configured from the ground up, Active Directory provides nearly effortless scalability. Centrally managed groups at the domain and OU levels minimize cost and effort by decreasing the number of accounts that must be managed (by managing Active Directory groups rather than local user accounts and groups). Single sign-on to access network resources minimizes lost-password administration and maximizes efficiency by assigning permissions to roles that are granted via Active Directory Global Groups. DFS integration with Active Directory ensures that backups are secure and critical information is available at all sites (while being secured by Active Directory enforced permissions). Finally, Active Directory provides seamless integration for new hosts through the Windows NOS (Network Operating System).


References

Microsoft, (2012), Best Practice Active Directory Design for Managing Windows Networks, Retrieved from http://technet.microsoft.com/en-us/library/bb727085.aspx

Microsoft, (2011), How DNS Support for Active Directory Works, Retrieved from http://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx

Microsoft, (2012), Assigning Domain Names, Retrieved from http://technet.microsoft.com/en-us/library/cc731265%28v=ws.10%29.aspx

Microsoft, (2012), How Active Directory Replication Topology Works, Retrieved from http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspx

Microsoft, (2013), Group Policy, Retrieved from http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx


G: Implementation Plan:

Introduction

The IT infrastructure for the users covered by the WWTC IT resource management plan must offer usability that supports the staff. The plan must also be scalable, and it must address concerns that are specific to the WWTC site. Seamless integration of the system is paramount to the success of the plan. Microsoft Active Directory based on Windows Server 2014 will achieve the required goals.

Discussion

The host naming structure should be within the budget of the WWTC Active Directory design. DNS host name resolution will determine the site where the host is located. Much of the time saved by using a good host provider will be realized by those who work for the Host Domain Service.

The Organizational Units (OUs) will be designed to work with the root domain of the host provider. Windows Server 2014 will help to manage and organize the network for the WWTC IT resource management plan (Microsoft, 2012). Active Directory user login will be centralized. The company's filing system will be administered through the Distributed File System (DFS) (Microsoft, 2013).

WWTC is cautious about scalability, so the AD deployment will also include WDS (Windows Deployment Services), set up with preconfigured images that will be delivered over the network for new installations and leveraged for image redeployment where necessary, such as when drives or software are damaged (Microsoft, 2012).


Conclusion

Microsoft Active Directory will lower WWTC's total cost of ownership and help the company achieve its IT objectives. When properly configured from the ground up, Active Directory provides nearly effortless scalability. Centrally managed groups at the domain and OU levels minimize cost and effort by decreasing the number of accounts that must be managed (by managing Active Directory groups rather than local user accounts and groups). Single sign-on to access network resources minimizes lost-password administration and maximizes efficiency by assigning permissions to roles that are granted via Active Directory Global Groups. DFS integration with Active Directory ensures that backups are secure and critical information is available at all sites (while being secured by Active Directory enforced permissions). Finally, Active Directory provides seamless integration for new hosts through the Windows NOS (Network Operating System).


References

Microsoft, (2012), Best Practice Active Directory Design for Managing Windows Networks, Retrieved from http://technet.microsoft.com/en-us/library/bb727085.aspx

Microsoft, (2011), How DNS Support for Active Directory Works, Retrieved from http://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx

Microsoft, (2012), Assigning Domain Names, Retrieved from http://technet.microsoft.com/en-us/library/cc731265%28v=ws.10%29.aspx

Microsoft, (2012), How Active Directory Replication Topology Works, Retrieved from http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspx

Microsoft, (2013), Group Policy, Retrieved from http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx


H: Project Budget

Project implementation plan

This document details the project implementation plan for the design, installation and testing of the WWTC company network. The plan details tasks, sub-tasks, the resources required to complete each task and the estimated time for each task.

Major Project Tasks

The major tasks identified for the project are as follows:

- Network design
- Acquiring of required hardware and software
- Network security design and implementation
- Network hardware installation and configuration
- Software installation and configuration
- Security policy

Plan detail (tasks, schedule, resources and budget):

1. Network design – this is the initial phase of the plan, which includes the physical and logical network design of the offices and deciding on the location of critical ICT infrastructure such as DNS servers, Active Directory server, file, web and print servers, firewalls, routers and client machines.

Sub-tasks
- Physical network design
- Logical design

Activities
- Site visits
- Sketch
- Team meetings
- Network simulation using software
- Deciding required software and hardware

Resources
- Network engineers
- Computers, printers and simulation software
- Writing materials

Estimated budget
$70,000 USD

Estimated time
2 weeks

Deliverable
Complete physical and logical design diagrams

2. Acquiring of required software and hardware

Procuring of the following devices: servers (47), switches, routers, firewalls, network operating systems, application software, client OS, printers, PCs, CAT-6 cables.

Activities
- Procurement team meetings
- Travelling
- Market survey

Budget
$50M USD

Estimated time
1 week

Deliverable
All software and hardware transported to site

3. Network security design

Sub-tasks
- Physical security design
- Software security design

Activities
- Choosing security protocols and encryption mechanisms
- Deciding on security software configurations
- Physical security design

Deliverable
Secure network configuration design

Resources
- Network security hardware (firewalls)
- IT security analyst
- Network security software

Budget
$45,000 USD

Estimated time
4 days

4. Network hardware installation and configuration

Sub-tasks
- Installing DNS, file, Active Directory, print, DHCP and web servers
- Install Active Directory server
- Configuring DHCP server
- Install and configure firewall
- Install and configure switches and routers
- Install desktops
- Install printers
- Install and configure wireless access points (Cisco Aironet 1250 Series)
- Installing Cisco phones (Cisco IP Phone 8800 Series)
- Cabling

Resources
- Network engineering team
- Software installation team
- Networking hardware and software
- Application software
- Operating systems software

Deliverables
- Installed servers
- Installed computers, printers
- Fully connected network

Budget
$1M USD

Estimated time
14 weeks

5. Software installation and configuration

Sub-tasks
- Installing server operating systems
- Installing firewall operating systems
- Install client machine operating systems
- Configuring VPN
- Installing VoIP software
- Configuring VoIP (Cisco phones 8800 series)
- Installing and configuring mobile device management software
- Configuring Active Directory server
- Configuring file and print servers
- Configuring print server and printer sharing

Deliverables
- Installed network and client operating systems
- Shared printers, group policy, and files
- Functioning Cisco phones
- Secure tunnel (VPN)
- Installed application software

Resources
- Software installation teams
- IT security software
- Server operating systems
- Firewall operating system
- Installed network hardware

Budget
$300,000 USD

Estimated time
8 weeks

6. Security policy formulation

This task involves the formulation of an IT security policy, which will be followed by employees in the use of all ICT resources. The policy aims at securing IT resources against accidental and malicious actions by employees, customers or suppliers.

Sub-tasks
- Review existing security policies (COBIT-5, NIST, ISO-27001)
- Choose compliance body
- Write policy recommendations
- Educate staff on policy recommendations

Resources

Policy review team

Deliverables

- Policy document
- Educated staff

Budget

$15,000 USD

Estimated time

3 weeks

Project schedule
