Running head: COMPREHENSIVE AAP 1
Melvin Dickerson
CMIT 495
Comprehensive AAP
7/10/16
Executive Summary
WWTC is opening a new regional office in New York City and they will lease one floor
of a building on Wall Street in order to support aggressive growth in their organization. WWTC
has hired an IT director to set up a state of the art network by the end of 2016. The new network
will be designed to support the following business requirements: increase revenue from $10
billion to $40 billion in three to four years, and reduce the operating cost from 30 to 15 percent in
the next two to three years by using an automated system for buying and selling. WWTC needs a
fast, secure, and reliable network in order to support current and future growth and requirements.
WWTC needs a network that will support the following goals: provide a secure means of customer purchase and payment over the Internet, allow WWTC’s employees to attach their notebook (laptop) computers to the network to access WWTC’s resources, provide a state of the art voice and data network, provide fast network services, and provide fast and secure wireless services in the two conference rooms and the lobby to accommodate WWTC’s employees and guests.
Project Goal
The primary goal of the network design project is to design and implement a fast, reliable, and secure network. The new network will ensure that WWTC has increased revenue, reduced operating costs from using an automated system for buying and selling, a secure means of customer purchase and payment over the Internet, and a state of the art network design at the New York City office. It will solve the current security problems in order to keep sensitive information out of the wrong hands, and it will be modular and scalable to accommodate future business growth.
Project Scope
This project will design and implement a new network for WWTC’s NY office. The extent of this project will affect all departments (VP OPR, VP NW USA, VP SW USA, VP NE USA, VP SE USA, and VP M USA) at the new office, and the design is a single LAN for a single floor of the Wall Street building. The new network will address the following items: a new IP addressing design, enhanced security measures on key applications and servers to mitigate or reduce security risks, integration of voice and data to reduce costs, fast and secure wireless network access for WWTC’s users and guests in the lobby and conference rooms of the office, and a new Active Directory design.
Design Requirements
The new network will support the following business and technical requirements:
Business Requirements
Increase revenue from 10 billion to 40 billion in three to four years.
Reduce the operating cost from 30 to 15 percent in two to three years by using an automated system for buying and selling.
Technical Requirements
Provide a secure means of customer purchase and payment over the Internet.
Allow employees to attach their notebook computers to the WWTC network and Internet services.
Provide a state of the art VoIP and data network.
Provide faster network services.
Provide fast and secure wireless services in the lobby and two large conference rooms (100x60).
WWTC’s LAN Requirements
Provide a modular, scalable network.
Provide redundancy at the building core, distribution, and access layers to avoid a single point of failure.
For building access, provide redundant uplink connections to the distribution layer.
Provide an IP addressing redesign that optimizes IP addressing and routing, along with provisions to implement IPv6 in the future.
Provide aggregate routing protocols with a hierarchical IP scheme.
Use NAT to reduce the number of assigned IP addresses.
Centralize all services and servers to make the network easier to manage and more cost-effective.
Provide LAN speed minimum 100 MB and Internet speed minimum 54 MB.
Provide extra capacity at switches so authorized users can attach their notebook PCs to the network.
Standardize on TCP/IP protocols for the network. Macintoshes will be accessible only on guest notebooks but must use TCP/IP protocols or the AppleTalk Filing Protocol (AFP) running on top of TCP.
Install DHCP software to support notebook PCs.
WWTC VoIP Requirements
Integrate the voice and data networks to reduce cost. Use IP phones to remove reliance on phone lines as much as possible.
Provide 100% connectivity with a minimum number of outside lines.
Provide provisions for video conference and multicast services.
WWTC’s Wireless Network Requirements
Provide wireless network access to network users and guest users in a limited area (lobby and conference rooms) by using directional WAPs.
In the conference rooms and the lobby, the user will get a minimum of 54 Mbps of bandwidth.
Provide fast and secure wireless services in the lobby and two large conference rooms.
Use open authentication for the public-facing wireless access and 802.1x for wireless access in the conference rooms.
Allow employees to attach their notebook computers to the WWTC network and Internet services.
Use the 802.1x RADIUS server to point to a NAP server to ensure that outside computers meet certain requirements before connecting to the network.
WWTC’s Active Directory Requirements
Implement a highly developed OU structure and implement security policies via GPOs at all domains, OUs, and workstations.
Implement VeraCrypt drive encryption for all servers, workstations, and laptops’ drives so that non-Windows devices will be encrypted.
Create and implement GPO policies to enforce either full encryption or used disk space only when BitLocker is enabled on a drive.
Implement BranchCache on Windows Server 2014 to enhance and improve network performance, manageability, scalability, and availability.
Implement Cache Encryption to store encrypted data by default.
Implement Failover cluster services.
Implement the File Classification Infrastructure feature to provide an automatic classification process and to classify files according to level of sensitivity: top secret, secret, or confidential.
Implement IPAM to administer and manage IP addresses on WWTC’s network.
Implement Windows Deployment Services to enable remote deployment of Windows operating systems.
Implement secure backups in the event of a disaster to minimize downtime. This would include RAID arrays on servers, volume shadow copies and incremental backups for workstations, and remote backups for servers to include Active Directory and file contents.
WWTC’s Security Requirements
The network design will solve the following security problems that were identified at other WWTC offices:
E-mail had been inappropriately used at times to communicate business-sensitive information.
Confidential business information and public data were connected to the same physical network.
End-user systems had inappropriately housed confidential data that should have resided only on servers. In addition, some of the end-user systems were found to be laptops, which had left the facility in clear violation of security policies.
Some logical control systems were found to rely on username and password combinations only.
Some sensitive business information was found to be transmitted in clear text between server and client.
These are the security requirements that will solve the issues listed above:
Internet connectivity and any other unclassified network must be physically separate from the network.
The classified network must be physically secure to prevent any access to the classified network’s data. Controls should be put in place to prevent local users from removing data from the systems in any way. This includes removable media, AV recorders, pen and paper, and any form of printer.
All data transmitted on the classified network must be cryptographically protected throughout the network.
All classified data must be centrally stored and secured in a physically separate area from the unclassified network.
All data crossing wide-area links should undergo another layer of cryptographic protection such as IPSec/VPN/SSL.
All public servers must be configured for HTTPS connections, accept only requests from valid IP addresses that pass through the firewall, and require some form of identity from the connecting party.
Implement a DMZ for areas that can be accessed from the Internet, such as email and file servers.
Use firewalls and IPS and IDS systems to detect and prevent malicious traffic.
For site-to-site VPN tunnels, all devices must be mutually authenticated and cryptographic protection should be provided.
For PSTN dial-up, dial-up clients must authenticate with username and OTP.
New WWTC Applications
Microsoft Office 2014
Sending and receiving e-mail
Surfing the Web using Netscape or Microsoft’s Internet Explorer applications to access information, participate in chat rooms, and use other typical Web services
Accessing the library card-catalog File Server application
Custom/In-House Applications
Market Tracking Application: This application will provide real-time status of the stock and bond markets to brokers and their clients.
Stock and Bond Analytical Application: This application will provide analysis of stocks and bonds to brokers only.
On Line Trading: WWTC wishes to train new clients in online trading to attract new customers. WWTC will sign up new clients to receive streaming video and instructions.
Current State of the Network
This diagram depicts the current state of WWTC’s network at other regional offices. The current network has several issues identified in audits: (a) email had been inappropriately used at times to communicate business-sensitive information, (b) confidential business information and public data were connected to the same physical network, (c) end-user systems had inappropriately housed confidential data that should have resided only on servers, and some of the end-user systems were found to be laptops, which had left the facility in clear violation of security policies, (d) some logical control systems were found to rely on username and password combinations only, and (e) some sensitive business information was found to be transmitted in clear text between server and client.
Design Solution
Proposed Network Topology
Item Name, Description, and Roles (device icons omitted)

Cisco ASR 1001 Edge Router
Description: These routers sit at the edge of the WWTC network, connecting the company to the WAN Internet Service Provider links. Delivers high-performance throughput with services turned on, enabling deployment agility in high-end enterprise branch, WAN edge, and managed services.
Roles:
1. Managed services, including VPN and firewall
2. Provides WAN aggregation and secure, encrypted WAN connectivity
3. Provides WWTC with Deep Packet Inspection (DPI)

Cisco IPS 4270
Description: These Intrusion Prevention Systems monitor IP traffic within WWTC's network.
Roles:
1. An online network security appliance
2. Protects the WWTC network from worms, viruses, and malicious traffic while maintaining business continuity
3. Detects threats to intellectual property and WWTC customer data
4. Reduces the time and effort required to implement and update security measures

KG175D High Assurance IP Encryption
Roles:
1. Encrypts WWTC traffic from geographically separated locations
2. Ethernet, IPv4/IPv6 dual-stack compatible

Cisco Access Control System
Description: WWTC's centralized identity and access policy solution with network access policy and identity strategy.
Roles:
1. WWTC-managed access policy device that defines policy rules in both IPv4 and IPv6 networks
2. Integrates with external identity and policy databases, including WWTC's Windows Active Directory, to control network access
3. Provides standards-compliant Authentication, Authorization, and Accounting (AAA) services to the WWTC network for VPN and wireless

McAfee Server
Description: Provides WWTC security to prevent malware, exploitation, reconnaissance, denial of service, loss of data, and intrusions, and is managed.
Roles:
1. Provides VirusScan Enterprise
2. Integrates Host Intrusion Prevention (HIPS)
3. Prevents data loss with Data Loss Prevention

Cisco ASA 5500 Firewall w/IPSec
Description: The Cisco ASA firewall will protect WWTC networks and its data centers. It provides users with highly secure access to data and network resources, anytime.
Roles:
1. Offers integrated IPS, VPN, and Unified Communications capabilities
2. Helps WWTC increase capacity and improve performance through high-performance, multi-site, multi-node clustering
Proposed Network Topology Icon Explanation
LAN Solution
WWTC will use the 172.0.0.0/20 address block, which should accommodate every device along with capacity for 100% growth. To begin, the designer will separate the subnets along the division of job title, since those jobs will share resources and policies. For example, there are policies that will need to be applied to staff that will not be applicable to brokers. The next step was to determine the number of devices currently in place for the office: the four reception offices can hold a maximum of 14 devices each between wired and wireless connections. This allows for multiple devices per person needing access to what will be the guest network, and gives an immediate total of 56 connections. To make room for 100% growth, a subnet will be created to handle an assumed total of 112 devices. To create this subnet, the design must use the 128 place in the last octet. Since we have started at the bottom of our address range at 172.0.0.0, we begin our division in the last octet. We take the first three octets as network bits and then add the 128 bit as a network bit to denote that the only changes being made are to the last 7 bits of the last octet. This gives the address range 172.0.0.0 – 172.0.0.127, since we cannot change the 128-bit portion. We can also denote this as 172.0.0.0/25, since we have 25 network bits. We now repeat this process for our other divisions.
For VoIP, a chart in the appendix specifies that WWTC needs 94 IP-connected (VoIP) phones. Doubling that, there is a need to accommodate 188 phones, so a full octet must be used. Since the VoIP phones will be static and should not encroach upon other divisions that may need to be added in the future, this subnet is placed in the upper ranges of the given 172.0.0.0/20 block. The /20 shows that there are 20 network bits, which use the first two octets and the first four bits of the third octet. This means that only the last 4 bits of the third octet (8, 4, 2, and 1) and the whole fourth octet can change, giving the highest address of 172.0.15.255. For VoIP, we chose the range 172.0.13.0/24, since we will need the entire final octet for the possible 188 phones. For the conference rooms, we assume a maximum capacity of 10 in each, for 20 devices, and must accommodate 40 for the future. For the staff, we counted the desks in the design, giving us 48 connections needed. For our printers, we are told that there are currently 20. For the servers we have a given 40 devices plus an additional 7 that will be used for DNS, DHCP, and Active Directory; we must double that to 94 servers for future networking needs. We use the given diagram to determine our needs for the managers and brokers as well. For the executive segment, we used the given number of devices needed for the current executive offices and extended that into the vacant offices, assuming that any new executive will sit in one of those. This gives a total of 26 currently needed addresses, with 52 to be provided for future growth.
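The subnet sizing described above (double each division's device count, pick the smallest prefix that holds the result, carve from the bottom of 172.0.0.0/20, and pin VoIP high in the block at 172.0.13.0/24) can be checked in code. The script below is an added example and is not part of the original design document. The device counts are the ones quoted in the text; the placement order for the unpinned divisions (largest subnets first, ties in the order listed) is an assumption made for the example; it uses only Python's standard ipaddress module.

```python
import ipaddress

# The paper's address block and the current device counts it cites per division.
# "growth" doubles every count, matching the 100% growth provision in the text.
SUPERNET = ipaddress.ip_network("172.0.0.0/20")
CURRENT_COUNTS = {
    "guest": 56,        # four reception offices x 14 devices
    "voip": 94,         # IP phones (appendix count quoted in the text)
    "conference": 20,   # two rooms x 10 seats
    "staff": 48,        # desks counted on the floor plan
    "printers": 20,
    "servers": 47,      # 40 servers + 7 for DNS, DHCP and Active Directory
    "executive": 26,
}
# The paper pins VoIP at 172.0.13.0/24, high in the block, away from future divisions.
PINNED = {"voip": ipaddress.ip_network("172.0.13.0/24")}


def prefix_for(hosts):
    """Longest prefix (smallest subnet) whose usable hosts (2^n - 2) cover `hosts`."""
    for prefix in range(30, -1, -1):          # /30 is the smallest net with 2 usable hosts
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in IPv4")


def describe(net):
    """First address, last address and usable-host count, as the paper states them."""
    return (str(net.network_address), str(net.broadcast_address), net.num_addresses - 2)


def plan(supernet=SUPERNET, counts=CURRENT_COUNTS, pinned=PINNED, growth=2):
    """Carve one subnet per division out of `supernet`, bottom-up, honouring pinned nets.

    Divisions are placed largest-first (stable for equal sizes, so 'guest' keeps the
    bottom of the range as the paper describes). Each candidate is aligned to its own
    size and skipped if it overlaps a pinned or already-allocated subnet.
    """
    allocated = dict(pinned)
    base = int(supernet.network_address)
    cursor = base
    unpinned = [name for name in counts if name not in pinned]
    for name in sorted(unpinned, key=lambda n: prefix_for(counts[n] * growth)):
        prefix = prefix_for(counts[name] * growth)
        size = 2 ** (32 - prefix)
        while True:
            # Round the cursor up to the next multiple of the subnet size.
            aligned = base + -(-(cursor - base) // size) * size
            candidate = ipaddress.ip_network((aligned, prefix))
            if not candidate.subnet_of(supernet):
                raise ValueError(f"{supernet} exhausted while placing {name}")
            if any(candidate.overlaps(other) for other in allocated.values()):
                cursor = aligned + size       # step over the conflicting block
                continue
            allocated[name] = candidate
            cursor = aligned + size
            break
    return allocated


if __name__ == "__main__":
    for name, net in plan().items():
        first, last, usable = describe(net)
        print(f"{name:<11} {str(net):<18} {first} - {last}  ({usable} usable)")
```

Running it reproduces the two subnets the text works out by hand (guest at 172.0.0.0/25 with usable range .1 to .126 and VoIP at 172.0.13.0/24) and places the remaining divisions without overlap; changing a count in CURRENT_COUNTS shows immediately whether the /20 still holds everything at 100% growth.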
In order for the two core layer routers to communicate and exchange routing information, the EIGRP routing protocol will be implemented. EIGRP is a distance vector routing protocol that will allow the two core routers to pass routing information between each other and build their routing tables. Both of the core layer routers will be configured with EIGRP as the routing protocol in order to keep copies of the neighboring routers’ routing tables, and will be able to query these tables to find the best route, with the lowest cost, for packets transmitted over the wire. By default, EIGRP auto-summarizes routes at each network boundary. Such route summarization points will include: 172.16.0.0/30, 172.16.0.4/30, 172.16.0.8/30, 172.16.0.12/30, 172.16.0.16/30, and 172.16.0.20/30.
Wireless Solution
The design of the wireless network should provide a very fast and secure wireless connection in the lobby as well as the two large conference rooms in the organization. For efficient, full Wireless Access Point (WAP) coverage of the lobby and the two conference rooms, and because the target areas are located apart within the office, a Cisco Aironet 1250 Series WAP will be configured in each of the rooms and the lobby. The Aironet 1250 is an ideal choice for the conference rooms due to the heavy bandwidth usage from the voice, data, and video applications used in these areas. The WAP is also a dual-band device with multiple channels, capable of limiting channel overlap during high traffic usage, and it supports rogue access point detection, can detect malicious users, and alerts the administrator. A Cisco 4400 Series Wireless LAN Controller will be added to provide a single management point for real-time communication to and from the WAPs and will deliver centralized security policies, intrusion detection and prevention capabilities, quality of service, and efficient mobility services.
The WLC connects to the access layer PoE switches and is configured with three VLANs: WWTC employee, WWTC guest, and voice for wireless phones. In order to ensure maximum bandwidth and reduce RF interference, these APs will be placed in the center of each location and will be configured to use 802.11g (which supports the 54 Mbps bandwidth requirement) on the 2.4 GHz frequency. The 2.4 GHz frequency is the best frequency to use since other devices such as microwaves use the 5 GHz frequency, and if the APs used the 5 GHz frequency there would be a risk of RF interference. The APs are going to be mounted at each end of the two conference rooms and the lobby area instead of overhead so that they do not negatively affect each of the rooms’ aesthetics. To maximize channel and bandwidth usage, the APs will be installed eight feet from the floor in each room and will face downward at 40 degrees. The antennas will be directional in order to ensure adequate coverage, and the APs in the two conference rooms will use separate channels (channels 6 and 11) in order to prevent similar channels from interfering with each other at the overlapping point. The lobby APs will be placed at each end, eight feet from the floor, facing downward at 40 degrees. Both antennas will be directional in order to ensure adequate coverage, and they will use separate channels (6 and 11) to mitigate channel interference.
For security, all of the access points will use 802.1x (WPA2 Enterprise) authentication, where all WWTC users and guests must provide their username and password (guests will be provided a temporary username and password) before authenticating onto the WLAN. The 802.1x standard also features encryption via EAP. This ensures confidentiality, since unauthorized users, such as a war driver using a packet sniffer to view data transmitted over the WLAN, cannot view the data. VLANs will be configured on the WLC to separate traffic on the WLAN. The names of the VLANs are: WWTC employees, WWTC guests, and voice. Employees in WWTC’s NYC office will be on the WWTC employees VLAN, external users who need to access WWTC’s WLAN at any of the three locations will be on the WWTC guests VLAN, and the voice VLAN will be configured to handle wireless phone communication.
VoIP Solution
A VoIP solution will be implemented in order to reduce costs and maintain 100% connectivity. The VoIP implementation must also be scalable to provide for future growth and have fault tolerance. The New York office will need to separate VoIP from the data network to prevent interference on the lines and congestion over the network. When carried on the same segment as data, VoIP traffic will suffer from reduced bandwidth whenever there are delays or other issues on the network. By keeping VoIP on its own dedicated VLAN, these issues will be avoided. The VLAN will also make it easier for administrators to manage the VoIP network. Unified Communications Manager can be used to both monitor and manage IP telephony and video services throughout WWTC. The Cisco Business Edition 6000 offers most elements of the Unified Communications Manager console, including VoIP and video messaging services.
Outside telephone lines will be provided through public switched telephone network (PSTN) channels. WWTC’s executive staff and brokers will be making commercial calls outside of the organization and will need PSTN phone lines. Due to the number of users (around 28) and the expected heavy call volumes, it is estimated that executive staff and brokers will need about six PSTN channels at a 5:1 person-per-channel ratio. For redundancy, voice-network dial peers can be established to maintain 100% connectivity. To ensure PSTN redundancy, WWTC should consider purchasing two geographically separated SIP trunk entry points from the PSTN provider, use two IP addresses (one primary and one secondary) for the trunks, and terminate each onto a different device. This will ensure that if one link fails, the other will pick up the slack and WWTC NY branch office users will be able to continue making outside calls regardless of a single trunk entry failure.
Security Solution
WWTC will implement a security solution that will protect their NY office’s network from the
following attacks: reconnaissance attacks, access attacks, Denial of Service (DoS), and worms,
viruses and Trojans. This solution will enable the office to provide high availability by means of
mitigating these attacks through technology and organizational practices, while maintaining
confidentiality and integrity to prevent the network from compromise. The solution will be used
to mitigate and/or reduce the following security risks:
Reconnaissance Mitigation
Unauthorized users, such as hackers looking to gain information about WWTC’s network, are a serious threat. The use of packet sniffers, port scans, ping sweeps, and information queries on the Internet are several ways in which reconnaissance of the network could occur. Mitigation of reconnaissance attacks can be accomplished using several tools, such as firewall implementation, strong authentication techniques, cryptography, a switched infrastructure, and anti-sniffer tools.
WWTC will use a firewall to prevent ping sweeps, port scans, and other types of network probing. Inclusion of a Cisco IOS based firewall provides adequate protection at this level; however, there is the possibility that other network resources may be affected while mitigating damage. The Cisco 4270 Intrusion Prevention System (IPS) is also included, as it is designed to provide countermeasures to these types of attacks.
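As an added illustration of the detection side of this mitigation (not part of the original paper, and not a Cisco IOS or IPS feature), the Python script below reads firewall-style log lines and flags the two reconnaissance patterns named above: a ping sweep (one source touching many hosts with ICMP) and a port scan (one source touching many distinct ports on a single host) inside a one-minute window. The log format, the thresholds, and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log format: "<ISO timestamp> <ALLOW|DENY> <src> <dst> <proto> <dport>".
# It is not real Cisco ASA/IOS syslog; adapt the regex to the firewall actually deployed.
LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+) (TCP|UDP|ICMP) (\d+)$")


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, proto, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action, "src": src,
            "dst": dst, "proto": proto, "dport": int(dport)}


def detect(lines, window_seconds=60, sweep_threshold=8, scan_threshold=10):
    """Return sorted alerts as (kind, src, dst, count) tuples.

    Events are grouped into fixed windows of `window_seconds`; a ping sweep is one source
    reaching >= sweep_threshold distinct hosts with ICMP, a port scan is one source reaching
    >= scan_threshold distinct TCP/UDP ports on one host. Fixed windows are simple but can
    split a slow probe across two buckets, so thresholds should be tuned per site.
    """
    sweeps = defaultdict(set)   # (src, bucket) -> hosts probed with ICMP
    scans = defaultdict(set)    # (src, dst, bucket) -> distinct TCP/UDP ports touched
    for ev in filter(None, map(parse, lines)):
        bucket = int(ev["ts"].timestamp()) // window_seconds
        if ev["proto"] == "ICMP":
            sweeps[(ev["src"], bucket)].add(ev["dst"])
        else:
            scans[(ev["src"], ev["dst"], bucket)].add(ev["dport"])
    alerts = []
    for (src, _), hosts in sweeps.items():
        if len(hosts) >= sweep_threshold:
            alerts.append(("ping_sweep", src, "*", len(hosts)))
    for (src, dst, _), ports in scans.items():
        if len(ports) >= scan_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    return sorted(alerts)


def build_sample_log():
    """Constructed sample, not a real capture: 10.9.9.9 pings 12 hosts and probes 16 ports
    on 172.0.1.5, mixed with ordinary allowed traffic and one malformed line."""
    t0 = datetime(2016, 7, 10, 9, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} DENY 10.9.9.9 172.0.2.{i} ICMP 0"
             for i in range(1, 13)]
    lines += [f"{(t0 + timedelta(seconds=20)).isoformat()} DENY 10.9.9.9 172.0.1.5 TCP {port}"
              for port in range(20, 36)]
    lines += [
        f"{(t0 + timedelta(seconds=5)).isoformat()} ALLOW 172.0.0.20 172.0.1.5 TCP 443",
        f"{(t0 + timedelta(seconds=7)).isoformat()} ALLOW 172.0.0.21 172.0.1.6 TCP 80",
        f"{(t0 + timedelta(seconds=9)).isoformat()} ALLOW 172.0.0.21 172.0.1.5 ICMP 0",
        "malformed line that the parser must skip",
    ]
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The sample yields exactly two alerts, both for 10.9.9.9, while the ordinary clients stay below threshold; in practice the alerts would be forwarded to the network management tool or SIEM rather than printed, and the denied-traffic source would be a candidate for a firewall block.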
Access Attack Mitigation
In access attacks, intruders attempt to gain access to the network or escalate privileges to perform inside attacks. Password and man-in-the-middle attacks are common means of performing access attacks. To prevent password attacks, WWTC will use Active Directory password policies and configurations to develop rules that require users to create strong passwords of at least 10 characters, add complexity by including special characters, and enforce a three-month limit before a password must be changed. Two-factor authentication will be integrated into the WWTC network with username and password access plus a smart card with PIN. This is the standard for access to the network and its resources. Mitigation for man-in-the-middle attacks requires cryptographic encryption. SHA-1 hashes will be used, as its large digest size of 20 bytes makes it difficult, or at least unlikely, that two messages through a secure transmission will have the same SHA-1 signature.
DoS Mitigation
Denial of Service attacks harm networks by flooding targeted devices and components with an overload of traffic that subsequently denies all users and customers access to network resources. WWTC will need to be able to filter incoming traffic before it reaches the firewall or other network devices, as they do not provide sufficient protection from such attacks. The Cisco Guard XT device will be installed to mitigate DoS attacks through a layered five-module process:
Filtering – Dynamic filters detail the flow of traffic and provide live updates that continually increase verification for suspicious traffic and block traffic that has been identified as suspicious.
Active Verification – Verifies that the packets entering the network have not been spoofed. Mechanisms are also in place to validate legitimate packets and prevent verified traffic from being discarded.
Anomaly Recognition – Monitors all traffic not stopped by the dynamic filters or active
verification, compares it to baseline behavior recorded over time, and searches for any
kind of deviations that would identify malicious packets. This is based on the principle
that the pattern of traffic originating from a "black-hat" daemon residing at a source
differs dramatically from the pattern generated by legitimate sources during normal
operation. This principle is used to identify the attack source and type, as well as to
provide guidelines for blocking traffic or performing more detailed analysis of the
suspected data.
Protocol Analysis – Will process the flows that the anomaly recognition module deemed
suspicious in an effort to identify application-based attacks, such as HTTP error attacks.
Other misbehaving protocol transactions are also identified.
Rate Limiting – Further enforcement that prevents overwhelming of a target by
misbehaving flows while performing further detailed monitoring. Traffic flow is shaped
and resource-eating sources that use up too much time are penalized.
Worms, Viruses, and Trojan Horses Mitigation
Worms, viruses and Trojan horses pose significant harm to WWTC’s network if not
protected against. All users in WWTC will be required to undergo training on how to
identify threats, to include malicious emails, phishing attempts, software downloads that
may contain worms or viruses, and use of portable devices on the network. Users are
also expected to read and understand WWTC security policies concerning worms, viruses
and Trojans as they are designed to prevent introduction of these threats to the network.
WWTC will provide a server hosting McAfee antivirus software to mitigate the threat of
worms, viruses and Trojans. In addition, regularly scheduled updates will be in place to
keep up with new, emerging threats and keep all network clients up to date. Updates and
scans will be run after work hours to prevent slowdown for WWTC users.
Active Directory Solution
WWTC’s NY office needs to have Active Directory in order to simplify day-to-day IT support, such as password resets, since the office is largely autonomous and has few IT personnel. This Active Directory design will support the following requirements: greater workstation, server, and laptop security, and simplified administration for WWTC’s IT staff. The solution will have the following features. BitLocker drive encryption will protect sensitive information stored on the hard drives of WWTC’s workstations, servers, and laptops from being compromised in the event of hard drive theft. All group policy settings will be based on the security policies to ensure adequate user account security. Cache Encryption will be implemented to store and encrypt sensitive information on the servers. Smart card authentication will be implemented, requiring WWTC’s NY office users to use their smart cards and PINs to gain access to network resources. A file classification system will be implemented and used to classify files according to their level of sensitivity.
Network Management
A network management tool that will best suit WWTC’s NY office is Network
Performance Monitor (version 12) from Solarwinds. This tool has features such as performance
metrics for wireless networks, Web-based network monitoring dashboards, monitors network
hardware for issues such as high CPU temperature or faulty power supplies, configure network
baselines, perform packet captures to analyze and troubleshoot issues, and generate custom
network performance reports to further analyze for issues in the new network (Solarwinds, 2016,
p. 1). This tool will help to take the load off of the network administrators since it will allow
them to focus on issues such as making sure that the network continues to support and meet the
desired requirements along with gathering information of network issues before the end users
begin to call the service desk and complain. Since this tool monitors for network issues, the
number of service desk complaints will also drop since the administrators can troubleshoot in a
short amount of time.
Implementation Plan
Project Schedule
DATE COMPLETED    PROJECT MILESTONE
July 8            Business and design requirements identified for network, security, and Active Directory implementation.
July 15           Preliminary network design submitted for WWTC’s review.
July 22           WWTC requests network design modifications.
July 29           Preliminary security design submitted for client review.
August 5          WWTC receives requests for security design modification.
August 12         Preliminary Active Directory design submitted for client review.
August 19         Active Directory design modification requests received from client.
August 26         Final designs (network, security, Active Directory) submitted to WWTC along with employee training plan.
September 2       Network equipment and WAN links purchased from vendors and service providers.
September 16      All network equipment will be onsite and accounted for.
September 23      Installation of WAN links completed.
October 7         Installation and configuration of network infrastructure devices completed at the first floor of WWTC’s NY office. Security controls enabled on the devices.
October 15        Performance testing completed at the first floor of WWTC’s NY office.
October 22        Active Directory configuration and implementation completed. WWTC NY office’s IT personnel have been trained on the new network devices.
November 4        WWTC has completed a preliminary audit of network, security, and Active Directory implementations.
November 18       Modification requests due from WWTC.
November 25       WWTC’s modification requests completed.
December 9        Support for network, security, and Active Directory implementations ends.
Plan with Vendors
In the weeks leading up to September 2nd in the project schedule, WWTC will begin purchasing equipment from the following vendors: Microsoft, Cisco, HP, and Dell. From Microsoft: 133 licenses for McAfee Anti-virus for 89 computers and 44 servers, 87 licenses for Microsoft Office 2014, and Microsoft Exchange. From Cisco: 94 VoIP phones, one Cisco Unified Communications call manager system, a voice gateway, three Cisco Catalyst 4510R+E access layer switches, three Cisco Catalyst 6503-E distribution layer switches, three Cisco ASR 1001 core layer routers, one Cisco ASA 5500 firewall, four Cisco IPS 4270 sensors, and the Cisco Access Control System. From HP: WWTC will purchase nine HP ProLiant DL380 servers, an HP StorageWorks EVA4400 AG637BR hard drive array SAN, and 20 HP Color LaserJet Pro MFP printers. From Dell: 87 Dell 22” monitors, 20 E-Port Plus docking stations, 20 laptops with Windows 10 installed, and 55 Precision Tower 3000 Series workstations with Windows 10 installed. For WAN links, WWTC will purchase links from Verizon (150x150 Mbps T-1 link) and AT&T (to connect to their metro Ethernet network). After WWTC has the equipment onsite at the NY office, they will conduct an inventory to check whether anything is missing and, if so, notify the vendor of the issue.
Outsourcing Network Management
WWTC will hire EarthLink, a network services provider, to supply network management
services: (a) network threat monitoring and defense; (b) network diagnostics to confirm that the
new network supports WWTC's business requirements; and (c) performance monitoring through
tools such as myLink. This lets WWTC's IT staff concentrate on strategic and critical priorities
instead of daily maintenance, and EarthLink will also run security diagnostics to identify and
mitigate vulnerabilities in the newly implemented network (Earthlink, 2016, p. 1). Because this
gives a third party monitoring access to WWTC's network, the contract must define what
EarthLink may see and change, and its staff should use separate, auditable accounts rather than
shared administrator credentials.
Communication Plan
Since WWTC will be implementing a new network at the NY office, there must be close
collaboration between management, network administrators, and end users. The network
design document will be distributed to WWTC's management, network administrators, and end
users. As the design and implementation proceed, the network administrators will report the
status of each task, such as completion of the network infrastructure configuration and of
testing, to management and the end users. If risks or issues arise, such as missing equipment,
the administrator will immediately notify the manager in charge of the phase, and the manager
will then contact the vendor. Every week, management and the network administrators will
meet for status updates and to track the budget in order to prevent overspending.
Training Plan
During and after the network implementation, the consultant will train WWTC's network
administrators on the specific tools, equipment, and device configurations used in each
implementation phase. The IT consultant will purchase configuration manuals for the
administrators from the vendors and set up online classes that apply to each implementation
phase. The administrators will be offered online classes on LAN, security, and Active Directory
configuration. For example, before the end of the LAN phase, the administrators will be trained
on configuring the routers and switches. For security, they will be trained on configuring,
implementing, and maintaining strong security measures on the network devices. For Active
Directory, they will be trained on configuring and implementing group policies along with the
Active Directory structure. WWTC's end users, on the other hand, will be trained before the
project's completion, with the focus on security policies such as password complexity and
proper use of computers. The consultant will work with WWTC to establish online classes for
the end users on acceptable use policies and security best practices.
Measuring the Effectiveness of the Design after Implementation
After implementation, the network administrators will monitor the entire network (LAN,
Active Directory, and security) for design issues such as a misconfigured IP address or VLAN.
If such issues arise, the design and device configurations will be modified and the change
documented, for example a different IP address or a different VLAN name, so that the design
documents continue to match what is deployed. The administrators will then conduct additional
assessments of the newly implemented network to verify that it meets WWTC's requirements,
such as reviewing the security configurations on the devices (firewall rules, port security,
DHCP snooping, VLAN assignments) against WWTC's security policy and recording any
deviation for remediation.
Project Risks
The network implementation can be delayed due to the following issues:
Missing equipment;
Administrator turnover;
Executives may not support some project objectives;
Key executives may leave WWTC;
Project scope creep;
Device misconfigurations;
Budget overspent or inaccurate budget estimates;
Lack of communication between network administrators;
Faulty equipment;
Security breach occurs when a phase is implemented;
Network outages or down links;
Network does not support WWTC’s business and design requirements;
Bad vendor relationships or vendor conflicts;
Cannot negotiate acceptable prices for contracts; and
Too many end user complaints about the performance of the network.
Fallback Plan if Implementation Fails
Before any implementation failure occurs, the network administrators at the NY site will
take daily backups of the configurations on the routers, switches, firewall, IPS, servers, and
other network devices, and an additional backup immediately after every configuration change.
These backups will also be stored offsite, for example with cloud service providers (the plan
names Cisco for LAN and security configurations and Microsoft for Active Directory
configurations). Because device configurations contain credentials such as local passwords,
SNMP community strings, and IPsec pre-shared keys, the backups must be encrypted in transit
and at rest, and access to them limited to the administrators. In the event of a failure during
implementation, such as an equipment failure or a misconfiguration, the administrators can
restore the previous known-good configuration instead of rebuilding from scratch, which keeps
recovery time and network downtime short. Restores should be tested periodically so that a
backup is known to be usable before it is actually needed.
Evolving the Network Design to Fit New Application Requirements
In order to fit new application requirements in the future, WWTC will consider modifying
its design. If WWTC develops a new in-house application or decides to outsource one, such as
email, the design has to be modified to support the new requirements. For example, if WWTC
runs email in-house, it will have its own email servers and will be responsible for their
maintenance and upkeep. If it decides to outsource email to a third-party service such as
Microsoft Office 365, it has to make design changes such as decommissioning the in-house
email servers and then updating DNS (the MX records), the firewall rules, and the mail-routing
configuration so that mail flows to Microsoft's servers. The best way to handle this is for
WWTC's network administrators to document all changes to the network design, including
network baseline information. Good documentation ensures that when application requirements
change there is no struggle to identify where in the design the changes should be made.
Project Budget
This budget will cover the following needs: network devices, maintenance and support
agreements, vendor service contracts, training/staffing, consulting fees, and outsourcing
expenses and their associated costs. In total, the project will cost approximately $1.09 million
in the first year (the line items below sum to $1,092,000, slightly above the $1,088,000
originally stated; items marked per year recur annually).

Wiring: $30,000
Server room construction: $300,000
Network devices: $640,000
Maintenance and support agreements (applies to all equipment): Cisco, HP, and Dell will
maintain the equipment and the service warranty for the devices. $10,000 per year
Service contracts with vendors (applies to all equipment): service contracts with Dell, Cisco,
and HP. $30,000 per year
McAfee Anti-Virus software (133 licenses): installed on all servers, laptops, and workstations at
WWTC. $20,000 per year
Training and staffing (three administrators are needed for implementation): the IT consultant
trains each administrator in the area they are responsible for implementing (LAN, security, and
Active Directory) and develops an end-user security awareness program. $10,000
Outsourcing costs, EarthLink (applies to network management): WWTC outsources network
management (security threat monitoring and network diagnostics). $50,000 per year
SolarWinds Network Performance Monitor (1 license): used to monitor WWTC's network
performance. $2,000 per year
Design Document Appendix
Implementation Schedule:
LAN Implementation Tasks
LAN Design: The LAN design should efficiently connect the devices at the NY facility in a manner that allows maximum flexibility, scalability, and ease of maintenance and administration.
Server Room Construction: The installation of data cabling to connect all devices at the NY facility, including shielded and plenum cables where safety and performance requirements dictate. ("Alpine Communications," n.d.)
Electrical Cabling: The installation of electrical cables to connect all devices at the NY facility. Distribution boards and UPS systems will be installed as well. ("Alpine Communications," n.d.)
Security Implementation Tasks
1. Physically install the Cisco ASA 5500 firewall.
2. Configure the ASA 5500 firewall.
3. Set up access to the public server farm in the DMZ on the ASA 5500.
4. Configure the IPsec VPN on the ASA 5500.
5. Configure the firewall rules on the ASA 5500.
6. Physically install the Cisco IPS 4270.
7. Configure the IPS 4270 in inline mode between the ASA 5500 and the WWTC network.
8. Install and configure McAfee ePolicy Orchestrator (ePO).
9. Install and configure Cisco Secure Access Control System (ACS) 5.4.
10. Install and configure the KG-175D.
11. Configure VLAN security on the network devices.
12. Configure port security on the network devices.
13. Configure DHCP snooping on the network devices.
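The script below is an added example, not part of the paper, for the last three security tasks (VLAN security, port security, and DHCP snooping) and for the post-implementation review of device security configurations against WWTC's policy. It parses a switch running-config of the kind the administrators back up daily and reports every port that misses one of those controls. The rules it encodes are this editor's reading of the three tasks, and the sample configuration is constructed for the example rather than taken from a WWTC device.

```python
"""Added example, not from the paper: audit a switch running-config for the
hardening steps in the security task list (VLAN security, port security and
DHCP snooping). The rules below are my reading of those steps; the sample
configuration is constructed for the example, not a real WWTC device."""
import re

# Constructed sample: Gi1/1 is compliant, Gi1/2 lacks port security, Gi1/47 is
# an untrusted trunk left on native VLAN 1, and the snooping VLAN list omits 150.
SAMPLE_CONFIG = """\
hostname NY-ACC-01
!
ip dhcp snooping
ip dhcp snooping vlan 101,102,110,120,130,140,160
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 150
 switchport port-security
!
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 110
!
interface GigabitEthernet1/47
 switchport mode trunk
 switchport trunk allowed vlan 100-160
!
interface GigabitEthernet1/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100-102,110-160
 ip dhcp snooping trust
!
"""


def parse_sections(text):
    """Group an IOS-style config into {header: [sub-commands]}; indented lines
    belong to the preceding 'interface ...' header, all else goes to 'global'."""
    sections, current = {"global": []}, "global"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = "global"
        elif line.startswith(" "):
            sections.setdefault(current, []).append(line.strip())
        elif line.startswith("interface "):
            current = line
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(line)
    return sections


def expand_vlan_list(spec):
    """IOS VLAN list syntax: '100-102,110' -> {100, 101, 102, 110}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def last_int(lines, pattern, default):
    """Integer captured by the last matching sub-command, or default."""
    for cmd in reversed(lines):
        m = re.match(pattern, cmd)
        if m:
            return int(m.group(1))
    return default


def audit(config_text):
    """Return a list of findings; an empty list means the switch complies."""
    sections = parse_sections(config_text)
    top, findings, snoop_vlans = sections["global"], [], set()
    if "ip dhcp snooping" not in top:
        findings.append("global: 'ip dhcp snooping' is not enabled")
    for cmd in top:
        m = re.match(r"ip dhcp snooping vlan (\S+)", cmd)
        if m:
            snoop_vlans |= expand_vlan_list(m.group(1))
    for header, lines in sections.items():
        if not header.startswith("interface ") or "shutdown" in lines:
            continue  # only active switch ports are in scope
        name = header.split(" ", 1)[1]
        if "switchport mode access" in lines:
            vlan = last_int(lines, r"switchport access vlan (\d+)", 1)
            if "switchport port-security" not in lines:
                findings.append(f"{name}: access port without 'switchport port-security'")
            if vlan not in snoop_vlans:
                findings.append(f"{name}: access VLAN {vlan} not covered by 'ip dhcp snooping vlan'")
        elif "switchport mode trunk" in lines:
            if "ip dhcp snooping trust" not in lines:
                findings.append(f"{name}: trunk is not marked 'ip dhcp snooping trust'")
            if last_int(lines, r"switchport trunk native vlan (\d+)", 1) == 1:
                findings.append(f"{name}: trunk still uses native VLAN 1")
    return findings
```

Calling audit(SAMPLE_CONFIG) yields four findings on the constructed switch: the Staff VLAN missing from the snooping list, the guest port without port security, and the untrusted trunk on native VLAN 1 (two findings). The same function run over each backed-up running-config gives the administrators a repeatable compliance check instead of a manual read-through.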
Active Directory Implementation Tasks
1. Create the forest root/parent domain, WWTC.com.
2. Create the child domain, NY.WWTC.com.
3. Configure the DNS suffix search list and distribute it through GPOs.
4. Establish a forest trust between WWTC and HQ Hong Kong.
5. Configure global catalog servers and FSMO roles.
6. Create sites and subnets.
7. Create site link objects and configure site link settings.
8. Create the WWTC group structure.
9. Implement the WWTC Active Directory GPOs.
Network and VLAN Configuration

Segment            VLAN ID  Devices  Addresses required   Subnet           Usable   Subnet range
                                     (incl. 100% growth)                   hosts    (network – broadcast)
Servers            100      47       94                   172.16.12.0/25   126      172.16.12.0 – 172.16.12.127
VoIP               101      94       188                  172.16.13.0/24   254      172.16.13.0 – 172.16.13.255
Reception/Guest    110      56       112                  172.16.0.0/25    126      172.16.0.0 – 172.16.0.127
Conference Rooms   120      20       40                   172.16.0.128/26  62       172.16.0.128 – 172.16.0.191
Printers           102      20       40                   172.16.0.192/26  62       172.16.0.192 – 172.16.0.255
Executive Offices  130      26       52                   172.16.1.0/26    62       172.16.1.0 – 172.16.1.63
Managers           140      20       40                   172.16.1.64/26   62       172.16.1.64 – 172.16.1.127
Staff              150      48       96                   172.16.1.128/25  126      172.16.1.128 – 172.16.1.255
Brokers            160      28       56                   172.16.2.0/26    62       172.16.2.0 – 172.16.2.63

The range column lists each subnet's network and broadcast addresses, which cannot be assigned
to hosts; the first assignable address is the network address plus one and the last is the
broadcast address minus one (for example 172.16.12.1 – 172.16.12.126 for the Servers VLAN).
VoIP Configuration
Separate roles: Decide how the roles will be separated into subnets and VLANs.
Create subnets: After separating the roles, inventory the number of users and devices that need an IP address and size each subnet for 100% growth.
Create subnets on switch: Create the VLANs on the switches and define each VLAN's IP address range (its routed interface) so that the network can reach the devices.
Set up VoIP: Configure the voice over IP network on both the router and the switches, including DHCP for the voice VLAN and phone number assignment, so that phone service works.
Create PSTN failover: Using Cisco Unified Communications Manager, allow calls to be made and received over the public switched telephone network if the Internet connection fails. The cost of this is around $1,300.
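The script below is an added example, not part of the paper, that carries out the "Create subnets" step above for the roles in the Network and VLAN Configuration table: it doubles each device count for 100% growth, picks the smallest prefix whose usable host count covers it, and places the subnets back to back on properly aligned boundaries. The segment names, VLAN IDs, and device counts are copied from the table; the two starting addresses (172.16.0.0 for user segments, 172.16.12.0 for servers and VoIP) and the allocation order are this editor's assumptions, chosen so the result can be compared against the table.

```python
"""Added example (not from the paper): size and allocate the WWTC VLAN
subnets following the paper's rule of reserving 100% growth per role.

Segment names, VLAN IDs and device counts come from the paper's table.
Assumed: user segments are carved sequentially from 172.16.0.0 and the
server/VoIP segments from 172.16.12.0, in the order the table lists them.
"""
import ipaddress
from math import ceil, log2

# (segment, VLAN ID, device count) from the paper's VLAN table.
USER_ROLES = [
    ("Reception/Guest", 110, 56),
    ("Conference Rooms", 120, 20),
    ("Printers", 102, 20),
    ("Executive Offices", 130, 26),
    ("Managers", 140, 20),
    ("Staff", 150, 48),
    ("Brokers", 160, 28),
]
INFRA_ROLES = [
    ("Servers", 100, 47),
    ("VoIP", 101, 94),
]


def prefix_for(hosts_needed):
    """Smallest prefix length whose usable hosts (2^h - 2) cover hosts_needed.

    A /30 is the floor: anything smaller has no usable host addresses.
    """
    host_bits = max(2, ceil(log2(hosts_needed + 2)))
    return 32 - host_bits


def plan(roles, start, growth=1.0):
    """Allocate one subnet per role after growing the device count.

    Subnets are placed back to back and aligned to their own size so every
    block is a valid CIDR prefix. Returns one dict per role.
    """
    cursor = int(ipaddress.IPv4Address(start))
    result = []
    for segment, vlan, devices in roles:
        needed = ceil(devices * (1 + growth))
        prefix = prefix_for(needed)
        size = 2 ** (32 - prefix)
        if cursor % size:                      # align to the subnet boundary
            cursor += size - cursor % size
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(cursor)}/{prefix}")
        result.append({
            "segment": segment,
            "vlan": vlan,
            "devices": devices,
            "needed": needed,
            "subnet": str(net),
            "usable": net.num_addresses - 2,
            "first_host": str(net.network_address + 1),   # network address is unusable
            "last_host": str(net.broadcast_address - 1),  # broadcast address is unusable
        })
        cursor += size
    return result


def overlapping(rows):
    """Return pairs of segments whose subnets overlap (should be empty)."""
    nets = [(r["segment"], ipaddress.ip_network(r["subnet"])) for r in rows]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    rows = plan(USER_ROLES, "172.16.0.0") + plan(INFRA_ROLES, "172.16.12.0")
    for r in rows:
        print(f"{r['segment']:<18} VLAN {r['vlan']:<4} {r['devices']:>3} devices "
              f"-> {r['needed']:>3} needed  {r['subnet']:<17} "
              f"{r['usable']:>3} usable  {r['first_host']} - {r['last_host']}")
    assert not overlapping(rows)
```

Under these assumptions the output reproduces the table's subnets exactly (172.16.0.0/25 for Reception/Guest through 172.16.2.0/26 for Brokers, 172.16.12.0/25 for Servers and 172.16.13.0/24 for VoIP), which is a useful cross-check: if a device count in the inventory changes, rerunning the script shows immediately which subnet no longer fits and whether any blocks would collide.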
VoIP Diagram
DHCP/DNS Addresses

Scope         Addresses available  Subnet mask       Default gateway  Primary DNS
Executives    62                   255.255.255.192   172.16.0.2       172.16.0.93
Brokers       62                   255.255.255.192   172.16.0.2       172.16.0.93
Managers      62                   255.255.255.192   172.16.0.2       172.16.0.93
Staff         126                  255.255.255.128   172.16.0.2       172.16.0.93
VoIP Phones   254                  255.255.255.0     172.16.0.2       172.16.0.93

Note that the default gateway (172.16.0.2) and primary DNS server (172.16.0.93) listed above
both fall inside the Reception/Guest subnet (172.16.0.0/25) of the VLAN table, not inside the
scopes they serve. A DHCP client can only use a default gateway that lies within its own subnet,
so each scope must hand out the address of that VLAN's own router interface, and the DNS
server should be placed in the Servers VLAN (172.16.12.0/25) rather than in the guest subnet.
Wireless Network Deployment Diagram
Active Directory OU Structure
Executives
    Users
    Workstations
Brokers
    Users
    Workstations
Finance
    Users
    Workstations
Human Resources (HR)
    Users
    Workstations
Managers
    Users
    Workstations
IT
    Users
    Workstations
Printers
Servers
Security Groups
Active Directory GPO Implementation Diagram
Active Directory Forest Structure
References
Earthlink. (2016). Network and Security Outsourcing. Retrieved July 6, 2016, from Earthlink:
https://www.earthlink.com/services-and-solutions/solutions-by-challenge/network-security-outsourcing
Hummel, S. (2009, September 20). Effective Network Planning and Design Guide. Retrieved July 7, 2016,
from IT World: http://www.itworld.com/article/2768291/networking/effective-network-planning-and-design-guide.html
Solarwinds. (2016). Network Performance Monitor v12. Retrieved July 8, 2016, from Solarwinds:
http://www.solarwinds.com/network-performance-monitor