Michael Nancarrow
Small Network Upgrade
Proposed Small Network Upgrade - SkillageIT
Talon Textile Fasteners

Version  Date           Changes                     Note
1.00     24th February  Created body                Added base information from review
1.01     25th February  Added small data and table  Review Rubik and apply current fields
1.02     27th February  Added data                  Need to test Packet Tracer
1.03     30th February  Added data                  Need to review wording of routing
Contents
Background: Current Network
Organisational Structure Old and New
  Sites
  Admin
  Manufacturing
  Sales
  Operations
  Organisation Units
Server Specifications Dual Selection
  Physical Server(s)
  Role of Server
  Approval
  Server Build (Template)
  Server Guide
  Server and Networking Test
  Server Maintenance
  Routing Policy
Planning for Implementation
  Cabling
  Protocols
  Traffic Monitoring
Security
  Perimeter Designs
  Remote Access
  Site To Site Links and VPN
  Defence In Depth
  Security Auditing
  Risk Analysis
Documentation
  Vendor Documentation
  In House Documentation
Background: Current Network
Talon Textile Fasteners (TFF) runs several offices: Head Office (Millicent), Mt Burr, Pts. Pirie and Adelaide. The current systems are Windows XP machines, Microsoft Small Business Server 2000, a Linux Red Hat 7.0 file server and a Microsoft SQL Server. System performance is not acceptable: the Manufacturing Supervisor has highlighted that the system does not populate requests fast enough, and the Sales Manager has stated that manufacturing is not able to keep up with sales. There is currently no VoIP service, remote management/access or virtualisation in use. All services need to be moved to current, supported operating systems and hardware so that the efficiency of the group is not hindered; Windows XP SP1 and SBS 2000 no longer receive security updates, so the upgrade is a security requirement as much as a performance one. Nigel Techner, CIO, has stated that the communications setup and wireless at Mt Burr can be ignored as these have recently been upgraded; all other technologies need to be reviewed and set up as soon as possible. The CFO, Eddie Springton, has advised that the capital investment available for the network upgrade is $150,000.00 AU.
The main deliverables of the project are (but not limited to):
1. Provide the client with more current hardware for the file servers and the SQL database;
2. An in-house web server with appropriate security;
3. VoIP implementation for communications;
4. Virtualisation options with redundancy at the domain level;
5. An effective ordering system for online orders that communicates with the in-house database; and
6. Remote access to the database and internal resources.
This does not cover all of TFF's needs, but it does cover the main project deliverables. The project deliverables can be highlighted as follows:

Each step needs to be performed within the 10 week project and must be rolled out to all sites of the company. Each phase should take two weeks to complete, leaving 4 weeks for delays, review and discussion.
Organisational Structure Old and New

Sites
There are currently four main sites for TFF: Head Office in Millicent, Mt Burr, Pts. Pirie and Adelaide. The sites are interconnected at present (the connection is considered a WAN). Each site acts as an independent entity with its own infrastructure, all of it outdated.

Admin
The admin department (Data Entry Officers) resides in the head office at Millicent. All computers run Windows XP SP1 and have not been updated for over 12 years. These computers use an on-premise file server and SQL database, and an internal Exchange server for e-mail. The users are currently happy with the computers, although they understand that the performance causes issues. Because of the age of the system and the software in use, upgrading to a later operating system (such as Windows 8) may cause problems running existing software. The admin department is heavily reliant on e-mail and on access to the Microsoft Windows Small Business Server; both are considered critical IT services. The current hardware infrastructure of this site is as follows:
1. Thirty-five (35) Windows XP computers running Service Pack 1;
2. Three Kyocera FS-3920DN and one Kyocera M2535CDN;
3. One master Domain Controller with the DHCP and DNS roles;
4. A Linux Red Hat 7.0 file server with a partition for the SQL database.
The IP scheme of head office (hereafter HO) is 10.128.15.0/24 with the following devices:
1. The main DC (Domain Controller) has the IP address 10.128.15.10 and resolves as tffdc1.tff.com.au;
2. The Linux file server has the IP address 10.128.15.12 and resolves as qld-lrhfs.tff.com.au;
3. The static IP range for printers is 10.128.15.2-9, where the FS-3920s use .2-.4 and the M2535 uses .5;
4. All computers have static IP addresses in .100-.135 for ease of maintenance.
This site has no backup solution, redundancy or remote access, so IT support must attend the site for any IT-related issue. This site's Domain Controller holds all of the master operations (FSMO) roles; all other DCs in the forest are subordinate to it. The current phone system is an older desk-phone style which has limitations for internal calling and frequently suffers service issues. This site needs major consideration for redundancy, security and failover options to ensure little to no downtime on critical IT needs.
Manufacturing
The manufacturing plant suffers from a lack of real-time updates from the sales department. In some respects this site has less IT reliance than the others. Currently on site there are:
1. One read-only Domain Controller with the DHCP and DNS roles;
2. Four Kyocera FS-3920DN printers;
3. Five Windows XP computers;
4. One plasma television wired to a PC;
5. Three desk phones.
This site's IP address scheme is 10.128.16.0/24. Once sales push a sale through their DMS/SQL it should propagate to the section of the DMS that the manufacturing department has access to. Because this information has to be relayed to HO and then updated at the manufacturing site, there are severe delays in the completion of orders. The current phone system works well, with few issues such as call drop-outs. The printers here are often over-utilised and frequently have job queues backed up. The current link to the SQL database, the number of printers and the network speed of this site need to be reviewed as a high priority; all sites are negatively affected by the delays experienced here.
Sales
The sales department is negatively impacted by the delayed data transfer to the manufacturing department, but has fast access to the servers housed at Millicent. The department has grown 5% in the previous year and so requires more hardware to support its growth. The current hardware infrastructure of this site (Pts. Pirie) consists of:
1. One Domain Controller with the DHCP and DNS roles at 10.128.17.10 on 10.128.17.0/24;
2. Twenty-five Windows XP machines in the range 10.128.17.100-.125;
3. Four Kyocera FS-3920DN printers in the range 10.128.17.2-.5.
This site is currently functioning at optimal settings, but it should be set up as the failover if Admin faces critical issues. The phone system here is not functioning at optimal levels, and so e-mail and social networking have become critical IT services; an in-house Exchange server should be set up here for faster access.
Operations
The new saw mill at Mt. Burr will be opening soon and will employ approximately 25 employees; it is estimated that only 6 staff will require a computer, while all other users operate machinery. Mt. Burr will receive a new communications rack and an ADSL2 connection back to Millicent (HO). As this site is newly opened there is no existing infrastructure, so SkillageIT will start from scratch. The site will require access to the in-house database, the phone system, the file server and e-mail. It is in a remote location and will be difficult to administer or maintain if issues occur, so it needs to be virtualised and have a redundant link so that a failure does not leave users without services for an extended time.
Organisation Units
As an organisational unit, there are uniform setups for IP schemes and infrastructure. The flexible single master operation (FSMO) roles are applied to one DC, tffdc1.tff.com.au. The following standards apply per site:
1. Domain controllers are given the static address .10 of the site's subnet;
2. The Linux file server resolves at .12 of the 10.128.15.0/24 network;
3. The printer range is .2-.9 (no site currently has more printers than this range holds);
4. All computers have static IP addresses in .100-.135 for ease of maintenance.
Each department requires access to the in-house Exchange server, the DMS/SQL database and the Linux Red Hat file server. The preliminary organisational unit design for TFF has the following boundaries:
1. A Telstra TIPT phone system, resolving through the WAN to an external SIP server;
2. A WAN divided into four sites: Admin, Manufacturing, Operations and Sales;
3. One HP 48-port switch for computers and one 48-port switch for VoIP, with VLANs configured;
4. A default route through the Admin router for access to the external internet;
5. A Citrix remote management server on the 10.128.15.0/24 network;
6. Redundant links within Manufacturing for failover.
There is currently no failover for IT issues, no backup solution and no remote management/access. Remote access will be delivered as single sign-on published applications through Citrix XenApp; failover routes, backup solutions and a review of the current security policies complete the design. The preliminary network outline has been designed and is shown below. It does not yet include the hosted Exchange server, the backup solution or the redundancy links.
The overview of the network can be summarised as:

This highlights the connection to the internet through the default route on the 10.128.15.0/24 network, how the web server will be hosted for external access, and the firewall policies for the sites. For a detailed breakdown of each site's infrastructure refer to the Server Build section of this report.
Server Specifications Dual Selection
The current servers are outdated and require updating; the current hardware should also be replaced at the same time. The ideal changes are:
1. A remote access server (XenApp) should be deployed and published so that external access can occur;
2. The current file server should be migrated to Windows Server 2008/2012 to ensure full compatibility with Active Directory and Group Policy;
3. A snapshot server should be created to hold SQL backups and file server changes;
4. The Windows Small Business Server 2000 and the Microsoft SQL Server need to be migrated to a newer server OS;
5. An internal SMTP/Exchange server should be created that works with the on-site AD; and
6. Redundant secondary DNS/DHCP/DC services need to be set up at another site.
For power failure, UPS units should be deployed at these sites to the stated specifications. With the device upgrade there will also be a migration from static IP addressing of computers to the DHCP server; this will require an overhaul of the current scopes and setup at all four sites.

Physical Server(s)
Current Servers
The current servers are: (1) Linux Red Hat 7.0 file server on the 10.128.15.0/24 network; (1) master Domain Controller with the DNS and DHCP roles on 10.128.15.0/24; and (1) Microsoft Small Business Server with SQL on 10.128.15.0/24. All servers are hosted on the .15.0 network at Admin. This is the closest connection to the Telstra external router and the connection to the internet.
Anticipated Servers
The anticipated servers are: (1) master Domain Controller with the DNS and DHCP roles on 10.128.15.0/24; (1) Read-Only Domain Controller on the 10.128.18.0/24 network; (1) backup Domain Controller on the 10.128.17.0/24 network with DNS and DHCP; (1) Citrix remote access server on the 10.128.18.0/24 network; (1) Windows Server 2008 on the 10.128.15.0/24 network with SQL; (1) secondary backup server for the SQL database; (3) Exchange 2013 servers at .15, .18 and .17 with the SMTP server on .15; (1) web server hosted on the .15 Admin network. There is also a proposal to install a Nagios server to monitor hardware such as WAPs, switches and other network devices. If requested, a print server may also be set up and linked to Active Directory for maintenance.
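The per-site addressing standard from the Organisation Units section and the static-to-DHCP migration described above can both be expressed as a small plan that is checked before any scope is created. The following is an added example (not SkillageIT's own tooling): it encodes the standard (DC at .10, file server at .12, printers .2-.9, workstations .100-.135, router at .254 as used in the switch configuration), audits an inventory against it, and derives the DHCP scope with exclusions for the static roles. The four site subnets are the report's; the scope layout, the transition handling and the sample inventory are this example's assumptions.

```python
"""Per-site address plan for TFF (added example, not part of the report)."""
import ipaddress

SITES = {
    "Admin": ipaddress.ip_network("10.128.15.0/24"),
    "Manufacturing": ipaddress.ip_network("10.128.16.0/24"),
    "Sales": ipaddress.ip_network("10.128.17.0/24"),
    "Operations": ipaddress.ip_network("10.128.18.0/24"),
}

# Host-number ranges (inclusive) reserved for static roles in every site.
STATIC_ROLES = {
    "printer": (2, 9),
    "domain_controller": (10, 10),
    "file_server": (12, 12),
    "router": (254, 254),   # default gateway used in the switch configuration
}
# Workstations are static today; this range is reclaimed for DHCP once the
# migration is finished.
WORKSTATION_RANGE = (100, 135)


def classify(addr):
    """Return (site, role) for an address, or (None, None) if it is outside the plan."""
    ip = ipaddress.ip_address(addr)
    for site, net in SITES.items():
        if ip not in net:
            continue
        host = int(ip) - int(net.network_address)
        for role, (lo, hi) in STATIC_ROLES.items():
            if lo <= host <= hi:
                return site, role
        if WORKSTATION_RANGE[0] <= host <= WORKSTATION_RANGE[1]:
            return site, "workstation"
        return site, "unassigned"
    return None, None


def audit(inventory):
    """Check declared roles against the standard.

    inventory: iterable of (hostname, address, declared_role).
    Returns a list of (hostname, address, problem) for every mismatch.
    """
    problems = []
    for host, addr, declared in inventory:
        site, role = classify(addr)
        if site is None:
            problems.append((host, addr, "not in any TFF site subnet"))
        elif role != declared:
            problems.append((host, addr, f"declared {declared}, standard says {role}"))
    return problems


def dhcp_scope(site, transition=True):
    """Plan the DHCP scope for one site.

    The scope spans the whole usable /24 and excludes the static roles.
    During the transition the old static workstation range is excluded as
    well, so a lease can never collide with a PC that has not been converted
    yet; call with transition=False once every workstation uses DHCP.
    """
    net = SITES[site]
    exclusions = sorted(STATIC_ROLES.values())
    if transition:
        exclusions.append(WORKSTATION_RANGE)
        exclusions.sort()
    merged = []  # coalesce touching ranges, e.g. printers .2-.9 and the DC at .10
    for lo, hi in exclusions:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    excluded = sum(hi - lo + 1 for lo, hi in merged)
    return {
        "network": str(net),
        "range": (str(net[1]), str(net[254])),
        "exclusions": [(str(net[lo]), str(net[hi])) for lo, hi in merged],
        "gateway": str(net[254]),
        "leases_available": 254 - excluded,
    }


# Constructed inventory: the first three rows come from the report, the
# fourth is a made-up printer placed outside the printer range.
SAMPLE_INVENTORY = [
    ("tffdc1.tff.com.au", "10.128.15.10", "domain_controller"),
    ("qld-lrhfs.tff.com.au", "10.128.15.12", "file_server"),
    ("sales-prn4", "10.128.17.5", "printer"),
    ("mfg-prn5", "10.128.16.11", "printer"),
]

if __name__ == "__main__":
    for site in SITES:
        print(site, dhcp_scope(site))
    for problem in audit(SAMPLE_INVENTORY):
        print("VIOLATION:", *problem)
```

Running the audit before the cutover catches hosts that have drifted from the standard (the constructed mfg-prn5 at .11 is reported), and the transition flag is the important edge case: during the migration the scope must not hand out .100-.135 or a new lease will collide with a workstation that is still static.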
Role of Server
There are several additional servers that will be deployed for TFF, each with its own role. The main roles to consider are the Active Directory FSMO roles (Schema, Domain Naming, RID, PDC Emulator and Infrastructure Masters) and the Global Catalogue server.

Master Domain Controller with DNS and DHCP Role
The master Domain Controller (tffdc1.tff.com.au on 10.128.15.0/24) has the DHCP and DNS roles applied; this DC also holds all the FSMO roles for TFF. It hosts Active Directory Domain Services and is the root of the TFF forest. This DC is critical for TFF: while it is down, anything that depends on an FSMO role (password changes handled by the PDC Emulator, new RID pool allocations, schema changes) stops for every site, even though other DCs can still authenticate users and answer DNS.

Read Only Domain Controller
The Read-Only Domain Controller (RODC) is implemented for redundancy. It holds a read-only copy of the directory replicated from the writable DCs and can answer DNS requests, so it also spreads the DNS load. In the event that the master DC (tffdc1) goes down and the backup DC takes over, the flexibility to turn this server into a writable DC should be present; note that an RODC cannot be promoted in place, it has to be demoted and re-promoted as a writable DC. For a remote site to keep authenticating users while the WAN to the writable DCs is down, the RODC's Password Replication Policy must allow the credentials of that site's users and computers to be cached. This server will probably be housed on the 10.128.17.0/24 network.

Backup Domain Controller
The backup Domain Controller is a second writable DC (in Active Directory all writable DCs are peers; "primary" and "backup" here only describe where the FSMO roles sit). It takes the load when there is an issue on the main DC, serves as the secondary DHCP and DNS for TFF, and can be used for load balancing under high demand. If tffdc1 is permanently lost, the FSMO roles are seized onto this server.

Citrix Remote Access Server
An independent server will be commissioned for remote access to internal files. This Citrix XenApp server (qld-cit1.tff.com.au) can be housed on any internal network; it will have an external IP address and a public DNS name so that users can log into the internal service with their AD accounts. This allows users to work from home and allows remote management of sessions. Because it is reachable from the internet, its placement and firewall rules should follow the Perimeter Designs and Remote Access sections of this report rather than leaving it open on the server subnet.

Windows Server 2008 with SQL
The Windows Small Business Server 2000 is no longer supported and needs to be replaced. Because the SQL database is hosted on it, the database needs to be backed up and migrated or virtualised. The Windows Server 2008 host can run the SQL database and the DMS system as well as the file system (replacing the Red Hat file server). This server can act in a dual role (provided the hardware is updated) for the in-house DMS and the file server.

One secondary backup server
The secondary backup server holds the backup snapshots of the file server and the SQL database. It will be housed on the same network, as large volumes of data cannot be transferred site-to-site, but will have a UPS for power failover. This protects against a server failure but not against loss of the Millicent site or a compromise that reaches the backup server as well, so an off-site copy of the SQL backups should still be planned.

2013 Exchange Servers
There will be three Exchange servers to handle e-mail for the .15, .16 and .18 networks. They cover the SMTP gateway, storage and operation, operate off AD for groups etc., and function internally. The option to move to Exchange ActiveSync / Office 365 is also available.

Web Server hosted
There will also be a web server to publish applications, such as ordering parts, through an online interface. This is separate from Citrix. Once it has been set up the relevant security protocols/measures will be applied. Further discussion of this is required.
Network Virtualisation
With the physical hardware selected for the server upgrades, hardware virtualisation through Hyper-V 3.0 becomes available. Hyper-V, formerly Windows Server Virtualisation, allows multiple servers to be hosted on one physical machine, so one machine can be managed as a file share, DNS server, DHCP server or whatever role the business requires. Key uses for Hyper-V could include virtual Windows XP machines to support legacy programs or to help unfamiliar users transition from their older computers (such VMs carry the same unpatched-OS risk as the physical XP machines and should be isolated, not treated as a fix), and a test environment for application and other settings before applying them to sites. According to TechNet, the following are the hardware requirements to run Hyper-V on Windows Server (the page linked below is written for Windows Server 2008; the same processor requirements apply to Hyper-V 3.0 on Windows Server 2012):

"To install and use the Hyper-V role, you need the following: An x64-based processor. Hyper-V is available in x64-based versions of Windows Server 2008, specifically the x64-based versions of Windows Server 2008 Standard, Windows Server 2008 Enterprise, and Windows Server 2008 Datacenter. Hardware-assisted virtualization. This is available in processors that include a virtualization option, specifically Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V). Hardware-enforced Data Execution Prevention (DEP) must be available and be enabled. Specifically, you must enable the Intel XD bit (execute disable bit) or AMD NX bit (no execute bit)."

For more information on Hyper-V 3.0 refer to https://technet.microsoft.com/en-au/library/cc742440.aspx

Windows Server 2012 System Requirements [1]
[1: Microsoft Server 2012 (R2) also requires a Gigabit Ethernet adapter.]
CPU   1.4 GHz 64-bit processor
RAM   512 MB
HDD   32 GB

Windows Server 2012 Pricing [2]
[2: ]

Plan          Standard
Designed for  Low-density and non-virtualised environments
Features      Full Windows Server functionality with two virtual instances
License type  Processor + CAL
Price         $882.00 (USD)
To an enterprise, three key benefits of Microsoft's server are the data deduplication feature, Hyper-V 3.0 and the out-of-the-box server management tools. Along with the tools to operate the system, there are online forums, technical support and hardware support associated with a Microsoft product [3].
[3: Refer to Appendix I for a full breakdown of the benefits listed]

By enabling server virtualisation in a data centre, or across a high-speed WAN, virtual server images (.vhd/.vhdx) can be migrated between host machines while running. Hardware that supports this will give TFF a greater uptime percentage and lower their downtime. Assume Server A and Server B are two of the Eland Pro Pedestal servers (listed below), with the DC, DNS, DHCP and Exchange servers hosted as VMs on Server A. In the event of network issues on premise, or a need to move from one site to another, Windows Server 2012 with Hyper-V 3.0 can live migrate the VMs and their VHDX (virtual hard disk) files from Server A to Server B. During the storage migration the VM keeps running: reads and writes continue against the disk on Server A while its contents are copied to Server B, and once the initial copy completes writes are mirrored to both disks until the switch-over, so users see no outage.

This gives greater flexibility in moving servers and data from site to site with little to no downtime. The key role server virtualisation can play for TFF is the ability to take snapshots (checkpoints) of servers in real time; in the event of an attack or malfunction on a server, the VM with the troublesome VHD can be taken offline and the earlier checkpoint restored. Two caveats apply: a restored checkpoint also restores the vulnerability or foothold that allowed the attack, so the cause still has to be fixed; and reverting a domain controller to a checkpoint is only safe when the DC guest runs Windows Server 2012 or later and the hypervisor exposes the VM Generation ID (Hyper-V 3.0 does), which lets Active Directory detect the rollback; otherwise it causes USN rollback and replication divergence.
Approval
The following hardware will be purchased (upon approval) for the new network design:

Device                                            Price/Unit   Qty  Total        Approval  Asset Tag
Cisco Meraki Cloud Managed Indoor Access Points   $480.00      25   $12,000.00   CFO       20140000-0025
HP 1620                                           $680.00      10   $6,800.00    CFO       20140026-0036
Eland Pro Pedestal                                $15,000.00   3    $45,000.00   CFO       20140037-40
Intel Core i5 4690 Turbo Pack                     $802.00      25   $20,050.00   CFO       20140041-66
Toshiba SATPro L50 PSKT5A-001001                  $799.00      25   $19,975.00   CFO       20140067-20140093
Powershield UPS 750VA Safeguard Line Interactive  $109.00      5    $545.00      CFO       20140094-0099
HP Jetdirect Ew2500 Wireless Print Server         $329.00      1    $329.00      CFO       20150000
Eland Pedestal                                    $357.00      7    $2,500.00    CFO       20150000-0005

The totals in the table add up to $107,199.00, leaving $42,801.00 of the $150,000.00 budget for the purchase of software (XenApp, Microsoft Server licences, backup solutions etc.). This will need to be put to the board (CIO, CEO and CFO) for the required approval. The plan covers all required servers, UPS devices, wireless access points and 50 stations for users. There are also two switches per site plus two spare switches for replacement. Five routers will also need to be added for the cutover, or the current router infrastructure redesigned.
Server Build (Template)

Domain Controller 1
Name: tffdc1.tff.com.au
IP Address: 10.128.15.10
Roles: FSMO master, DNS, DHCP and AD DS
Redundancy: Backup Domain Controller
Purpose: Primary DHCP and DNS, master DC; provides AD services for the TFF group.

Backup Domain Controller
Name: tffdc2.tff.com.au
IP Address: 10.128.16.10
Roles: DNS, DHCP and AD DS
Redundancy: Read Only Domain Controller
Purpose: Secondary domain controller for load balancing.

Read Only Domain Controller
Name: rodctff.tff.com.au
IP Address: 10.128.17.10
Roles: Read-only mirror of DC1; DNS, DHCP and AD DS can be applied
Redundancy: No redundant option for this DC.
Purpose: Read-only DC which can be made writable (by demotion and re-promotion) if the secondary DC goes down.

Citrix XenApp Server
Name: xenapp.tff.com.au
IP Address: 10.128.15.110, with external IP address 172.201.144.11
Roles: Remote access
Redundancy: There is no redundancy for the Citrix server.
Purpose: Remote access server which allows external access to internal resources.

Backup Server
Name: tffbk.tff.com.au
IP Address: 10.128.15.201
Roles: Backup
Redundancy: There is no redundancy for this server.
Purpose: Performs backups of the file server and SQL database periodically.

Windows 2008 Server + SQL
Name: sqlfs.tff.com.au
IP Address: 10.128.15.12
Roles: File share and SQL database
Redundancy: (not specified)
Purpose: Main file share server; also hosts SQL for the in-house DMS.

Printer Server
Name: printsvr.tff.com.au
IP Address: 10.128.15.202
Roles: Primary print server
Redundancy: There is no redundancy for this server.
Purpose: Universal printer management.

Web Host Server
Name: websvr.tff.com.au
IP Address: 10.128.15.220, with external IP address 172.201.144.13
Roles: Web hosting for client orders
Redundancy: (not specified)
Purpose: To allow clients to place orders externally into the internal database. Note that this host and the XenApp server are both reachable from the internet yet share the Admin subnet with the DC, the file/SQL server and the backup server; the perimeter firewall should isolate them so that the web server can reach the SQL server on its database port and nothing else, and a compromise of the web application cannot reach the domain controller directly.

Exchange Server
Name: exchsvr.tff.com.au
IP Address: 10.128.15.221, 10.128.16.221 and 10.128.17.221
Roles: Exchange servers for the sites
Redundancy: Each server can act as a backup for the others.
Purpose: Internal Exchange hosting and e-mail.
These sites are broken down further in the following diagram(s):
Admin Site 10.128.15.0/24
Manufacturing Site 10.128.16.0/24
Sales Site 10.128.17.0/24
Operations Site 10.128.18.0/24
Switches are configured with a universal setup as follows (VLAN configuration example):

    ; adm_switch_hp1620_48p - example switch configuration
    hostname adm_switch_hp1620_48p
    ; map AF31 (voice) to priority 4 and honour DSCP markings on ingress
    qos dscp-map af31 priority 4
    qos type-of-service diff-services
    ip default-gateway 10.128.15.254
    ; VLAN 1 carries computers and the switch management address on all ports
    vlan 1
       name "DEFAULT_VLAN"
       untagged 1-52
       ip address 10.128.15.200 255.255.255.0
       qos dscp af31
       exit
    ; VLAN 2 (VoIP) is tagged only on the uplink ports 49-52
    vlan 2
       name "VLAN2"
       tagged 49-52
       no ip address
       exit
    spanning-tree
    spanning-tree priority 2
    ; disable unneeded services; password commands prompt for the secret,
    ; so it is set at configuration time and not stored in this file
    no tftp server
    no dhcp config-file-update
    password manager
    password operator

With this configuration the management address sits on VLAN 1 together with every user port, so any workstation can reach the switch's management interface; a dedicated management VLAN with the manager password set on every switch would be the expected hardening, and the spare switches should be configured identically before they are stored.

Server Guide
The primary Domain Controller, the Microsoft Windows 2008 Server with SQL and the web hosting server run on the following hardware [4]:
[4: Please refer to the Appendix for technical information on the servers]
1. No operating system support
2. 2.70 GHz E5-2697 v2 (30 MB cache, 130 W, 12 cores, 24 threads)
3. 128 GB quad-channel registered ECC DDR3 at 1333 MHz (8 x 16 GB)
4. 2.70 GHz E5-2697 v2 (30 MB cache, 130 W, 12 cores, 24 threads), second processor
5. 128 GB quad-channel registered ECC DDR3 at 1333 MHz (8 x 16 GB), second bank
6. RAID 10, adds an 8-port hardware RAID card
7. 24 TB RAID 10 (8 x 6 TB 3.5" 7200 RPM drives)
8. Lights-out remote management module
9. RAID battery backup, to ensure data integrity in the event of power failure
10. 10 Gb SFP+ dual-port network adapter
11. Second dual-layer CD-RW/DVD-RW
12. Dual-layer CD-RW/DVD-RW
13. Pedestal to 4U rack conversion kit
14. Logitech Desktop MK200
15. 20" widescreen LCD display (1600x900)
16. 3 year limited labour and overnight parts warranty
The other servers are pre-deployed with the relevant OS and roles (the manufacturer builds them to order) to cover all relevant needs. The credentials for logging in to these systems are variants of the following:
Username: issadmin
Password: (not reproduced in this document)
Vendor-supplied administrative passwords must be changed before the servers are connected to the network, and shared credentials should be kept in a password vault rather than in project documents. All servers will have appropriate security permissions set to prevent users from tampering with settings. The hardware far exceeds TFF's current needs but has been chosen so that it will perform its role for a minimum of five years before an upgrade is needed. The speed of the servers and computers is anticipated to exceed requirements, ensuring that the effectiveness of the company is not hindered. The switches are connected via a 1 Gb/s fibre-optic link which, depending on the provider, will be sufficient to handle all data on the current WAN.

Server and Networking Test
For server and network testing, the following tools are suggested:
Diagnostic
1. Wireshark
2. NetBrute Scanner
3. Cisco Network Manager
Security
1. LANguard
2. ZoneAlarm
DOS commands
1. ping
2. pathping
3. tracert
4. netstat
5. nslookup
Testing should focus on ensuring that data reaches its destination (such as the default-route router) in a timely manner, that the database and file server can be accessed in an acceptable timeframe, that failover methods such as secondary WAPs work, and that all devices on the network can be monitored. Example tests:
1. Remove/turn off the default-route router to the internet and confirm that the provider edge routers bring up a secondary route to the internet;
2. Turn off the primary Domain Controller and confirm that the backup DC carries the network (clients should still authenticate and resolve DNS against tffdc2; operations that depend on an FSMO role are only restored if the roles are seized);
3. Access the web server internally and externally; and
4. Confirm that the UPS units keep users running with little or no downtime during power outages.

Server Maintenance
Maintaining the hardware and software on servers is crucial to extending the lifespan of the devices and providing services in a timely manner. Server maintenance should occur regularly to keep system performance acceptable. It can mean applying Windows updates and patches or physically cleaning hardware. There should be strict guidelines for maintenance applied to servers, e.g. each Friday a set server is backed up, updates applied and the server rebooted. When there are issues with servers, the issue should be rectified as quickly as possible, the scenario reviewed and the relevant changes made to the server (if applicable) to prevent recurrence. The ongoing maintenance plan can be summarised as:
1. All relevant systems will be backed up once per month, prior to updates and patches being applied;
2. System logs will be monitored and reviewed periodically to ensure there are no issues with the service;
3. All systems will be rebooted one Sunday per month to ensure there are no lingering issues.
Management is to be consulted for any other changes required. Full details of changes are to be documented for historical purposes. The monthly cycle should be treated as a minimum; vendor security updates rated critical should be applied ahead of the next scheduled window.

Routing Policy
Routing policies need to be applied to ensure QoS and load balancing. Policies need to be set up for web traffic (HTTP 80/HTTPS 443), FTP (port 21) and other internal applications. The following routing policies are defined:

Packet Size
All routing policies are defined in the enterprise security software, currently McAfee, as follows:

Monitoring packet size and destination is imperative to ensure there are no network overloads or attacks from external parties. By placing size limits on traffic, such as the SMTP messages sent from Outlook, TFF can monitor and reduce malicious attacks on data.
Application
Monitoring the data sent by an application is important. The routing policies and the firewall settings need to be set up to allow only the desired connections to be established; this is imperative when hosting a web service such as online order forms. By employing an enterprise security product such as the McAfee security engine, the internal IT team can trace packet destinations and create firewall rules to either accept or deny requests:
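The port/protocol rules this section goes on to define (HTTP on 80, HTTPS on 443, FTP on 21 by explicit destination only, SMTP on 25 subject to size, Telnet on 23 denied except for 172.20.3.34:23) are easier to reason about as an ordered, default-deny rule list than as GUI screenshots. The following is an added example, not the report's McAfee configuration: it models those rules and evaluates constructed sample flows against them, and it checks the ordering, since an exception placed below the broad deny for the same port can never match. The subnets, the web server address and the Telnet exception are taken from the report; the size limits, the FTP destination and the sample flows are this example's assumptions.

```python
"""First-match, default-deny policy model for the TFF port/protocol rules.

Added example; not the report's or McAfee's configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
TFF_LAN = ipaddress.ip_network("10.128.0.0/16")          # covers all four site /24s
WEB_SERVER = ipaddress.ip_network("10.128.15.220/32")    # websvr.tff.com.au
KNOWN_FTP = ipaddress.ip_network("203.0.113.10/32")      # assumed explicit FTP entry
TELNET_EXCEPTION = ipaddress.ip_network("172.20.3.34/32")  # from the report


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    size: int = 0            # payload bytes, used by the size-limited rules


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    dport: Optional[int]     # None matches any port
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    max_size: Optional[int] = None   # allow rules with a limit deny larger flows
    note: str = ""

    def matches(self, f):
        return ((self.dport is None or f.dport == self.dport)
                and ipaddress.ip_address(f.src) in self.src
                and ipaddress.ip_address(f.dst) in self.dst)


# Order matters: explicit exceptions sit above the broad deny for the same port.
POLICY = [
    Rule("deny", 80, dst=WEB_SERVER, note="web app is HTTPS only"),
    Rule("allow", 80, src=TFF_LAN, note="HTTP via the default route"),
    Rule("allow", 443, max_size=1_000_000, note="HTTPS, size-filtered"),
    Rule("allow", 21, src=TFF_LAN, dst=KNOWN_FTP, note="known FTP destination"),
    Rule("deny", 21, note="FTP denied by default"),
    Rule("allow", 25, max_size=10_000_000, note="SMTP, filtered on size"),
    Rule("allow", 23, dst=TELNET_EXCEPTION, note="telnet exception"),
    Rule("deny", 23, note="telnet denied"),
]
# Same rules with the telnet pair swapped: the exception is now unreachable.
MISORDERED = POLICY[:6] + [POLICY[7], POLICY[6]]


def evaluate(flow, policy=POLICY):
    """Return (decision, reason) from the first matching rule; default deny."""
    for rule in policy:
        if not rule.matches(flow):
            continue
        if rule.action == "allow" and rule.max_size is not None and flow.size > rule.max_size:
            return "deny", f"{rule.note}: size {flow.size} exceeds {rule.max_size}"
        return rule.action, rule.note
    return "deny", "no rule matched (default deny)"


def shadowed_rules(policy):
    """Return (shadowed_note, shadowing_note) for rules an earlier rule fully covers."""
    found = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if (earlier.dport in (None, later.dport)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.max_size is None):
                found.append((later.note, earlier.note))
                break
    return found


# Constructed flows: a workstation browsing, an external client hitting the
# order form on 80 and 443, FTP to a known and an unknown host, an oversized
# SMTP message, telnet to the exception and to the DC, and SQL from the LAN.
SAMPLE_FLOWS = [
    Flow("10.128.15.100", "93.184.216.34", 80, 500),
    Flow("198.51.100.7", "10.128.15.220", 80, 300),
    Flow("198.51.100.7", "10.128.15.220", 443, 2000),
    Flow("10.128.16.101", "203.0.113.10", 21),
    Flow("10.128.16.101", "203.0.113.11", 21),
    Flow("10.128.15.221", "198.51.100.25", 25, 50_000_000),
    Flow("10.128.15.100", "172.20.3.34", 23),
    Flow("10.128.15.100", "10.128.15.10", 23),
    Flow("10.128.15.100", "10.128.15.12", 1433),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src, "->", f.dst, f.dport, evaluate(f))
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

The last sample flow is the one to notice: with only the listed ports defined, SQL from a workstation to sqlfs falls through to the default deny, so the "other internal applications" mentioned above need their own explicit rules before the policy is enforced, and the shadowing check should be run whenever a rule is moved.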
Whilst using the GUI is easier, users should be able to delve
into command line to perform testing. All policies need to be setup
in one universal program for ease of access, and must be able to be
altered by the IT team if needed. Port/Protocol Port 80: HTTP
Protocol At current there is only one default route to the web,
through the CPE router on the .15 network. All routing through the
WAN is setup via the provider, with redundancy links here. There is
an obsolete routing policy of the following:[Client IP address]
> 10.128.[Site].254 (CPE Router) > CPE Router >
10.128.15.254 > Internet In some cases, such as access to the
web application, Port 80 is filtered to only allow secure (https)
access. Port 443: HTTPS ProtocolHTTPS routes are only filtered for
content size to prevent DoS attacks and other malicious attacks.
The provider handles all routes for this protocol. Port 21: FTP
Protocol FTP is denied by default and only allows known
destinations (explicit entries) access to internal and external
hosts. Port 25: SMTP Protocol SMTP is accepted, based on packet
size. The default route for this is setup and only filtered when
large packets are sent, high volumes of packets or if the firewall
(or anti-virus) flags the packets as malicious. Port 23: Telnet
Telnet protocol is disabled/denied any access. The router rule adds
known exceptions such as:If the destination address is
172.20.3.34:23 then allow traffic, otherwise block. This policy can
be applied to ensure only applications with desired connections are
not refused. This policy relies on a firewall, router and
anti-virus solution for data integrity and security. Planning for
ImplementationThere are core services that need to function
correctly with routing policies, such as:1. Full functionality of
the internal DNS servers and DHCP services;2. Full
functionality/access to internal resources such as the SQL
Database;3. Full functionality/routing to local exchange servers
for E-mail. Because all sites function on the same WAN, applying
universal application-based routing rules and port/protocol rules
should be simple enough to achieve; in the internal WAN with no
cross-over IP ranges the MPLS method does not need to be employed.
All the routing for TFF can be done through the perimeter firewall
and applied to all sites. Testing for full accessibility to
internal resources, the web-sever from external resources and
E-Mail should occur before rolling out changes. CablingAll cabling
will be handled internally. Colour-coded RJ45 will be used on
switches to highlight servers, WAPS, Computer and phones. Ideally
on all switches, using the ports from left to right (0-12 and
25-36) will allow for easier scalability in the future. Fibre
converters (LC to SC) will be a universal option and will be
deployed on all newer switches. Cable ties will be applied on the
communications rack and zip ties for users cables. This will help
minimise damage to cables, mess and ultimately make easier to
monitor and maintain. ProtocolsSeveral different protocols will be
employed for TFF, such as HTTP(S), FTP and STP. Each protocol is a standard employed for an operation on the network.
HTTP/HTTPS (Hyper Text Transfer Protocol (Secure)): the set of rules for transferring files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web.
SSL (Secure Socket Layer): the standard security technology for establishing an encrypted link between a web server and a browser.
FTP (File Transfer Protocol): a standard network protocol used to transfer computer files from one host to another host over a TCP-based network, such as the Internet.
STP (Spanning Tree Protocol): a network protocol that ensures a loop-free topology for any bridged Ethernet local area network. The basic function of STP was to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also allowed a network design to include spare (redundant) links to provide automatic backup paths if an active link fails, without the danger of bridge loops or the need for manual enabling/disabling of these backup links.
SMTP (Standard Mail Transfer Protocol): an Internet standard for electronic mail (e-mail) transmission.
Each protocol utilises a standard port and can be defined as an application/protocol rule within an enterprise solution. By setting policies based on port usage, such as ftp.server.example:21, TFF can help ensure that users have no opening through which to penetrate the internal network.

Traffic Monitoring
Traffic
monitoring should occur for both security and review. Tools such as Microsoft Network Manager and Nagios will allow TFF to highlight bandwidth hogs or isolate issues with the network. By employing a monitoring solution such as Nagios, TFF is able to actively watch the services of all servers, switches and WAPs and identify minor issues that could escalate to larger problems if not attended to. By implementing another tool such as BandwidthD, TFF will be able to identify network usage by IP address or computer. This tool will allow TFF to ensure there are no DDoS attacks or other network problems that will hinder the performance for others. Nagios is a freeware tool that monitors statistics of infrastructure by sending SNMP requests to poll for information on current services, such as:
All hosts and services can be expanded for more detailed information on the issues and their history. By coupling this with site-hierarchy schemes, Nagios can effectively advise whether an entire network has gone down or just portions of it (such as wireless devices off WAP1). An example of the network monitor is shown as follows:
By coupling a monitoring solution such as Nagios with a database, TFF will be able to increase their overall system uptime and response to issues. It is also important to track usage of services for TFF, such as how much data is being used per PC and per protocol. Using BandwidthD to achieve this can help reduce network load by identifying and stopping known issues.
Overall, having live system monitoring can assist the internal IT department to highlight any issues within the network and attend to them before they cause implications for the business. Ensuring that critical IT services are operational is an imperative goal on any network.
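The site-hierarchy behaviour described above (Nagios distinguishing "the whole segment behind WAP1 is unreachable" from "WAP1 itself is down") can be modelled in a few lines. The following is an added illustration written for this page, not Nagios code and not part of the proposal; the host names, the parent/child topology and the poll results are constructed. It applies the rule Nagios uses for host parents: a host that fails its check is DOWN when at least one parent still answers, and UNREACHABLE when every parent has failed, so the operator sees one root cause instead of an alert for every device behind it.

```python
"""Nagios-style host status with parent/child hierarchy (added illustration).

Not Nagios code: it reproduces the parent rule so the effect of a
site-hierarchy scheme can be seen on a constructed topology.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Host:
    name: str
    parents: List[str] = field(default_factory=list)   # devices this host sits behind


# Constructed topology: core switch -> WAP1 -> wireless laptops, core -> file server.
TOPOLOGY: Dict[str, Host] = {
    "core-sw": Host("core-sw"),
    "wap1": Host("wap1", ["core-sw"]),
    "laptop-01": Host("laptop-01", ["wap1"]),
    "laptop-02": Host("laptop-02", ["wap1"]),
    "fileserver": Host("fileserver", ["core-sw"]),
}


def classify(topology: Dict[str, Host], check_results: Dict[str, bool]) -> Dict[str, str]:
    """Return {host: "UP" | "DOWN" | "UNREACHABLE"}.

    check_results maps host name -> True if the host answered its check.
    A missing entry is treated as a failed check.  A failed host is DOWN
    when at least one parent is UP (the path to it works, so the host itself
    is the problem) and UNREACHABLE when every parent has failed; hosts with
    no parents are monitored directly and can only be UP or DOWN.
    """
    status: Dict[str, str] = {}

    def state(name: str) -> str:
        if name in status:
            return status[name]
        host = topology[name]
        if check_results.get(name, False):
            status[name] = "UP"
        elif not host.parents or any(state(p) == "UP" for p in host.parents):
            status[name] = "DOWN"
        else:
            status[name] = "UNREACHABLE"
        return status[name]

    for name in topology:
        state(name)
    return status


def root_causes(status: Dict[str, str]) -> List[str]:
    """Hosts that are DOWN in their own right: what the on-call should look at."""
    return sorted(h for h, s in status.items() if s == "DOWN")


if __name__ == "__main__":
    # Constructed poll: WAP1 stopped answering, and so did everything behind it.
    results = {"core-sw": True, "wap1": False, "laptop-01": False,
               "laptop-02": False, "fileserver": True}
    st = classify(TOPOLOGY, results)
    for h, s in st.items():
        print(f"{h:12} {s}")
    print("root causes:", root_causes(st))
```

With the constructed poll only `wap1` is reported DOWN; the two laptops are UNREACHABLE, which is the signal that nothing is wrong with them individually.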
Security
Implementing firewalls per site is a key solution to maximise security against both external and internal attacks. This section highlights the security measures SkillageIT employs for clients.

Perimeter Designs
Implementing perimeter firewalls/security[5] is a crucial step to ensuring the internal network is safely guarded. The following network design highlights the flow of network traffic employed at TFF.
[5: https://technet.microsoft.com/en-us/library/cc700828.aspx]
Border routers and switches are referred to as CPE (Client Perimeter Equipment) in the document, and firewalls have not been highlighted. The figure above shows both the .15 network and the WAN, which can be defined as follows:
Note: for the purpose of illustrating the network, routing and IP address schemes have been omitted. It is also important to know common forms of attacks on networks, such as:
1. Packet sniffers/sniffing;
2. IP spoofing;
3. Denial of Service attacks (DoS);
4. Application layer attacks;
5. Virus attacks; and
6. Trojans.
All of the above attacks are expanded upon on the TechNet website. By employing strict policy guidelines, most attacks can be identified by clients. By employing a Class 4 high-end firewall TFF can obtain the following:
The advantages and disadvantages of this firewall are highlighted as follows:
Advantages:
- High performance: hardware firewall products are designed for a single purpose and provide high levels of intrusion-blocking together with the least degradation of performance.
- High availability: high-end hardware firewalls can be connected together for optimal availability and load balancing.
- Modular systems: both hardware and software can be upgraded for new requirements. Hardware upgrades may include additional Ethernet ports, while software upgrades may include detection of new methods of intrusion.
- Remote management: high-end hardware firewalls offer better remote management functionality than their low-end counterparts.
- Resilience: high-end hardware firewalls may have availability and resilience features, such as hot or active standby with a second unit.
- Application layer filtering: unlike their low-end counterparts, high-end hardware firewalls provide filtering for well-known applications at the L4, L5, L6, and L7 layers of the OSI model.
Disadvantages:
- High cost: high-end hardware firewalls tend to be expensive. Although they can be purchased for as little as $100, the cost is much higher for an enterprise firewall, since the price is often based on the number of concurrent sessions, throughput, and availability requirements.
- Complex configuration and management: because high-end hardware firewalls have much greater capability than low-end firewalls, they are also more complex to configure and manage.
Although this system can be more expensive and difficult to maintain than other firewall options, it covers all potential holes in the system. This system can be optimised to match IP policies, port policies, ICMP messages, outgoing access and application protection, and provides real-time alerts and logging for security review. By coupling this option with the remote management feature and VPN connectivity, TFF is able to maximise the security of internal and external access to systems. This option is the preferred option for TFF.
The following are known issues with employing a perimeter firewall and should be considered before selecting an enterprise solution:

Issue: Required firewall features, as specified by the security administrator.
Typical characteristics of a firewall implemented in this capacity: This is a balance between the degree of security required versus the cost of the feature and the potential degradation of performance that increased security may cause. While many organizations want the maximum security for a perimeter firewall, some are not willing to take the performance hit. For example, very high-volume Web sites not involved with e-commerce may allow lower levels of security, based on higher levels of throughput obtained by using static packet filters instead of application layer filtering.

Issue: Whether the device will be a dedicated physical device, provide other functionality, or be a logical firewall on a physical device.
Typical characteristics: As the gateway between the Internet and the enterprise's network, the perimeter firewall is often implemented as a dedicated device, in order to minimize the attack surface and accessibility of internal networks that would occur if the device were breached.

Issue: Manageability requirements for the device, as specified by the organization's management architecture.
Typical characteristics: Some form of logging is typically used, while an event monitoring mechanism is also often required. Remote administration may not be allowed here, in order to prevent a malicious user from remotely administering the device, and only local administration will be allowed.

Issue: Throughput requirements, which will likely be determined by the network and service administrators within the organization.
Typical characteristics: These will vary for each environment, but the power of the hardware in the device or server and the firewall features being used will determine the overall network throughput available.

Issue: Availability requirements.
Typical characteristics: As the gateway to the Internet in large enterprises, high levels of availability are often required, especially when a revenue-generating Web site is protected by a perimeter firewall.
If a perimeter firewall is set up per site, it is recommended[6] that the following settings be reviewed to ensure compliance with the master perimeter firewall:
[6: All information is sourced from TechNet, and is not written by SkillageIT]
- Deny all traffic unless explicitly allowed.
- Block incoming packets that claim to have an internal or perimeter network source IP address.
- Block outgoing packets that claim to have an external source IP address (traffic should only originate from bastion hosts).
- Allow UDP-based DNS queries and answers from the DNS resolver to DNS servers on the Internet.
- Allow UDP-based DNS queries and answers from the Internet DNS servers to the DNS advertiser.
- Allow external UDP-based clients to query the DNS advertiser and provide an answer.
- Allow TCP-based DNS queries and answers from Internet DNS servers to the DNS advertiser.
- Allow outgoing mail from the outbound SMTP bastion host to the Internet.
- Allow incoming mail from the Internet to the inbound SMTP bastion host.
- Allow proxy-originated traffic from the proxy servers to reach the Internet.
- Allow proxy responses from the Internet to be directed to the proxy servers on the perimeter.
Overall, SkillageIT recommends dual high-end firewalls for redundancy, as follows:
This can be achieved by deploying one device as the master firewall, with the secondary obtaining policy changes automatically as a mirrored firewall. This can be accomplished by employing a heartbeat setup where traffic is balanced between the firewalls:
The only downside of load balancing across firewalls is increased complexity (if mirroring does not occur) and increased pressure on a single firewall if one node goes down. The full breakdown of the advantages, disadvantages and setup can be viewed at: https://technet.microsoft.com/en-us/library/cc700828.aspx
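The TechNet rule list above reads as prose, but a perimeter policy is easiest to review when it is written as an ordered rule table and exercised against sample traffic. The block below is an added illustration written for this page; it is not SkillageIT's or Microsoft's code and is not a real firewall. It encodes the list as a first-match table behind two anti-spoofing checks and a default deny, and it also serves the port-based policy idea from the Protocols section (one rule per service and port). Every address is an assumption: RFC 1918 space stands in for TFF's internal ranges and the 192.0.2.0/24 documentation range for the perimeter network; none of them come from the proposal.

```python
"""Deny-by-default perimeter policy modelled as a first-match rule table.

Added illustration for this page (not a product's code, not a real filter).
Addresses are assumed: 10.0.0.0/8 = internal, 192.0.2.0/24 = perimeter.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]       # assumed internal LAN ranges
PERIMETER = [ipaddress.ip_network("192.0.2.0/24")]    # assumed perimeter network
DNS_RESOLVER = "192.0.2.10"     # forwards internal queries to the Internet
DNS_ADVERTISER = "192.0.2.11"   # answers Internet queries for the public zone
SMTP_OUT = "192.0.2.20"         # outbound mail bastion
SMTP_IN = "192.0.2.21"          # inbound mail bastion
PROXY = "192.0.2.30"            # web proxy

DNS, MAIL, WEB = frozenset({53}), frozenset({25}), frozenset({80, 443})


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving for it
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src: Optional[str] = None                 # None matches any address
    dst: Optional[str] = None
    sport: Optional[FrozenSet[int]] = None    # None matches any port
    dport: Optional[FrozenSet[int]] = None
    why: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and self.src in (None, p.src) and self.dst in (None, p.dst)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport))


# Explicit allows in the order of the TechNet list; anything else is denied.
ALLOW_RULES = [
    Rule("out", "udp", src=DNS_RESOLVER, dport=DNS, why="resolver queries Internet DNS"),
    Rule("in", "udp", dst=DNS_RESOLVER, sport=DNS, why="answers back to the resolver"),
    Rule("in", "udp", dst=DNS_ADVERTISER, dport=DNS, why="Internet clients/servers query the advertiser"),
    Rule("out", "udp", src=DNS_ADVERTISER, sport=DNS, why="advertiser answers"),
    Rule("in", "tcp", dst=DNS_ADVERTISER, dport=DNS, why="TCP DNS queries to the advertiser"),
    Rule("out", "tcp", src=DNS_ADVERTISER, sport=DNS, why="advertiser TCP answers"),
    Rule("out", "tcp", src=SMTP_OUT, dport=MAIL, why="outbound mail from the SMTP bastion"),
    Rule("in", "tcp", dst=SMTP_OUT, sport=MAIL, why="replies to the outbound SMTP bastion"),
    Rule("in", "tcp", dst=SMTP_IN, dport=MAIL, why="inbound mail to the SMTP bastion"),
    Rule("out", "tcp", src=SMTP_IN, sport=MAIL, why="inbound bastion replies"),
    Rule("out", "tcp", src=PROXY, dport=WEB, why="proxy-originated web traffic"),
    Rule("in", "tcp", dst=PROXY, sport=WEB, why="proxy responses from the Internet"),
]


def is_local(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL + PERIMETER)


def evaluate(p: Packet) -> Tuple[str, str]:
    """Return (action, reason). Anti-spoofing runs before any allow rule."""
    if p.direction == "in" and is_local(p.src):
        return "DENY", "spoofed: inbound packet with internal/perimeter source"
    if p.direction == "out" and not is_local(p.src):
        return "DENY", "spoofed: outbound packet with external source"
    for rule in ALLOW_RULES:
        if rule.matches(p):
            return "ALLOW", rule.why
    return "DENY", "default deny"


if __name__ == "__main__":
    # Constructed traffic: legitimate bastion flows plus a spoofed reply and a
    # workstation trying to reach the web directly instead of via the proxy.
    samples = [
        Packet("out", "udp", DNS_RESOLVER, "198.51.100.53", 40000, 53),
        Packet("in", "udp", "10.0.0.5", DNS_RESOLVER, 53, 40000),
        Packet("out", "tcp", "10.0.5.7", "198.51.100.80", 50000, 443),
        Packet("out", "tcp", PROXY, "198.51.100.80", 50000, 443),
        Packet("in", "tcp", "203.0.113.9", SMTP_IN, 50000, 25),
        Packet("in", "tcp", "203.0.113.9", SMTP_OUT, 50000, 25),
    ]
    for s in samples:
        print(f"{s.direction:3} {s.proto} {s.src}:{s.sport} -> {s.dst}:{s.dport}  {evaluate(s)}")
```

Two behaviours are worth noticing when the samples run: a workstation in the internal range going straight to the Internet on 443 falls through to the default deny (only the proxy bastion may originate web traffic), and a reply packet that arrives from the Internet with an internal source address is dropped by the anti-spoofing check before any DNS rule is consulted.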
Remote Access
Remote access to internal web applications runs via a Citrix XenApp server; mstsc.exe is defined as blocked on the firewall for any external access, for example someone trying to connect from outside to a known internal IP address. Remote access on all computers is disabled and requires administration credentials to enable. To remote to any server, or telnet to any switch or WAP, you must have elevated privileges such as Domain Administrator. Due to strict policies the only method to use RDP from a non-admin account is via the Citrix XenApp application, which can be accessed at remote.tffmstsc.com (a public DNS name that points to this specific program). The decision to patch RDP is supported by the following TechNet article[7]:
"The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk."
[7: https://technet.microsoft.com/library/security/ms12-020]
The requirement for remote support within TFF can be handled with third-party software such as LanDesk, which notifies the end user if someone is accessing their computer remotely.

Site To Site Links and VPN
Setting up an internal intranet VPN will allow site-to-site communication throughout the WAN (Wide Area Network). VPN and associated protocols are defined[8] as follows:
[8: https://technet.microsoft.com/en-us/library/cc771298(WS.10).aspx]
"Tunneling enables the encapsulation of a packet from one type of protocol within the datagram of a different protocol. For example, VPN uses PPTP to encapsulate IP packets over a public network, such as the Internet. A VPN solution based on Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), or Secure Socket Tunneling Protocol (SSTP) can be configured. PPTP, L2TP, and SSTP depend heavily on the features originally specified for Point-to-Point Protocol (PPP). PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames and then transmits the encapsulated PPP packets across a point-to-point link. PPP was originally defined as the protocol to use between a dial-up client and a network access server."
PPTP (Point-to-Point Tunnelling Protocol) can be employed for site-to-site VPN tunnels. This protocol was selected as the best fit for TFF, given the following characteristics:
"PPTP can be used with a variety of Microsoft clients including Microsoft Windows 2000, Windows XP, Windows Vista, and Windows Server 2008. Unlike L2TP/IPsec, PPTP does not require the use of a public key infrastructure (PKI). By using encryption, PPTP-based VPN connections provide data confidentiality (captured packets cannot be interpreted without the encryption key). PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user)."
Whilst this protocol does not ensure data has not been tampered with in transit, the ease of management and setup compared to other protocols outweighs this risk. It is SkillageIT's belief that the encryption method of PPTP is sufficient, as follows:
"The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys generated from the MS-CHAP v2 or EAP-TLS authentication process. Virtual private networking clients must use the MS-CHAP v2 or EAP-TLS authentication protocol in order for the payloads of PPP frames to be encrypted. PPTP is taking advantage of the underlying PPP encryption and encapsulating a previously encrypted PPP frame."
The process for the encapsulation of such packets can be defined as follows:
An example[9] of how this encapsulation occurs is as follows:
[9: Refer to appendix for another example]
The PPTP packet leaves the PE router and connects to the Internet, only to be redirected to a VPN server which passes the packet on to an internal router, allowing site-to-site connection.
Note: no integrity check (by default) occurs between the connection from the Internet to the VPN server.
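The difference between "confidentiality" and "integrity" that the quoted TechNet text draws is concrete enough to show in code. The block below is an added illustration written for this page; it is not Microsoft's MPPE implementation and not SkillageIT's code. It models the property MPPE has (a stream cipher applied to each PPP frame with no integrity check) using a keystream derived from HMAC-SHA256 in counter mode, which is an assumption of the illustration rather than MPPE's actual RC4 keystream. It then shows what a tunnel that does provide integrity (IPsec ESP under L2TP, or SSTP over TLS) adds: a keyed tag that the receiver checks before trusting the frame. Keys, nonce and the frame payload are constructed.

```python
"""Encrypted is not the same as tamper-proof (added illustration).

Not MPPE: the keystream here is HMAC-SHA256 in counter mode so the example
runs from the standard library.  The property being shown is the same one
the proposal quotes: a stream cipher with no integrity check lets a frame
that was modified on the public hop decrypt without any error.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC(key, nonce || counter) blocks concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_no_integrity(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream, like a PPP frame under MPPE."""
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt_no_integrity = encrypt_no_integrity   # XOR is its own inverse


def tamper(ciphertext: bytes, index: int) -> bytes:
    """Model a change on the public hop: one bit of the ciphertext is flipped."""
    b = bytearray(ciphertext)
    b[index] ^= 0x01
    return bytes(b)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the integrity protection an IPsec/TLS based tunnel adds."""
    ct = encrypt_no_integrity(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, sealed: bytes):
    """Verify the tag first; return None (reject) if it does not match."""
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_no_integrity(enc_key, nonce, ct)


def demo() -> dict:
    """Run both variants over a constructed frame and report what the receiver sees."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    frame = b"SITE2 ORDER 1042 QTY 100"          # constructed PPP payload
    ct = encrypt_no_integrity(enc_key, nonce, frame)
    received = decrypt_no_integrity(enc_key, nonce, tamper(ct, 9))
    sealed = seal(enc_key, mac_key, nonce, frame)
    return {
        "silent_change": received != frame,        # altered data, no error raised
        "still_decrypts": len(received) == len(frame),
        "sealed_ok": open_sealed(enc_key, mac_key, nonce, sealed) == frame,
        "sealed_tamper_rejected": open_sealed(enc_key, mac_key, nonce, tamper(sealed, 9)) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

The first variant is the situation the proposal accepts: the VPN server decrypts the altered frame and hands changed data to the internal router with nothing to flag it. The second variant rejects the frame before decryption, which is what "data integrity" buys and what the risk acceptance above is trading away.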
To effectively deploy site-to-site VPN, TFF need to identify the
known hardware requirements to have an operational connection. The
minimal requirements for Site-To-Site VPN are perimeter VPN
firewalls on each site to create the locked tunnel, routers on each
site that can support the required routing policies and a network
connection that does not time out in sending packet site to site.
Note: Firewall and Routers can be one device and function as
both.
Defence In Depth
Defence in Depth (also known as the Castle Approach) is an information assurance (IA) concept in which multiple layers of security controls (defence) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited, covering the personnel, procedural, technical and physical aspects of the system for the duration of its life cycle. Security measures can be applied on 7 levels, as below:

Policies and Procedures
The outer layer of defence is based around awareness. By providing policies for user security (password sets, file passwords etc.) and making users aware of phishing links, spam e-mail and other malicious attacks that require user input, TFF can considerably increase their security.

Physical
Physical security refers to access to internal infrastructure such as file servers, laptops and other devices. By ensuring that only relevant users have access to the hardware, data theft, corruption or network alterations are less likely to occur.

Perimeter
Perimeter security usually refers to firewall protection on perimeter networks. This has been covered in the Perimeter Designs section of this report. Having a perimeter firewall and an internal firewall allows packets to be tested multiple times to ensure only requested data is able to enter the internal network; for more information on perimeter networks refer to https://technet.microsoft.com/en-us/library/cc700828.aspx.

Internal Network
Internal network security consists of firewalls, logging and auditing, encryption and packet filtering. This security layer should be set up to prevent any unknown access to internal resources, and must be monitored in real time for maximum security.
Host
Host security can refer to many different technologies, such as firewalls, packet filtering and anti-virus software. At this level, HIPS (Host Intrusion Prevention Systems) should be applied (either directly from an enterprise solution or as a firewall option) to protect against malware that attempts the following:
- Taking control of other programs, for example sending mail using the default mail client, or sending your browser to a certain site to download more malware.
- Trying to change important registry keys, so that the program starts at certain events.
- Ending other programs, for example your virus scanner.
- Installing devices or drivers, so that they get started before other programs.
- Interposing on memory access, so it can inject malicious code into a trusted program.
HIPS is a sub-category of IPS (Intrusion Prevention Systems) that monitors local events on systems (hosts) for suspicious activity, and then applies policies defined by the administrator, such as blocking changes to start-up entries. HIPS is usually an option to be enabled from an anti-virus solution, such as McAfee:
Further information can be accessed through the following resources:
http://en.wikipedia.org/wiki/Intrusion_prevention_system
http://www.techsupportalert.com/content/hips-explained.htm
Application
Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats. The application layer can consist of the following[10]:
[10: http://en.wikipedia.org/wiki/Application_security]
To ensure there are no issues with application security, secure strategies (protocols such as HTTPS over HTTP, SSH over Telnet) and sufficient services must be applied. An application firewall is an example of a security measure that can be employed to ensure any data breaches/connections are denied and recorded. The application firewall's rules can fall under the following:
These rules can be applied by source location, destination location, service, authentication and QoS. By employing strict policies on this layer, the internal IT team can ensure that malicious code from external sources does not get in, and that if internal code is executed, it will be blocked at the client-edge firewall per site.

Security Auditing
Security auditing should be applied for applications that create a denied connection, or receive a block on the firewall due to a protocol/destination request. By coupling this logging with the anti-virus log, system administrators are able to identify potential security threats to the system. McAfee Enterprise Security features a Next Generation Firewall that is able to assist with policy and protection, and maintain logs and events for system engineers to review.

Risk Analysis
When it comes to internal network monitoring
and risk analysis, critical IT services need to be identified. The key steps of a risk analysis can be identified as follows:
1. Plan and prepare the risk analysis.
2. Define and delimit the system and the scope of the analysis.
3. Identify hazards and potential hazardous events.
4. Determine causes and frequency of each hazardous event.
5. Identify accident scenarios (i.e. event sequences) that may be initiated by each hazardous event.
6. Select relevant and typical accident scenarios.
7. Determine the consequences of each accident scenario.
8. Determine the frequency of each accident scenario.
9. Assess the uncertainty.
10. Establish and describe the risk picture.
11. Report the analysis.
12. Evaluate the risk against risk acceptance criteria.
13. Suggest and evaluate potential risk-reducing measures.
[Figure 3: Bow-tie diagram of risk management]
Some of the key risks associated with TFF are as follows:
1. Failed connection to primary or secondary DC(s), and in turn DHCP and DNS;
2. Failed connection(s) to internal Exchange servers;
3. Failed connection(s) to the .15, .16, .17 and .18 networks, limiting all traffic internally.
SkillageIT have identified all known risks to the customer in the cutover/migration of the network and have listed them in a separate document. The following management process was performed to define all risks and apply appropriate solutions:
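The Security Auditing section above proposes coupling the firewall's deny log with the anti-virus log so that administrators can pick out the hosts that matter. The block below is an added example written for this page; it is not McAfee's code and not part of the proposal. The two log formats, the hosts and the timestamps are constructed for the illustration (a real firewall or AV product writes its own format, so the two regular expressions would need adjusting), and the burst threshold and ten-minute window are assumptions to tune per site. It counts denied connections per source host inside a sliding window, joins them with AV detections for the same host, and ranks the result so that a host with both signals comes first.

```python
"""Correlate firewall denies with anti-virus events per host (added example).

Log formats, hosts and thresholds are constructed; not a product's code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample logs (ISO 8601 timestamps, RFC 1918 / documentation addresses).
FIREWALL_LOG = """
2015-02-27T09:12:01 DENY src=10.0.5.7 dst=203.0.113.9 proto=tcp dport=445 rule=default-deny
2015-02-27T09:12:03 DENY src=10.0.5.7 dst=203.0.113.9 proto=tcp dport=135 rule=default-deny
2015-02-27T09:12:05 DENY src=10.0.5.7 dst=203.0.113.9 proto=tcp dport=3389 rule=default-deny
2015-02-27T09:12:09 DENY src=10.0.5.7 dst=203.0.113.9 proto=tcp dport=22 rule=default-deny
2015-02-27T09:13:00 ALLOW src=10.0.5.7 dst=192.0.2.30 proto=tcp dport=8080 rule=proxy
2015-02-27T09:30:00 DENY src=10.0.5.8 dst=198.51.100.5 proto=udp dport=123 rule=default-deny
2015-02-27T08:01:00 DENY src=10.0.5.9 dst=198.51.100.5 proto=tcp dport=25 rule=default-deny
2015-02-27T08:40:00 DENY src=10.0.5.9 dst=198.51.100.5 proto=tcp dport=25 rule=default-deny
2015-02-27T09:20:00 DENY src=10.0.5.9 dst=198.51.100.5 proto=tcp dport=25 rule=default-deny
""".strip().splitlines()

AV_LOG = """
2015-02-27T09:10:44 host=10.0.5.7 threat=Generic.Downloader action=quarantined
2015-02-27T07:55:10 host=10.0.5.12 threat=EICAR-Test-File action=deleted
""".strip().splitlines()

FW_RE = re.compile(r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=\S+ proto=\w+ dport=(?P<dport>\d+)")
AV_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) threat=(?P<threat>\S+)")


def parse(lines: List[str], pattern: "re.Pattern") -> List[dict]:
    """Return matching lines as dicts; lines in any other format are skipped."""
    events = []
    for line in lines:
        m = pattern.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def peak_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def correlate(fw_lines: List[str], av_lines: List[str], deny_threshold: int = 3,
              window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Hosts with a burst of denies, an AV detection, or both, keyed by address."""
    denies, threats = defaultdict(list), defaultdict(set)
    for e in parse(fw_lines, FW_RE):
        denies[e["src"]].append(e)
    for e in parse(av_lines, AV_RE):
        threats[e["host"]].add(e["threat"])

    findings = {}
    for host in set(denies) | set(threats):
        peak = peak_in_window([e["ts"] for e in denies[host]], window)
        if peak >= deny_threshold or threats[host]:
            findings[host] = {
                "peak_denies": peak,
                "ports": sorted({int(e["dport"]) for e in denies[host]}),
                "threats": sorted(threats[host]),
            }
    return findings


def prioritise(findings: Dict[str, dict]) -> List[str]:
    """AV-confirmed hosts first, then by the size of the deny burst."""
    return sorted(findings, key=lambda h: (bool(findings[h]["threats"]),
                                           findings[h]["peak_denies"]), reverse=True)


if __name__ == "__main__":
    found = correlate(FIREWALL_LOG, AV_LOG)
    for host in prioritise(found):
        print(host, found[host])
```

Two edge cases in the constructed data show why the window matters: 10.0.5.9 has three denies, but spread over eighty minutes, so it never reaches the threshold and is left alone, while 10.0.5.7's four denies within eight seconds to four different ports, combined with a quarantine event a minute earlier, put it at the top of the list.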
Documentation
All documentation is to be housed on premise so that relevant access can be granted. The following lists the method of documentation for TFF.

Vendor Documentation
Documentation on the hardware (and/or software) used will be stored centrally to allow access. Documentation on known faults, updates and/or technical support forums should also be listed. For any material found online that is of relevance, links should be housed for later review.

In House Documentation
Any information on the systems (roles, changes, hardware, configuration) should also be stored so that any member of the internal IT team (or relevant managers) has access to it. This document should contain the following information:
1. The purpose of the document and what it aims to cover;
2. History of changes/outdated information;
3. References to either users or material;
4. Clear information on the system (IP addresses, passwords etc.); and
5. Any known issues/changes since the previous document.
This information should be regularly reviewed to ensure that any member of the IT support team can administer changes to systems if needed.
Appendix
Server Requirements
According to Microsoft, the minimal hardware requirements for Windows Server 2008 are as follows:
Coupled with an SQL database, which requires the following hardware:
The System76 systems are custom built (overkill) with their hardware; this hardware is sufficient to house multiple virtual servers and can support growth of the company.

Site-To-Site VPN
Secondary example of how Site-To-Site VPN encapsulation and packet delivery occurs:

Appendix I Windows Server 2013 Key Features
With the release of Windows Server 2012, there were also major updates in the file system, data retention and security. However, the three main benefits of the Microsoft server are as follows:
Data Deduplication: Microsoft has refined their file system and compression techniques for data storage. Data deduplication is as it says: a technique to prevent data duplication. With this technique implemented on file servers and other storage facilities, clientele are able to save storage space on their systems, not only making indexing and general performance better, but saving money on storage requirements.
Hyper-V 3.0: Hyper-V (formerly referred to as Windows Server Virtualization) is a virtualization client; it allows Windows to create virtual machines/environments. The main benefit of Hyper-V is running a server centrally, yet allowing multiple guests to remote to the server, run applications and act as if they were logged into the PC directly. Enabling a server that can run Hyper-V will cut the cost of purchasing multiple copies of software and of purchasing (and maintaining) several physical server/client computers, and also allows for centralized security.
Server Management: Server Manager is a tool implemented from Microsoft Server 2008 that helps IT administrators set up and maintain servers in a friendly manner. A full guide to setting up and using Server Manager can be located on the TechNet site (http://bit.ly/1zdYP4y).
Each of the following assessment criteria is scored on the same five-level scale:
4 points: Candidate displays significant engagement with the learning materials, conveys an exemplary transfer of knowledge and skills gained.
3 points: Candidate displays good engagement with the learning materials, conveys an accomplished transfer of knowledge and skills gained.
2 points: Candidate displays engagement with the learning materials, conveys a developing transfer of knowledge and skills gained.
1 point: Candidate displays poor engagement with the learning materials, conveys beginning level transfer of knowledge and skills gained.
0 points: Candidate does not address any of the learning materials, conveys no transfer of knowledge and skills gained.
Criteria:
- Gather data to identify business requirements
- Translate business needs into technical requirements
- Acquire system components
- Evaluate and negotiate vendor offerings
- Match IT needs with the strategic direction of the enterprise
- Configure an internet gateway
- Identify best-fit topology for a wide area network
- Create network documentation
- Develop detailed technical design
- Create technical documentation
- Identify and resolve client IT problems
- Support small scale IT projects
- Develop and present feasibility reports
- Confirm system specifications
- Design network diagrams and checklists
significant engagement with the learning materials, conveys an
exemplary transfer of knowledge and skills gained4pointsCandidate
displays good engagement with the learning materials, conveys an
accomplished transfer of knowledge and skills
gained3pointsCandidate displays engagement with the learning
materials, conveys a developing transfer of knowledge and skills
gained2pointsCandidate displays poor engagement with the learning
materials, conveys beginning level transfer of knowledge skills
gained1pointsCandidate does not address any of the learning
materials, conveys no transfer of knowledge skills
gained0points
Contribute to development of program specificationsCandidate
displays significant engagement with the learning materials,
conveys an exemplary transfer of knowledge and skills
gained4pointsCandidate displays good engagement with the learning
materials, conveys an accomplished transfer of knowledge and skills
gained3pointsCandidate displays engagement with the learning
materials, conveys a developing transfer of knowledge and skills
gained2pointsCandidate displays poor engagement with the learning
materials, conveys beginning level transfer of knowledge skills
gained1pointsCandidate does not address any of the learning
materials, conveys no transfer of knowledge skills
gained0points
Prepare documentation for publicationCandidate displays
significant engagement with the learning materials, conveys an
exemplary transfer of knowledge and skills gained4pointsCandidate
displays good engagement with the learning materials, conveys an
accomplished transfer of knowledge and skills
gained3pointsCandidate displays engagement with the learning
materials, conveys a developing transfer of knowledge and skills
gained2pointsCandidate displays poor engagement with the learning
materials, conveys beginning level transfer of knowledge skills
gained1pointsCandidate does not address any of the learning
materials, conveys no transfer of knowledge skills
gained0points
Thursday, 9 April 2015C:\Users\mnancarrow\Dropbox\Cert IV in
Network Security\Current\Small Office Upgrade\Proposed Small
Network Upgrade_Version2.docx