Graded Unit HND Computer Networking

Lewis Chandler 2017-05-08 Dundee & Angus College

Table of contents

Planning
1.1 Analysis of the project assignment brief
1.1.1 Problem analysis
1.1.2 Aims of the project assignment
1.1.3 Requirements
1.1.4 Key factors
1.1.5 Resources and materials
1.1.6 Information sources
1.1.7 Analysis
1.2 Project plan
Development
2.1 Developing
2.1.1 Implementing the planned solution
2.1.1.1 PC Choice & Monitor Choice
2.1.1.2 IP Phone Choice
2.1.1.3 Printers
2.1.1.4 Router choice
2.1.1.5 Switches
2.1.1.6 Cabling
2.1.1.7 Servers
2.1.1.8 Firewall
2.1.1.9 Wireless Access Points
2.1.2 Network devices
2.1.3 Network redesign
2.1.4 Common Protocols
2.1.5 Implementing wireless network in a secure manner
2.1.6 Threats and Vulnerabilities
2.1.6.1 Common malware
2.1.6.2 Types of attacks
2.1.6.3 Mitigation and Deterrent techniques
2.1.6.4 Penetration testing versus vulnerability scanning
2.1.7 Review Application, Data and Host Security
2.1.8 Review Access control and identity management
2.2 Testing the implemented solution
2.3 Managing the Project
Evaluation
3.1 Outline of the Assignment
3.1.1 Growth and network
3.1.2 Access to software
3.1.3 Security and restrictions
3.1.4 Access to services
3.2 Strengths and Weaknesses
3.3 Recommendations
3.4 Modifications
3.5 Knowledge and skills
Sources

Planning

1.1 Analysis of the project assignment brief

1.1.1 Problem analysis

The company TechRep is a computer repair and reseller business in the East of Scotland. They have asked our company to redesign their network in readiness for their planned expansion. Currently they operate only in the UK but are looking to expand globally, and will need systems in place to facilitate this. At the moment they have 56 members of staff spread across 3 locations in South East Scotland. Their current network is too slow and unreliable even for present staff numbers, let alone their planned expansion. At present they have an ad-hoc network, meaning all computers are connected to each other in a peer-to-peer fashion with no central server. This is unsuitable for any network of reasonable size, as the unreliability of their current network shows. They plan to expand by 80% in the next 5 years and so need a network that can keep up with their needs and works properly.

They have also raised the issue of security. As discussed in the project brief, they have recently suffered denial of service attacks. This will need to be addressed before they grow, as a larger company is a more attractive target. Data corruption was also outlined; they have had problems with it in the past, and it has affected their profits. They wish to mitigate this as they have seen an increase in attacks on their network.

The managers have also requested separate permissions on files and folders so that they can access the files of staff in their department. The network should also have the ability to control what different members of staff have access to.

1.1.2 Aims of the project assignment

The two major aims of the project are to secure the network and to future-proof it for the company's projected growth.

Network security will be achieved by implementing firewalls and access control lists. The firewall will block unsolicited access to the network from the internet, and DDoS and DoS protection will be added so that TechRep is less susceptible to attacks, minimising downtime so they can keep working. The password policy also matters: it should be strong enough to deter potential attackers but simple enough that people can remember their passwords without writing them down. Another aspect to consider is physical security. If we have a server on site holding AD and other services, it is a potential target for thieves and needs a locked room; if we use a data centre or cloud service, on-site security is handled by the provider.

The aim of future proofing the network and other hardware is that it should last at least 5 years through the projected 80% expansion. We will know we have achieved this if the PC's meet the requirements listed below. Before TechRep approached us, they did an internal survey of how their staff use their current PC's; the results are shown below.

This shows us how best to allocate the budget and how to get the right PC's for the job. The best way to achieve this is to purchase new networked PC's which are capable of basic tasks and specified generously enough to last through the predicted expansion of about 5 years. These tasks include, at the very minimum, running an office suite. The details are outlined under Requirements.
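As an added example (not part of the original report), the following PowerShell shows how the password policy described above can be enforced in Active Directory: a default domain policy for staff, a stricter fine-grained policy for privileged accounts, and a check of what a given user actually ends up with. The domain, the group name "IT-Admins", the user names and the specific thresholds are assumptions chosen for illustration.

```powershell
# Added example, not from the original report. Assumes a domain controller
# with the ActiveDirectory module, the built-in "Domain Admins" group and an
# assumed group "IT-Admins" holding the other privileged accounts.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# Staff policy: length over frequent rotation, and a lockout threshold high
# enough that a user mistyping a few times is not locked out.
# Lockout is itself a denial-of-service lever: an attacker who knows the
# usernames can lock every account by guessing wrong on purpose, so the
# threshold is paired with a short automatic unlock rather than a manual one.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -ReversibleEncryptionEnabled $false

# Privileged accounts get a stricter fine-grained password policy (FGPP).
# A lower precedence number wins if a user falls under several policies.
$fgpp = 'Privileged-Accounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$fgpp'")) {
    New-ADFineGrainedPasswordPolicy -Name $fgpp -Precedence 10 `
        -MinPasswordLength 20 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 180) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $fgpp -Subjects 'Domain Admins', 'IT-Admins'
}

# Verify what applies to one account: the resultant policy is the FGPP if one
# covers the user, otherwise the default domain policy.
function Get-EffectivePolicySummary {
    param([string]$SamAccountName)
    $p = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $source = 'Default domain policy'
    if ($p) { $source = $p.Name } else { $p = Get-ADDefaultDomainPasswordPolicy }
    [pscustomobject]@{
        User             = $SamAccountName
        Source           = $source
        MinLength        = $p.MinPasswordLength
        LockoutThreshold = $p.LockoutThreshold
    }
}

Get-EffectivePolicySummary -SamAccountName 'jsmith'        # ordinary staff account (assumed name)
Get-EffectivePolicySummary -SamAccountName 'admin-jsmith'  # privileged account (assumed name)
```

The check at the end is the part to keep in a deployment runbook: a fine-grained policy only applies to the accounts in its subject list, so a privileged account that was never added to "IT-Admins" silently falls back to the staff policy, and the summary makes that visible.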

1.1.3 Requirements

These are the main points they have asked us to take into consideration, along with an idea for a solution to each.

● Each member of staff should have their own networked PC.
○ This can be solved by procuring the right PC for the job, making sure the specification meets TechRep's minimum requirements. Buying decent hardware now will future proof the company's hardware for the expansion.
○ In order to run an office suite, a basic computer is all that is needed at minimum. These generally do not cost much and meet most requirements, but they tend not to be very future proof and often break easily because of low manufacturing costs. They come in form factors from tiny (credit card sized) to small (shoebox sized). There is also the option of thin clients: a small (book sized) box with a keyboard, mouse and monitor, where the actual compute power is on a server elsewhere in the building. This sort of setup is generally expensive to set up, but it is one of the easiest to expand, as adding another user only means buying another thin client, which is cheaper than a standalone PC.
○ Mid-tier prebuilt computers (towers) are suited to light to medium tasks such as running an office suite, browsing the internet, and perhaps running proprietary software such as a website builder or accounting software. These can be specified to be fairly future proof, meaning they will last a good amount of time, while still being fairly inexpensive. The downsides are that they cost a fair amount per computer and are harder to manage than a thin client fleet, but they are the best fit for memory-hungry tasks such as heavy browser use.
○ Each PC will require a monitor. Common sizes are 19", 21" and 24". Larger screens usually have a higher resolution and therefore a clearer view of the work. Price varies widely with panel technology (IPS or TN). IPS is the more expensive option but is known for better colour reproduction and viewing angles, which matters to someone who works with colour, such as photo editing, and for conference room screens that everyone needs to see properly. TN is a more mature, cheaper technology with poorer colour reproduction and slightly worse viewing angles. Screen size is also a factor: a bigger screen gives more working space, while a smaller screen is cheaper and takes less desk space. Employees doing space-intensive work such as spreadsheets and website building may benefit from a second monitor. The common aspect ratio is 16:9, which gives the best compatibility with programs; resolution depends on screen size.
○ Another option is laptops, for employees who need mobility, such as managers. These usually cost more than a desktop of the same specification, but are smaller.
○ For the operating system, Microsoft Windows is the most widely used. This is an advantage for program compatibility, but for the same reason it is the most targeted by malware, so anti-malware software is required, often on a subscription. Windows is also licensed per PC, which across many PC's can be a sizeable part of the budget. Apple's macOS is a proprietary operating system that comes with Apple's PC's. These are often seen as expensive for what you get, but they are popular with creative staff for their workflow and see less malware. The last option is a Linux distribution, which is free. Linux desktops are the least compatible with commercial programs, as they make up a tiny proportion of users, and for the same reason are targeted by far less malware; that does not make them immune, but because programs are installed and updated from signed repositories they are easy to keep patched. Some common distributions are Ubuntu, Mint, Debian and Arch.

● All staff require access to a generic office suite.

○ Microsoft Office is available either by subscription (Office 365) or as a one-off payment. Other suites such as WPS Office, OpenOffice or LibreOffice are available. These can be installed on most PC's, depending on the operating system.

● Sales staff require access to sales ledger software and a specialised contact management and sales tracking package.
○ Sage ledger software is a popular suite used by many companies all over the world. Sage also offer other packages such as payroll and accounting software.

● Each member of staff should have their own private file storage.
○ Currently, staff share files in an ad-hoc fashion by browsing each other's computers, all using the same admin username and password. This is very insecure: one shared credential means there is no way to tell who did what, and a single compromised machine exposes every other machine on the network. It also gets very complicated having to know which computer has which file on it. To share files with other offices they email them, but with increasing file sizes this is becoming impossible. My plan is for every member of staff to have private storage on a file server, which can be achieved in several ways. A single physical drive per employee would be easy to set up but very costly and wasteful. Virtual drives per employee can be divided up depending on how much storage is available and easily changed when a new employee is taken on. The last option is a file server per location, with each employee assigned space on it depending on their job role or needs, enforced with per-user quotas. This is the most flexible: new employees can be added easily, a leaver does not disrupt other users, and unused space can be picked up by users who need more.

● Managers require access to all files, including private files, belonging to staff within their department.
● The Managing Director also requires access to all files, including private files, for the entire company.
○ Both requirements are a permissions problem rather than a storage problem, and the answer is the same whichever storage layout is chosen. If each employee has a single drive or a virtual drive, the permissions on that drive can list several users. If a user is allocated a folder on a shared drive, folder permissions can be set for several users. In either case the permissions are managed through Active Directory: rather than naming individual managers on every folder, a security group per department (the managers of that department) and one group for the directors are granted access, and each staff folder carries those entries. That gives the hierarchical model required: staff see only their own folder, department managers see their whole department, and the Managing Director sees everything.

● The Sales Manager requires access to website development software.

○ Website development software can be as simple as a text editor or as elaborate as specialised software. At the bottom, a simple text editor with plain HTML and CSS will get the job done but is not very friendly to new users. Enhanced text editors such as Notepad++ or Vim add syntax colouring so that tags, variables and other important details stand out, making the code more readable. Specialised software for website building such as Adobe Dreamweaver makes it easier to write code for the website and

● Suggestions are required for hosting of the web server.
○ Options for web hosting include a dedicated server to handle web traffic, possibly with a second internet connection so that it does not interrupt office work, and cloud hosting, which is usually preferable as it is cheaper to set up. The advantage of your own server is complete control over everything; with cloud hosting you just provide the website you want hosted, and the provider handles the server and its patching. Either way the web server should not sit on the office LAN, so that a compromised website cannot be used as a way into the internal network.

● DNS, AD, DHCP, Email, Web, Backup, Storage require consideration.
○ Usually an on-site server handles most of these services, as it is the fastest option and gives the most control. Alternatives include cloud services or a data centre. Not all services can be handled off site, and some, such as DNS and DHCP, can be handled by a router; however, Active Directory depends on its own DNS, so the domain controller should host DNS for the internal domain, and running DHCP on the server as well keeps client DNS records registered as addresses are handed out.

● Purchasing staff require access to purchase ledger software.
○ DeFacto Software and other companies provide software made specifically for purchase ledger and sales.

● One member in each branch of the accounts department should have access to a standard accounting package, and another member should have access to a payroll package.
○ Sage Accounting offer suitable software, but there are other options if this does not suit.

● All staff should have full internet access, with the exception of the Warehouse staff, for whom all social media sites should be restricted.
○ To separate the two levels of internet access, the warehouse will be on its own VLAN so that its traffic can be treated differently at the firewall. Note that a plain layer-3/4 access control list matches IP addresses and ports, not website categories, and social media sites change addresses constantly, so the actual blocking has to be done by a web content filter (URL or category based, whether on the firewall or a proxy) applied to the warehouse VLAN; the ACLs then control which networks may reach which internal services.

● All staff apart from the Warehouse staff should have IP Phones on their desks. Warehouse staff will have 2 positioned within the Warehouse.
○ The IP phones can be installed in switch mode, so we only need to install one cable for both the PC and the IP phone, reducing costs. The phone tags its own traffic onto a separate voice VLAN while passing the PC's traffic through untagged on the data VLAN, so voice and data stay separated even though they share a cable.

● Full email facilities are required for all staff.
○ Email can be provided through a hosted service such as Microsoft's (Exchange Online with Outlook) or Gmail, or run under a custom domain on our own server. The hosted services have a monthly cost per user, as a trade-off for ease of setup and usability. Running mail under a custom domain on our own server is harder to set up, but usually has lower running costs in the long run. Applications such as Mozilla Thunderbird or Microsoft Outlook provide the client front end in either case.

● Each department should have its own printer, with access restricted to members of that department.
○ A printer will be bought for each department. Because the printers are networked, access can be restricted in two layers: the printer share on the print server is permitted only to that department's Active Directory group, and an access control list on the department VLAN stops other departments talking to the printer directly over the network.

● The Managing Director has a printer which is restricted to his own personal use.
○ A printer will be bought for the director and restricted the same way, with only the director's account permitted to print to it.
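The private storage, manager and Managing Director access, per-user quota and printer requirements above all come down to the same Active Directory group hierarchy, so here is one added PowerShell example (not from the original report) that builds it on a Windows file and print server joined to the domain. The domain, the "Staff" OU, the share root D:\UserFiles, the department, group, user and printer names, and the 20GB quota are all assumptions for illustration; the cmdlets are the standard ActiveDirectory, FileServerResourceManager and PrintManagement ones.

```powershell
# Added example, not from the original report. Builds the permission
# hierarchy the requirements describe. Assumptions (not from the report):
# an OU "Staff", a share root D:\UserFiles, the department/group/user names
# below, and the ActiveDirectory, PrintManagement and
# FileServerResourceManager modules being installed on the server.
Import-Module ActiveDirectory
Import-Module PrintManagement
Import-Module FileServerResourceManager

$domainDn    = (Get-ADDomain).DistinguishedName
$netbios     = (Get-ADDomain).NetBIOSName
$root        = 'D:\UserFiles'
$departments = 'Sales', 'Purchasing', 'Accounts', 'Marketing', 'Warehouse'

# --- Groups that mirror the reporting hierarchy ---------------------------
#   <Dept>-Staff     everyone in the department
#   <Dept>-Managers  managers who must read every file in their department
#   Directors        the Managing Director, who must read every file company-wide
New-ADGroup -Name 'Directors' -GroupScope Global -Path "OU=Staff,$domainDn" -ErrorAction SilentlyContinue
foreach ($dept in $departments) {
    New-ADOrganizationalUnit -Name $dept -Path "OU=Staff,$domainDn" -ErrorAction SilentlyContinue
    foreach ($suffix in 'Staff', 'Managers') {
        New-ADGroup -Name "$dept-$suffix" -GroupScope Global `
            -Path "OU=$dept,OU=Staff,$domainDn" -ErrorAction SilentlyContinue
    }
    # Department folder, with a quota applied automatically to every
    # sub-folder created under it (the "space per employee" option).
    $deptPath = Join-Path $root $dept
    New-Item -ItemType Directory -Path $deptPath -Force | Out-Null
    New-FsrmQuotaTemplate -Name 'StaffHome-20GB' -Size 20GB -ErrorAction SilentlyContinue
    New-FsrmAutoQuota -Path $deptPath -Template 'StaffHome-20GB' -ErrorAction SilentlyContinue
}

# --- Private folder per user ----------------------------------------------
function New-PrivateUserFolder {
    param([string]$SamAccountName, [string]$Department)

    $path = Join-Path (Join-Path $root $Department) $SamAccountName
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $acl = Get-Acl -Path $path
    # Stop inheriting from the department folder so nothing granted higher
    # up leaks in, then grant exactly four principals. Anyone without an
    # entry (including "Users" and "Authenticated Users") has no access.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $grants = @(
        @{ Id = "$netbios\$SamAccountName";       Rights = 'Modify' },          # owner reads/writes, cannot change the ACL
        @{ Id = "$netbios\$Department-Managers";  Rights = 'ReadAndExecute' },  # department managers read all staff files
        @{ Id = "$netbios\Directors";             Rights = 'ReadAndExecute' },  # MD reads every file company-wide
        @{ Id = 'BUILTIN\Administrators';         Rights = 'FullControl' }      # server admins, for backup and support
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g.Id, $g.Rights, $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

# --- Department printers --------------------------------------------------
# Each printer is shared from the print server and its security descriptor
# lists only the department group (or, for the MD's printer, the MD's own
# account) with the Print right; Administrators keep the Manage rights.
function Set-PrinterPrintRight {
    param([string]$PrinterName, [string]$Principal)
    $sid = (Get-ADObject -Filter "sAMAccountName -eq '$Principal'" -Properties objectSid).objectSid.Value
    # Administrators manage the printer and its documents; the named SID may
    # print (SWRC = the standard print permission); nobody else has an entry.
    $sddl = "O:BAG:DUD:(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;BA)(A;;SWRC;;;$sid)"
    Set-Printer -Name $PrinterName -PermissionSDDL $sddl
}

# Usage (all names assumed): one Sales staff member, one Sales manager, the MD.
New-PrivateUserFolder -SamAccountName 'jsmith' -Department 'Sales'
Add-ADGroupMember -Identity 'Sales-Managers' -Members 'amanager'
Add-ADGroupMember -Identity 'Directors'      -Members 'md'
Set-PrinterPrintRight -PrinterName 'Sales-Printer' -Principal 'Sales-Staff'
Set-PrinterPrintRight -PrinterName 'MD-Printer'    -Principal 'md'
```

Managers and the director are given read access here because the brief says "access to", which is the least-privilege reading; if they must also edit staff files, change their Rights entry to Modify. The important design choice is that every folder names groups rather than people, so a manager moving department is a single group change and the folder ACLs never need touching.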

We asked TechRep what their budget would be for a project like this, and they replied "a budget of £750,000-£850,000". As agreed with TechRep, this project is an upgrade only and will not include long term support for the system we install. Another requirement is that the new network must be able to handle growth of 80% over the next five years. As the company grows, security becomes ever more important, because the company becomes more of a target. The network requires enough security to function on a daily basis while being protected against malicious attackers.

1.1.4 Key factors

Management have identified a number of key factors that they think will affect the project, and have asked us to address them to meet the aims of this project.

They believe that network security is not as good as it could be, and we need to address this. This was raised after a number of attacks on their network that slowed or even shut it down, costing profitable working time. We will know we have achieved this if the new network is less prone to attacks and there are fewer intrusions.

Also, since TechRep have been expanding rapidly, their network has not had a chance to catch up and so is fairly unreliable for a company of their size. This is shown by the peer-to-peer fashion of their network, which is only suitable for very small networks. We will know we have achieved this if the new network is faster and has less downtime.

Since they are a technology company, they are under near-constant threat from attackers, and they wish to mitigate this as much as possible so that they can continue working. This needs to be reflected in the network, on which they are becoming more and more dependent. We will have achieved this if we also achieve the first key factor.

1.1.5 Resources and materials

TechRep have asked us to design an upgrade to their network, with the primary focus being security. As the network is an integral part of their business, upgrading it will unavoidably cause some downtime, so we need to treat working time as a resource. Also, since we are upgrading their PC's and redesigning Active Directory, users will experience some differences, causing potential downtime and delays.

Resources:

● Staff - There are currently 5 people assigned to the project, covering the planning, development and evaluation stages. The project plan has the project finishing in 4 weeks, but an additional two weeks will be needed to finish the development at the other offices. TechRep's own staff will not be needed, though they may be affected by the work being done.

● Transport - To transport the equipment and tools needed to install everything, we will need a van. If we have the equipment delivered straight to the appropriate office this is avoided, and the only transport needed is for our staff to get to the office they are working on.

● Time - TechRep is a working company and, as said earlier, the network is an important part of the business, so any downtime is an issue. To mitigate this we will work around TechRep's working hours, or at the very least lessen the disruption caused. We plan to work in the evenings, setting up the new equipment each night, then on the final night switching all the PC's over and removing the old network. To achieve this we may need the office we are working on to finish slightly earlier than usual so that we still have time to do everything planned for that evening.

Materials:

● Switches - Used to interconnect the PC's to the router.
● Router - Used to connect all the switches together and to connect to the other offices and the internet, all through the new firewall.
● Firewall - Used to limit and filter traffic, increasing security.
● Server - Used for Active Directory, DHCP, DNS, and other services such as the file server. It will be in a central logical location so all can access it easily.
● Cabling - Used to connect everything together. Existing cabling is only Category 5, so an upgrade is needed.
● IP Phones - Used in place of the old phones, which will be easier to manage.
● ISP - We will look at the current Internet Service Provider contract to see if the best plan is being used.
● PC's - New PC's will be purchased to cope with the network upgrade and to future proof for the planned expansion.
● Testing - To test the network and the cabling, we will need a number of small devices such as cable testers, bootable USB drives to configure the new PC's, and our own laptops to work from should any small problem need to be resolved.

1.1.6 Information sources

We were given the current network topology so we could see which parts needed upgrading. The current cabling is only Category 5 (rated for 100 Mbit/s Fast Ethernet), which limits local file transfers and sometimes internet traffic too, depending on the internet connection. The current router is an unbranded consumer router with no real firewall, logging or filtering, which leaves the network exposed and is consistent with the number of attacks they have seen. The current PC's have a 160GB 5400RPM hard drive, 2048MB of RAM, a 1.6 GHz AMD single core CPU, and 800x600 monitors. The operating system is Windows Vista, which according to emails from TechRep is very unstable and crashes daily; it is also no longer supported with security updates, so these machines cannot be patched. They obviously will not keep up with work demand and so need to be upgraded. One piece of documentation used was the survey TechRep did of their own staff before we were contracted, to see how they mainly use their PC's, so that we could specify the best PC's for the job (see the results under Aims of the project assignment). This outlined what sort of PC's we need. The picture below was sent to us by a manager of TechRep to show the specifications of the current computers.

The project brief asked how we will obtain the materials needed to complete this project. As an established network design company, we have strong relationships with vendors and can recommend the best ones for different projects.

The ones we recommend for this project are:

Cisco Systems - https://www.cisco.com/c/en_uk/index.html
Cisco will be used as a reference for best practices, and for documentation, switches, routers and servers.

Netgear - http://www.netgear.co.uk/
Netgear will be used for documentation and switches.

Ubiquiti Networks - https://www.ubnt.com/
Ubiquiti will be used for documentation, routers, switches and wireless access points.

Ruckus Wireless - https://www.ruckuswireless.com/uk
Ruckus will be used for documentation and wireless access points.

Dell - http://www.dell.co.uk/
Dell will be used for documentation, PC's and servers.

SuperMicro - https://www.supermicro.com/index_home.cfm
SuperMicro will be used for documentation and servers.

Hewlett Packard - http://www8.hp.com/uk/en/home.html
Hewlett Packard will be used for documentation, PC's and servers.

1.1.7 Analysis

Based on the research I have conducted, I have been able to create a rough idea of what the network will look like, the layout of the devices and which devices go where. This diagram shows a logical layout of how I plan to design the network.

I have a single router in the centre, which has a link to the internet and, via a firewall, VPNs to the other offices. The logical topology above shows how each of the three offices is going to be laid out; some may differ slightly, but it is all roughly the same. The physical network for each office will differ, however. The firewall at each office connects to the ISP, which is shared by all three offices, and site-to-site VPNs are run in a triangle (a full mesh) between the three offices to get the best connectivity and some redundancy if one of the links fails. Leased lines were considered, but for a company this size they would be far too expensive for the benefit. Off the router I have 3 switches for the different departments. The PC's connect to the switches via an IP phone, which has a pass-through port enabling it to act like a small switch. I then also have a printer for each department, along with a wireless access point in the warehouse for BYOD; it may be worth extending the wireless coverage over the whole office to allow managers and directors to use laptops, in which case BYOD devices should be kept on their own SSID and VLAN, separated from the staff network. The main server is also linked off one of the switches. I am considering Cisco, Netgear or Ubiquiti for the switches, then Cisco or Ubiquiti for the router. At this stage I am thinking the IP phones should be Cisco, though the model is not yet decided, as different models may fit different departments. The PC's will have good enough specifications to run basic tasks such as word processing with fast boot-up times.


1.2 Project plan


Development

2.1 Developing

2.1.1 Implementing the planned solution

Continuing from the analysis from the planning stage of the project, in this section we will be

outlining the exact features and specifications of the network design.

2.1.1.1 PC Choice & Monitor Choice

As outlined in the project brief, the PC's have to meet a minimum requirement to run programs such as an office suite and accounting software. We considered a thin client setup, where employees would use a small PC that connects to a larger server, offloading the compute to a central site. That reduces the need for a large support team for each separate machine and concentrates most of the cost in one server; this is desktop virtualisation. We looked at a SuperMicro Ultra Server[1] fitted with twelve 4 TB drives, either Western Digital Reds[3] or Seagate IronWolfs[5]. The cost of the server is around £2,300[2]; 12 x 4 TB WD Red drives cost about £1,680[4], and 12 x 4 TB Seagate IronWolf drives about £1,440.

So the total price for a virtualisation server would be about £3,800, before the cost of the remaining server components and the thin clients.

After some deliberation, however, this was rejected: standalone machines are cheaper in the short term and better suited to the planned rapid growth of the company. Standalone machines last longer per employee and are more modular (you can just buy another computer) when more employees are taken on. With this in mind, the PC's we buy need to last a minimum of 5 years, allowing for operating system upgrades which could make the system slower over time. This means buying PC's that are more powerful than needed now, so that down the line they still hold up to a workable standard.

After research on both manufacturers outlined in the planning stage (Hewlett Packard and Dell), HP's range was found not to offer the specification needed for the level of future proofing we require. The Dell website yielded results closer to what we were hoping for. Dell offer small form factor PC's which are especially suited to office use: they fit on the desk rather than under it, allowing better access to the USB ports and easier maintenance. We found a PC that fits our needs, the Dell OptiPlex 7040[7], shown below.

We chose this PC as it comes with 8GB of DDR4 RAM, which is enough memory to handle lightweight tasks such as web browsing for the foreseeable future. It also has an Intel Core i7 CPU, which is more than enough for accounting software and other software they wish to use. Unlike traditional PC's, this system comes with a 256GB PCIe NVMe SSD, which means boot time will be significantly reduced, minimising downtime. Another advantage of a solid state drive is that everything runs quicker, so there is less waiting and more work gets done. It also ships with Windows 10, so no separate operating system licence is needed, and it is a supported, patchable OS unlike the Vista machines being replaced.

Since we are buying from Dell directly, they offer a discount if we also buy a monitor with them. We chose the Dell UltraSharp U2414H[8], a 24 inch IPS monitor, meaning colours will be more accurately represented and the picture clearer.


2.1.1.2 IP Phone Choice

We have chosen IP phones for the network as they integrate more easily with the services we will be using, such as VoIP (Voice over Internet Protocol). This lets us move away from the old system of traditional telephones, which are harder to maintain and no longer suitable for a modern working environment. We have also designed the network to use the IP phones as a switch for the PC's, reducing the amount of cabling needed.

Our vendor of choice for IP phones is Cisco, as they are known for good quality and for working with a wide array of systems. According to our plan, each PC connects through its IP phone's built-in single port gigabit switch. We wanted a model with a full size keypad and a moderate screen size for information to be displayed, eliminating models that offered more features than we needed at a higher price, while keeping the gigabit switch port so that our servers and other services work at full speed. After browsing the Cisco site we decided on the Cisco 6945 Unified IP Phone[9][10], as it has all the features we need without unnecessary add-ons that would increase the price. The price is shown below.

2.1.1.3 Printers

Currently, TechRep only have a single inkjet home printer per office, which is not handling their workload and keeps malfunctioning. If they are to expand they will require more reliable printers that can handle more jobs and last longer.

The current inkjet printer in each office consumes a lot of ink and so is quite costly. For this reason TechRep have expressed great interest in laser printers, which have a better cost per page. The marketing department has also requested a colour printer so they can print graphs, as before charts were difficult to distinguish when multiple colours were used.

The common protocols for printing over the network are Line Printer Remote (LPR), which runs on client PC's and sends files to a print server, and Line Printer Daemon (LPD), which runs on the print server and receives print jobs from clients running LPR. LPR/LPD is old and carries no authentication or encryption, so anyone who can reach a printer on the network can print to it; this is why the per-department restriction has to be enforced with permissions on the print server and ACLs on the network rather than by the printer itself. Internet Printing Protocol (IPP) is also a consideration; it is perhaps not essential since each office will have at least one printer per department, but if managers or directors are away from the office it may come in handy if they need to print something urgently, and IPP over TLS (IPPS) is the form to use for that.

The main manufacturers we have been considering are HP and Brother. After some research, Brother were found to have a good reputation for quality printers that are not prone to breaking. As with the IP phones, we want to meet TechRep's requirements without going overboard on unnecessary features, to keep the cost down.

After browsing the Brother website and eliminating printers with unnecessary features, we found one that fits the needs. The Brother HL-3170CDW is a colour laser printer, so management can print in colour, and the cost per page is lower than an inkjet. It connects via Ethernet, which makes it easy to manage through Active Directory (as a shared printer on the print server) and to place in the right VLAN. A printer will be bought for each department to reduce queueing so that work can be carried out more efficiently.

2.1.1.4 Router choice

In the planning stage we set out three switches and a single router, with the internet connection managed through a firewall. This means the router needs a minimum number of Ethernet ports. Additionally, for future proofing it may be worth considering 10 Gigabit interfaces rather than just 1 Gigabit, though price will largely dictate this. It is also worth considering Cisco Meraki, since their routers have VPN and firewall capabilities built in, negating the need for an additional device. This could also be a drawback: if the router goes down it is more expensive to replace, and there is more in one box to go wrong.

Since the selection of Meraki routers is limited, it was fairly easy to find one that fits TechRep's needs. The Cisco Meraki MX100[12][13] is a firewall and VPN router with 8 Gigabit Ethernet LAN ports, a single WAN Ethernet port and a management port. Using the same model at all three offices will make it easy to set up the VPN between them. The built-in stateful firewall has a throughput of 750 Mbps, so it adds security without becoming a bottleneck on the office internet connections. The VPN throughput is 500 Mbps, which sounds low, but we will split the traffic (split tunnelling) so that only traffic destined for the other offices travels down the VPN, leaving the rest of the internet connection free for other users. The site-to-site VPN will use IPsec to keep inter-office traffic confidential and authenticated. Other protocols we will use are IPv4 for internal addressing, and possibly IPv6 to aid future proofing; if IPv6 is enabled, the firewall rules must cover it as well as IPv4, or it becomes an unfiltered path. The MX is managed through the Meraki cloud dashboard over HTTPS; where any device does offer a command line, SSH rather than Telnet will be used for remote management. The LAN ports may come in handy, and the MX100 also includes two SFP ports, which plays a big part in our decision on switches.

2.1.1.5 Switches

According to the logical topology from the planning stage, we were going to have three switches connected to the router, each of which would serve at least one department, if not more. However, the options for interfaces on routers, and thereby switches, have made it uneconomical to have all three switches connect to the router at once. Because of this, we have decided to also acquire a distribution switch to aggregate all the access switches. This also gives us the option to upgrade to 10 Gigabit so that users will be able to access the server(s) at faster speeds and work more efficiently. To gain access to 10 Gigabit speeds, we will need to use the "small form-factor pluggable" (SFP) connector.

Since the distribution switch will need to aggregate all the access switches, it will primarily need to be made up of 10GBASE-T SFP+ ports. For this I looked on the Ubiquiti and Cisco websites. Upon eliminating those products which offer more than we need, I narrowed the search down to the Ubiquiti EdgeSwitch 16-port switch[14][15]. This offers 12 SFP+ (10GBASE-T) ports that will be used to connect to the other switches at 10 Gigabit speed. However, since there will only be about 3 access-layer switches, it may be possible to aggregate SFP+ ports so that two connections are made to each switch, increasing bandwidth from 10 Gigabit to a theoretical 20 Gigabit. At this data rate, we are struggling to get matching read/write speeds from/to the SSDs in our potential file server, so aggregating a third SFP+ port may not be useful.

In the case of the distribution switch, this means the access switches need to have at minimum two SFP(+?) ports to connect to the distribution layer. All other ports need to be Ethernet ports operating at 1000BASE-T (Gigabit). Since the distribution layer will be operating at a theoretical 20 Gbps, this will allow multiple users to access the server and services while maintaining relatively fast speeds. Another consideration is Power over Ethernet, which will need to be used for the Wireless Access Point(s). Also, since we went with Ubiquiti for the distribution switch, to maintain continuity it would be preferable to use another switch from the same company. The UniFi switch with PoE (Ubiquiti UniFiSwitch)[16][17] fits the specifications perfectly, and still allows us to keep the 20 Gigabit speeds through the two SFP+ ports.

These switches will be the access switches that connect to the IP phones and the PCs. The switch also supports PoE up to 500W, which will be more than enough to power the IP phones and Wireless Access Points.

New switch layout after revisions:


2.1.1.6 Cabling

Currently, TechRep only have Category 5 cabling, which can only support up to 100 Mbit/s. This will become an issue when employees are accessing the new file server and trying to retrieve files. It will also be an issue when employees from other offices need to access the file server. It is also very difficult to manage, as none of the wires are labelled, so troubleshooting will be difficult. We intend to replace most of the Category 5 cable with Category 6, which will give the end user Gigabit access. However, some of the cabling will be replaced with SFP+ cables[18]. These will primarily be placed from the access switches to the distribution switch and to the main router. We will also be aggregating two SFP+ cables going to and from each switch and router. Depending on the mode used, this will either increase speeds from 10 Gbit/s to 20 Gbit/s, or can be used as a failover in case one fails.


2.1.1.7 Servers

Currently, for sharing files between computers, employees either email them to each other or use the default peer-to-peer file sharing. This is a very insecure and unstable way to store files. TechRep also do not have any way to back up files; however, sometimes employees may save files to flash drives to 'save' them.

The plan is to get a server for each office, then set up Active Directory on each and assign users file storage space in Active Directory. To manage all user profiles over all offices, we will use an Active Directory controller and then link up the other servers. The Edinburgh office will be the Active Directory master, so it will be the main source of all the profiles that the other offices use to log in with, and the other servers will act as the slaves. We will also use folder redirection to help employees get used to saving files on the server. To save costs, we will use one physical server to host both the Active Directory server (with the file server) and the onsite backups. In our planning we outlined using SuperMicro servers as they have a good reputation and reliability. We have selected the SuperServer 6028U-TNR4T+[19] as a candidate, as it is not overkill on its specifications but has enough drive bays to support both roles. Half of the drives will be used to form a RAID 1 cluster, mirroring the other half. Of the other half, half will be Active Directory file storage and the remainder will be a backup of that.

This server configuration will be deployed in each office; the only difference in Edinburgh will be the Active Directory controller master.

Since this server only comes with the caddies and the motherboard, we will need to fit out the server with all the other components. For a server this size, 32GB of Error Correcting Code (ECC)[20] memory should be sufficient for day-to-day use. The advantage of ECC over normal memory is that there is less memory corruption that would otherwise have caused a program or the system to crash. This ensures the server is always available.

Another component we need is a processor, or CPU. The server supports Intel Xeon E5 server processors, and for this sort of workload, where we do not need to virtualise, we don't need a huge number of cores. To keep the cost low and the clock speed high, we have chosen the Intel Xeon Processor E5-1660 v4[21]. We discussed the hard drives in the PCs section: we are going to get 3 x 2 TB drives for the Active Directory storage (green), 3 x 4 TB drives for the backup (blue), and 6 x 4 TB drives for the RAID 1 area (red).

For the website, we have decided that the best course of action would be to store the HTML files on a cloud service such as Amazon Web Services or Google Cloud. This means the website has a lower chance of going down than if we were to store it on local servers, which are prone to more accidents and downtime. We have decided to use Amazon Web Services due to their low cost and easy-to-use interface.

The mail server will also be on the Active Directory server, added as a role. Because the mail server is a vital part of the company, it will be placed on the Edinburgh server, the Active Directory master, so all email will be replicated on the slaves. We will then use an application such as Thunderbird on the client PCs. Since the mail server is an important role in the company, an Uninterruptible Power Supply (UPS)[22] may be a consideration, to stop unwanted power fluctuations and outages from taking the server down.


2.1.1.8 Firewall

Since we have chosen to go with a Cisco Meraki, the router we have chosen includes a built-in firewall, which makes it easier to manage and reduces cost. See the router section above if you would like to know more.

2.1.1.9 Wireless Access Points

Since the planning stage, we have discovered that the single wireless access point in the warehouse for Bring Your Own Device is not enough, and that the employees in the rest of the office would also benefit from more widespread internet coverage. This would allow them to access the internet on their mobile devices, and we would also keep the Bring Your Own Device policy. Those who would benefit from mobile devices such as laptops, for example managers and directors, might also be a consideration.

In our planning, we outlined two potential manufacturers to buy our wireless access points from: Ubiquiti, who we are getting the switches from, and Ruckus Wireless. Ruckus have a good reputation for reliability, and since we need future-proofing, we have decided to use them.

To future-proof the offices, 802.11ac should be used to ensure speeds are adequate from now until even 5 years' time. Because 802.11ac Wi-Fi uses dual-band radios (2.4 GHz and 5 GHz), the speeds depend on which part of the spectrum you are using. 2.4 GHz offers speeds up to 300 Mbps, whereas 5 GHz can currently offer up to 1300 Mbps on higher-end models, but only 867 Mbps on lower-end models. It should be noted that 2.4 GHz only operates in the 802.11n standard. The addition of MIMO, or even MU-MIMO, is always welcome, so as to serve more clients at once and reduce interference with others. QoS support is a must, so that VoIP can be used easily; on higher-end models this is usually standard.

There are many different types of wireless security; however, the newest version is usually the most preferred, as it usually offers the strongest encryption and therefore the strongest security. Wireless Protected Access II (WPA2) is the newest version of the 802.11 protocol security suite. Authentication with Active Directory and/or RADIUS also adds a layer of security.

Taking all these factors into consideration and looking at the Ruckus website, we have found a suitable access point that will last the planned 5-year upgrade cycle. The Ruckus ZoneFlex R500 is a 2x2:2 MIMO dual-band 802.11ac Wi-Fi access point. It can be used in either standalone or autonomous mode to support a bigger wireless range. It comes with support for RADIUS and Active Directory, so we will not have to create another set of user groups, but will be able to use the ones we use for the PCs.

We plan to deploy two access points in the warehouse and two in the office. At this time we do not think a wireless controller is necessary; however, one may be of use in the future.

2.1.2 Network devices

The firewall that we have decided to get is the Cisco Meraki MX100. As it is an all-in-one router, firewall and VPN concentrator, most of the configuration will be done on this one device. The firewall will be set up with an explicit deny rule so that any traffic not matching an allow rule is dropped. The rules in place will ensure only safe and predetermined types of traffic get through. The types of traffic that will be added to the allow rule will be discussed later under common protocols.


Network Address Translation (NAT) is used to conserve IP address space. The internal network address range is used to assign each device a unique address on the private network. Then, to access the internet, that private address gets translated to one from a predefined pool of public addresses provided by an ISP. Since we will be using ISP connections to access the internet, these addresses will be given to TechRep to add to the configuration of the router. Depending on the number of addresses we receive from the ISP, we will also implement NAT overload, which uses only one or two addresses, and each time a user needs to access the internet the client is assigned a port. This is known as Port Address Translation (PAT). A consideration with NAT is its compatibility with IPv6, using NAT64 along with DNS64.

Security on switches will mainly be MAC address security. Three modes can be assigned to a port to ensure the right user is connected. Static address security ensures that only a list of computers can use that port, stopping unauthorised devices connecting to the network. This mode will probably be used on the ports that are not yet in use.

The next mode is dynamic, in which devices are learned on the go and will be lost when the port is shut down. Sticky MAC addresses are learned dynamically from the port and also entered into the running configuration, so they are not lost when the port goes down. This is the mode that will be used on end-user devices.

If a violation occurs, the port will enter one of three states. Shutdown closes the port to all traffic. Protect allows traffic from known addresses while dropping traffic from unknown ones, and Restrict does the same as Protect but also sends a message showing that a violation has happened.
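As an added example (not part of the original report), the following Python simulates the port-security behaviour just described: static, dynamic and sticky address learning, and what happens on a violation under the shutdown, protect and restrict actions. The port names, MAC addresses and the two-device limit are constructed values, and the model is a simplification rather than any vendor's implementation.

```python
"""Added example (not part of the original report): a small simulation of
switch port security -- static, dynamic and sticky MAC learning with the
shutdown / protect / restrict violation actions. Port names and MAC
addresses are constructed sample values; the model is a simplification."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    name: str
    mode: str                     # "static", "dynamic" or "sticky"
    violation: str                # "shutdown", "protect" or "restrict"
    max_addresses: int = 1
    allowed: Set[str] = field(default_factory=set)     # static or learned MACs
    persisted: Set[str] = field(default_factory=set)   # sticky MACs saved to config
    is_up: bool = True
    violation_count: int = 0
    alerts: List[str] = field(default_factory=list)    # messages sent by 'restrict'

    def frame_from(self, mac: str) -> str:
        """Handle a frame with source MAC `mac`; returns the port's decision."""
        mac = mac.lower()
        if not self.is_up:
            return "dropped: port shut down"
        if mac in self.allowed:
            return "forwarded"
        # Unknown source: learn it if the mode allows and there is room.
        if self.mode in ("dynamic", "sticky") and len(self.allowed) < self.max_addresses:
            self.allowed.add(mac)
            if self.mode == "sticky":
                self.persisted.add(mac)   # written to the running configuration
            return "forwarded (learned)"
        return self._violation(mac)

    def _violation(self, mac: str) -> str:
        self.violation_count += 1
        if self.violation == "shutdown":
            self.is_up = False            # closes the port to all traffic
            return "dropped: port shut down"
        if self.violation == "restrict":
            # restrict behaves like protect but also reports the violation
            self.alerts.append(f"port-security violation on {self.name} from {mac}")
        return "dropped: unknown source"

    def flap(self) -> None:
        """Port goes down and comes back up: dynamic entries are lost, while
        static entries and sticky entries in the running config survive."""
        if self.mode == "dynamic":
            self.allowed.clear()
        elif self.mode == "sticky":
            self.allowed = set(self.persisted)


def run_scenario() -> Dict[str, object]:
    """Exercise the three modes with constructed traffic and return the outcomes."""
    # Unused port: a static list and shutdown on violation.
    spare = SecurePort("Gi1/0/24", "static", "shutdown", allowed={"00:11:22:33:44:55"})
    # End-user port: sticky learning of up to two devices (PC + IP phone), restrict.
    desk = SecurePort("Gi1/0/5", "sticky", "restrict", max_addresses=2)
    # Dynamic port for comparison.
    lab = SecurePort("Gi1/0/9", "dynamic", "protect")

    out: Dict[str, object] = {}
    out["spare_unknown"] = spare.frame_from("AA:BB:CC:DD:EE:01")      # violation -> shutdown
    out["spare_known_after"] = spare.frame_from("00:11:22:33:44:55")  # port already down

    out["desk_pc"] = desk.frame_from("AA:BB:CC:00:00:01")
    out["desk_phone"] = desk.frame_from("AA:BB:CC:00:00:02")
    out["desk_rogue"] = desk.frame_from("AA:BB:CC:00:00:03")           # third device
    desk.flap()
    out["desk_pc_after_flap"] = desk.frame_from("AA:BB:CC:00:00:01")   # still known
    out["desk_alerts"] = len(desk.alerts)

    out["lab_first"] = lab.frame_from("AA:BB:CC:00:00:09")
    lab.flap()
    out["lab_after_flap"] = lab.frame_from("AA:BB:CC:00:00:09")        # relearned
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:22} {value}")
```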

A Network Intrusion Prevention System is a monitoring and protection system used to detect unusual network traffic and adjust the firewall rules accordingly. This is a more advanced version of a Network Intrusion Detection System, which only monitors the network; however, the latter may be preferable if TechRep would like manual adjustment.

The spam filter we will be implementing comes built into our email client of choice, Thunderbird[23]. It dynamically learns which messages are junk mail according to the users' habits and places those in a folder. This should reduce the amount of spam received, provided the user is also trained appropriately.

For URL filtering, we will be implementing OpenDNS[24], which is equivalent to Cisco Umbrella[25] on Cisco's Integrated Services Routers. OpenDNS analyses traffic to try to detect threats. It also has the ability to block certain types of traffic, but this will be dealt with by our firewall. A useful feature, however, will be the ability to block certain categories of websites or just individual websites. This will be used in the warehouse if TechRep want to block sites there. OpenDNS can also block certain types of malware from joining a botnet.

Virtual Local Area Networks (VLANs) will be used on the network to help break users up into manageable groups. ID numbers will be assigned to departments, incrementing by a fixed number each time. This will also help create a usable and semi-readable IP address scheme.


We will be implementing security features on the routers to lock down unauthorised access. Standard procedures such as encrypting plaintext passwords, encrypted secret passwords and console line passwords will be added. Giving each appropriate technician a separate SSH login will not only make it more secure but easier to audit, since we can see which technician was logged in if an issue occurs. SSH is far more secure than unencrypted plain-text Telnet. It may also be worth shutting down the console port to increase security even further.

For a Denial of Service flood guard, the Cisco Meraki MX100 we have used for our router and firewall also includes a basic Intrusion Prevention System (IPS), which acts as a flood guard against DoS attacks.

Spanning Tree Protocol will need to be implemented to mitigate looping. This is important, as we have three loops, each with two links, to accommodate LACP.

Remote access will be used to transfer files between sites via the domain controller through the VPN. Users should not need to access the other sites' FTP servers manually, due to folder redirection. If two users want to share files, the file should be put into the non-private area of the server where they can both access it, and folder redirection should do the rest.

2.1.3 Network redesign

The current network consists of ~20 users per office, connected to an old-style hub via Category 5 cabling. This causes collisions and instability. They do not currently have a wireless network, and the PCs are low-end machines running Windows Vista. The router they currently have is a no-brand router from their ISP which keeps malfunctioning. Below is a logical topology of what we believe to be the current network at TechRep. It represents one office with 19 PCs, one backbone hub and three access hubs.


This is the proposed logical topology we formed at the end of the planning stage.


This is a physical topology of the proposed network, with upgraded cables (blue).

This is a hierarchical model of how the network devices are going to be distributed.

IP address table for the new network topology.

(each cell: network address / subnet mask)

Row                       Edinburgh                       Dundee                          Glenrothes
Location base IP address  10.10.0.0 / 255.255.0.0         10.20.0.0 / 255.255.0.0         10.30.0.0 / 255.255.0.0
Sales                     10.10.10.0 / 255.255.255.0      10.20.10.0 / 255.255.255.0      10.30.10.0 / 255.255.255.0
Purchasing                10.10.20.0 / 255.255.255.0      10.20.20.0 / 255.255.255.0      10.30.20.0 / 255.255.255.0
Accounting                10.10.30.0 / 255.255.255.0      10.20.30.0 / 255.255.255.0      10.30.30.0 / 255.255.255.0
Warehouse                 10.10.40.0 / 255.255.255.0      10.20.40.0 / 255.255.255.0      10.30.40.0 / 255.255.255.0
Management/Directors      10.10.50.0 / 255.255.255.0      10.20.50.0 / 255.255.255.0      10.30.50.0 / 255.255.255.0
Wireless                  10.10.60.0 / 255.255.255.0      10.20.60.0 / 255.255.255.0      10.30.60.0 / 255.255.255.0
Gateway                   10.10.100.1 / 255.255.255.248   10.20.100.1 / 255.255.255.248   10.30.100.1 / 255.255.255.248
NAT                       Provided by ISP                 Provided by ISP                 Provided by ISP
Server                    10.10.100.5 / 255.255.255.252   10.20.100.5 / 255.255.255.252   10.30.100.5 / 255.255.255.252
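As an added example (not part of the original report), the following Python generates the addressing scheme in the table above from its pattern (site base 10.<site>.0.0/16, one /24 per department, gateway and server blocks under .100) and runs the two sanity checks a practitioner would want before deploying it: that every block sits inside its site's /16, and that no two blocks share addresses. Using the department's VLAN id as the third octet and the standard ipaddress module are this example's assumptions.

```python
"""Added example (not part of the original report): builds the report's IP
address table from its pattern and checks it with the standard ipaddress
module. Department VLAN ids (third octet) are an assumption of this example."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

IPNet = ipaddress.IPv4Network

SITES = {"Edinburgh": 10, "Dundee": 20, "Glenrothes": 30}
# The department VLAN id doubles as the third octet, giving the
# "semi-readable" scheme the report describes.
DEPARTMENT_VLANS = {"Sales": 10, "Purchasing": 20, "Accounting": 30,
                    "Warehouse": 40, "Management/Directors": 50, "Wireless": 60}


def site_plan(site_octet: int) -> Dict[str, IPNet]:
    """Build one column of the table from the report's pattern."""
    plan = {"Location base": IPNet(f"10.{site_octet}.0.0/16")}
    for dept, vlan in DEPARTMENT_VLANS.items():
        plan[dept] = IPNet(f"10.{site_octet}.{vlan}.0/24")
    # The table lists host addresses with masks; strict=False gives the
    # network that contains each host (10.x.100.1/29 -> 10.x.100.0/29).
    plan["Gateway"] = IPNet(f"10.{site_octet}.100.1/29", strict=False)
    plan["Server"] = IPNet(f"10.{site_octet}.100.5/30", strict=False)
    return plan


def full_plan() -> Dict[str, Dict[str, IPNet]]:
    return {site: site_plan(octet) for site, octet in SITES.items()}


def check_plan(plan: Dict[str, IPNet]) -> List[str]:
    """Return readable problems: a block outside the site range, or two
    blocks that share addresses (which breaks routing and firewall rules)."""
    issues: List[str] = []
    base = plan["Location base"]
    blocks = {name: net for name, net in plan.items() if name != "Location base"}
    for name, net in blocks.items():
        if not net.subnet_of(base):
            issues.append(f"{name} {net} is outside {base}")
    for (a, net_a), (b, net_b) in combinations(blocks.items(), 2):
        if net_a.overlaps(net_b):
            issues.append(f"{a} {net_a} overlaps {b} {net_b}")
    return issues


def locate(addr: str) -> List[Tuple[str, str]]:
    """Every (site, block) that contains `addr`; more than one hit means
    two blocks overlap and the address is ambiguous."""
    ip = ipaddress.ip_address(addr)
    hits: List[Tuple[str, str]] = []
    for site, plan in full_plan().items():
        for block, net in plan.items():
            if block != "Location base" and ip in net:
                hits.append((site, block))
    return hits


if __name__ == "__main__":
    for site, plan in full_plan().items():
        print(site)
        for block, net in plan.items():
            print(f"  {block:24} {net}")
        for issue in check_plan(plan):
            print(f"  ! {issue}")
    print(locate("10.20.30.7"))
```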

2.1.4 Common Protocols

● IPsec provides security to packets travelling over the network. It encrypts and authenticates the packets. It is especially useful for VPNs, which we will be using to connect and secure the sites, a fairly important role.
● SNMP (Simple Network Management Protocol) (Port 161) is used to monitor and gather statistics from events occurring on the network. This will be used to collect data on the running state of the network, and will be very useful in auditing.
● Secure Shell (SSH) (Port 22) is a more secure version of Telnet which allows users to log in to devices using a username and password. Each authorised technician will be given a unique username and password so it will be easier to audit if something happens.
● Domain Name System (DNS) (Port 53) is a system that maps names to IP addresses to make websites and other systems more readable and memorable. This will be used in our network to assign the server(s) domain names, so as to make the servers more accessible to users. It will also be used for the website.
● Secure Sockets Layer (SSL) is used in conjunction with HTTPS to create a secure tunnel from end user to end user. This will be used in our network to help keep website data secure.
● Transmission Control Protocol/Internet Protocol (TCP/IP) is how most packets are formed to traverse the network.
● File Transfer Protocol (FTP) (Ports 20 and 21) is used to transfer files. We will be using this extensively on our servers to transfer files to and from them. There are secure options for FTP that include File Transfer Protocol Secure (FTPS) (Ports 21 and 22) and Secure File Transfer Protocol (SFTP) (Ports 21 and 22). FTPS uses SSL for its encryption and security, whereas SFTP uses SSH. We will be using SFTP to allow users to write and read files from the file servers.
● Hyper Text Transfer Protocol (HTTP) (Port 80) is a way of exchanging web content between browsers and servers. Hyper Text Transfer Protocol Secure (HTTPS) (Port 443) is a way of exchanging web content in a secure manner, often using SSL. This will be used on all PCs using a web browser.
● Secure Copy Protocol (SCP) (Port 22) is a way to transfer files securely from a file server through SSH.
● Internet Control Message Protocol (ICMP) is a way of sending error messages and other types of messages over the network. The traceroute and ping utilities also make use of ICMP. We will use this in our network to monitor and diagnose problems.
● Internet Protocol version 4 (IPv4) is the most common protocol in networking. We will be using this in our network as it is easy to read and manage. However, Internet Protocol version 6 is an ever-growing standard which may be worth considering to future-proof the network.

These are going to be the most used protocols on the network, along with their port numbers. Well-known ports are usually 0-1023. Ports after that, ranging up to 41,951, are registered ports. Then ports ranging up to 65,535 are dynamic/private/unregistered. We will be blocking all ports apart from the ones we will be using, via the explicit deny any/any rule in our firewall, and if TechRep would like specific ports unblocked we can do that easily.
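As an added example (not part of the original report), the following Python models the firewall policy described in 2.1.2 and in the protocol list above: an ordered allow list built from the report's port numbers, closed by the explicit deny any/any rule, plus a check for rules that can never match because an earlier rule already covers them. The rule order, the IPsec entries (IKE udp/500, NAT-T udp/4500 and ESP) and all sample flows are this example's assumptions, not the Meraki configuration.

```python
"""Added example (not part of the original report): a minimal model of the
report's firewall policy -- first-match allow rules from the protocol list,
closed by the explicit deny any/any. Rule order, the IPsec entries and the
sample flows are assumptions of this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # "tcp", "udp", "icmp", "esp"; None = any
    dport: Optional[int] = None   # destination port; None = any (or port-less proto)

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        return (self.proto is None or self.proto == proto) and \
               (self.dport is None or self.dport == dport)

    def covers(self, other: "Rule") -> bool:
        """True if every flow `other` could match would already hit this rule."""
        return (self.proto is None or self.proto == other.proto) and \
               (self.dport is None or self.dport == other.dport)


# Allow list from section 2.1.4 (the report's port numbers), then the
# explicit deny any/any from 2.1.2. IKE/NAT-T/ESP for IPsec are assumed.
POLICY: List[Rule] = [
    Rule("ssh-sftp-scp", "allow", "tcp", 22),
    Rule("dns-udp", "allow", "udp", 53),
    Rule("dns-tcp", "allow", "tcp", 53),
    Rule("http", "allow", "tcp", 80),
    Rule("https", "allow", "tcp", 443),
    Rule("ftp-data", "allow", "tcp", 20),
    Rule("ftp-control", "allow", "tcp", 21),
    Rule("snmp", "allow", "udp", 161),
    Rule("icmp", "allow", "icmp"),
    Rule("ipsec-ike", "allow", "udp", 500),
    Rule("ipsec-nat-t", "allow", "udp", 4500),
    Rule("ipsec-esp", "allow", "esp"),
    Rule("explicit-deny-any", "deny"),      # nothing placed below this can match
]


def evaluate(policy: List[Rule], proto: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First-match evaluation; returns (action, name of the matching rule)."""
    for rule in policy:
        if rule.matches(proto.lower(), dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"   # fail closed if a policy lacks its final deny


def shadowed_rules(policy: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule) pairs where the earlier rule makes the later one
    unreachable -- a deny-any placed above an allow is the classic mistake."""
    found: List[Tuple[str, str]] = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


SAMPLE_FLOWS = [   # constructed traffic, not a capture
    ("tech-ssh-to-router", "tcp", 22),
    ("browser-https", "tcp", 443),
    ("legacy-telnet", "tcp", 23),
    ("smb-from-guest-wifi", "tcp", 445),
    ("nms-snmp-poll", "udp", 161),
    ("site-to-site-esp", "esp", None),
    ("ping", "icmp", None),
]


def audit(policy: List[Rule], flows=SAMPLE_FLOWS) -> Dict[str, Tuple[str, str]]:
    """Run each constructed flow through the policy and collect the decisions."""
    return {label: evaluate(policy, proto, port) for label, proto, port in flows}


if __name__ == "__main__":
    for label, (action, rule) in audit(POLICY).items():
        print(f"{label:22} {action:5} via {rule}")
    print("shadowed:", shadowed_rules(POLICY))
```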

2.1.5 Implementing wireless network in a secure manner

A more in-depth look at wireless in general is discussed earlier. Wired Equivalent Privacy (WEP) was the first type of security for wireless, and its aim was to bring some level of basic security. WEP was released in 1997, and its name derives from the aim of matching the security of its wired counterparts. Since it is so old, it is now considered deprecated and too easy to break; therefore we will not be using WEP to secure our wireless network. It has been superseded by WPA.

Wireless Protected Access (WPA) was the next iteration of security made for wireless networks. WPA introduces multiple means of authentication to accommodate different deployment types. WPA Pre-shared Key (WPA-PSK) is a mode of authentication used by homes and small offices that makes use of a password to join the network. Normal WPA mode is used in conjunction with a third-party authentication server such as a RADIUS server. This requires a valid username and password on the server. For its encryption, WPA uses Temporal Key Integrity Protocol (TKIP), meaning it generates a 128-bit key per packet. WPA was in turn superseded by WPA2, with a stronger encryption algorithm.

Wireless Protected Access 2 (WPA2) is the successor to WPA, bringing with it stronger encryption algorithms. WPA2 incorporates the Advanced Encryption Standard (AES) as part of its security. This ensures the passwords in the pre-shared key are securely processed and exchanged. AES-256 is the most common type of encryption with WPA2 currently; however, AES-512 is starting to be used more often.

The type of security we will be implementing in the network is WPA2 with AES-256, using a RADIUS server linked to our Active Directory server, so users will have seamless use of both the desktop PCs and the Bring Your Own Device plan provided by the wireless network.

We will not be disabling the SSID broadcast, so as to more easily allow employees to connect; however, the antennas will be placed and arranged in such a way as to try to eliminate interference with other businesses nearby.

2.1.6 Threats and Vulnerabilities

2.1.6.1 Common malware

Adware is the least dangerous type of malware, as it just injects adverts onto your computer; these are fairly easy to remove, providing a reputable anti-malware program is installed.

Spyware is malware that spies on you and can be disastrous to a business, as it can track internet activity and sensitive information such as billing and sales.

Viruses are programs that spread from user to user, often through emails or messages, and replicate themselves when executed. Viruses often slow down or destroy the host computer if not dealt with.

Worms are very much like viruses; however, these often have a more malicious intent, such as deleting or corrupting files.

Trojans are the most dangerous type of malware. They often present themselves as innocent programs that then run a malicious program in the background, such as one consuming system resources.

For these reasons we will be implementing user account controls and installing an anti-malware program such as Malwarebytes or Sophos.

2.1.6.2 Types of attacks

Phishing attacks are when a legitimate-looking request for some type of data is sent to an employee. These requests often pose as official correspondence from companies such as banks and will ask you to verify details to do with money or personal information. They are often sent via email and can look very convincing, so proper training in ways to spot a phishing attempt is valuable. Things to look out for are valid SSL/HTTPS certificates.

A Denial of Service (DoS) is an attack whose objective is to disrupt normal service as much as possible. These attacks can be done in many different ways, but the goal is the same. A very popular way of carrying out a DoS attack is by sending a huge amount of traffic requests to your network. A form this can take is a Distributed Denial of Service (DDoS), which is very similar to a DoS but uses multiple computers to send traffic. Usually attackers do not target smaller companies; however, the Cisco Meraki MX100 still comes with a basic prevention system.

Man-in-the-Middle attacks often occur on wireless networks, usually if the attacker has been able to gain access to the network and has maliciously set themselves up as a ghost router, so that all traffic is now sent to them before it is sent to the real router. They can then inspect packets for information to steal. As we will be using RADIUS for our authentication, this should not be an issue.

Rogue Access Points are third-party access points that do not belong in the company network. They often have the same SSID as the legitimate network, so users can connect to them without knowing it is not the real network. If the device has already joined the legitimate network through RADIUS, it should automatically connect to the legitimate one. If it is the first time the device is trying to connect to the network and it tries to connect through the rogue access point, the request to the RADIUS server will fail due to invalid credentials.

Zero-day attacks are very hard to protect against, as they are bugs in software or firmware code that have been found and exploited so that attackers can use the bugs maliciously. The best way to prevent these is to always keep software up to date whenever possible.

Flash cookies are pieces of data stored on your computer which websites use to make the website easier to use and more personalised. However, Flash has been known to contain a lot of exploitable code, and for this reason we will be blocking Flash on the end-user PCs, only allowing the use of HTML5.

Browser add-ons can contain malicious code if not validated correctly. For this reason we will only be allowing add-ons from official sources such as the Chrome Web Store and Mozilla's add-ons for Firefox.

2.1.6.3 Mitigation and Deterrent techniques

Event logs are usually generated on the host Operating System, showing events that have occurred, such as new software installs. These show if the system has been compromised.

Audit logs are very similar to event logs; however, they are usually listening for one thing, such as updates to the Operating System or USB driver installs.

Security logs are like event and audit logs, but focused on security. These can include changes or updates to the PC's firewall, and downloads from the internet.

Access logs are logs that show who (Active Directory user) accessed what (files and folders) at certain times. These can be useful to diagnose who did what if something occurs.

The Network Intrusion Prevention System is discussed above; this is used like auditing on the network.

2.1.6.4 Penetration testing versus vulnerability scanning

Vulnerability scanning checks for vulnerabilities on your network, such as open ports that could be used to connect to the network without permission. A vulnerability scan should be performed on the network, mostly to see if there are any issues. A vulnerability scan helps identify potential points of access or exploitation on the network.

A penetration test actively tries to find exploits in your network. Penetration testing is often performed by an independent team, so as to get a fresh look at the network and to eliminate any internal exploits. Whereas vulnerability scanning is detective, penetration testing tries to be preventative.


2.1.7 Review Application, Data and Host Security

Application security is addressed by always keeping applications up to date whenever possible. On Windows, a program will let you know if an update is available; however, these usually require administrative privileges to change data on the install drive. On Linux, all applications are updated through a package manager such as Pacman or Apt, and do not require an immediate restart, which may be useful for deploying updates globally. The application we will be using for accounting is called GNUCash and can be installed on Arch Linux as shown:

$ sudo pacman -Sy yaourt
$ yaourt -S gnucash

Another way to keep applications secure is to install them to a directory where normal users do not have write/change permissions, only read; however, some exceptions will have to be made for programs that require write permissions to work. The operating system will update at the end of each working day.

To keep the rest of the applications secure, and by extension the host computer, the ability to install programs will be restricted to power users only, such as directors and managers.

In terms of antivirus, if we are using Linux we do not require anti-malware, as most malware is written for Windows; as for any that is written for Linux, we will only be allowing software installs from the package manager, to make sure packages are officially signed.

Physical security will be handled by a Kensington lock on both the PC and monitor. In the BIOS, all USB ports will be disabled apart from the mouse and keyboard ports. All data transfers should be done via the file server.

Mobile device security will only apply to the wireless device network; to secure it, users will not be able to connect to the servers (file server etc.), but will still use RADIUS as a form of authentication.

Backups will be done at the same time as updates. Updates will be downloaded, then a backup is made to the backup area on the file server, then the updates are installed, so if an update breaks anything there is a working backup with the update already downloaded.

We are planning on encrypting the drives on the server, as that is where all the sensitive data is stored. This means that if the drives are stolen the information cannot be used. Linux Unified Key Setup (LUKS) uses AES-256, so all data will be encrypted until the drive is mounted by the system.

In terms of physical security for the server room, the servers, switches and router will all be stored in a rack which is locked and for which only the director will have a key. The room the rack is in will also be locked.

2.1.8 Review Access control and identity management

Active Directory will be used to authenticate users on the desktop PCs, which will ensure that unauthorised users cannot log onto the network. For the wireless, RADIUS will authenticate against Active Directory to again ensure that no unauthorised access is granted; however, devices on the wireless network will not be allowed access to the servers, as it is a Bring Your Own Device (BYOD) network and those devices are not managed by us.

A Bluetooth device will be used as a second form of authentication [26]. The device will be paired to the user's login and will have to be nearby to unlock the account; the account will also lock if the device moves too far away. The device can be the user's phone if they wish, which should make it less likely that users leave the device behind, or it can be a small keyring attachment on a lanyard. Note that BlueProximity works by measuring the signal strength of a paired device, so this is a presence check that locks an unattended session rather than a cryptographic second factor; the password remains the primary control.

Logon hours will also be applied to employees' accounts so that attackers cannot use the accounts outside working hours to gain access. Working hours are 0830 to 1830; outside those times users will be logged off and will not be able to log in.

The file server will be split into two main areas: the Active Directory folder redirection area and a main shared network drive. The folder redirection area is where most data will be stored, so it is structured per user and easy to read. The shared drive will be for public files and sharing between users. Writing to the shared folder will require a manager's or director's account; all other users will have read access.
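The share permissions described above, expressed as a Samba configuration fragment. This is an added example, not configuration from the report; it assumes the file server exports the shares with Samba as a domain member (the report does not say which SMB server is used) and that Active Directory groups called Managers and Directors exist in the TECHREP domain. The paths are placeholders.

```ini
; Added example (not from the report): the two file-server areas described
; above as Samba shares on a domain-member file server. Assumes Samba is the
; SMB server and that the AD groups "Managers" and "Directors" exist in the
; TECHREP domain; the paths are placeholders.

[shared]
   comment = Company shared drive: everyone reads, managers and directors write
   path = /srv/samba/shared
   valid users = @"TECHREP\Domain Users"
   read only = yes
   write list = @"TECHREP\Managers", @"TECHREP\Directors"
   browseable = yes

[redirected]
   comment = Folder redirection root; each user works only in their own sub-directory
   path = /srv/samba/redirected
   valid users = @"TECHREP\Domain Users"
   read only = no
   browseable = no
```

The read only / write list pair is what gives the shared drive its "everyone reads, only managers write" behaviour. The per-user directories under the redirection root get their owner-only permissions when the folder redirection policy creates them, so one user cannot browse another's redirected folders; the hierarchical manager access described in 3.1.3 is applied as ACLs on those directories, not in the share definition.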

2.2 Testing the implemented solution

The way we will install the network is to ask the office we are working on to finish about an hour early, install parts bit by bit over a week, and then make the transition on the last day. Installing offices in stages will allow us to see whether something is wrong with the solution before we start on the next two offices.

Network testing will involve testing the cables with a cable tester, to ensure that the cables are working correctly once installed.


We will test random desktop PCs to check that they are part of the domain and that user accounts are working with folder redirection. We will store test files such as PDFs and PNGs in user accounts to check that folder redirection is working and not just saving them on the local machine.

The aggregated SFP+ links will be tested in both bonded (link aggregation) mode and failover mode to ensure the links can handle both. In testing we found that bonded mode does not give a large advantage over a single link, so the second link will be put into active-backup mode to ensure that users do not lose access to the servers if one link fails.

Software testing will include installing the applications from the Arch User Repository (AUR) [27] and making sure they run properly by asking an employee to try some basic tasks.

Security testing will be done both in-house and by independent penetration testers, who will test the security of the network. We also need to make sure all passwords meet a minimum requirement: a minimum length of 8 characters, including an upper-case letter, a lower-case letter, a number and a symbol. We will set a minimum password age of 30 days and a maximum of 90 days. Note that the minimum age stops a user from changing a password they suspect has been compromised until it has expired, so an administrator reset must be available for that case.
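A checker for the policy stated above, added as an example (it is not from the report). In the domain the policy itself is enforced by Group Policy; this function is for scripts that create accounts or pre-check candidate passwords on the Linux desktops. Beyond the four character classes it also rejects a password containing the account name, which is part of Active Directory's own complexity rule; the account name is passed in by the caller and the sample name jsmith is made up.

```shell
#!/bin/sh
# Added example, not from the original report: check a candidate password
# against the stated policy (at least 8 characters, with an upper-case letter,
# a lower-case letter, a digit and a symbol). The account name is passed as
# the second argument so that, like Active Directory's complexity rule, a
# password containing the account name is rejected as well.
PW_MIN_LEN=8

# Usage: password_meets_policy PASSWORD ACCOUNT_NAME ; returns 0 if acceptable.
password_meets_policy() {
    pw="$1"
    user="$2"
    [ "${#pw}" -ge "$PW_MIN_LEN" ] || return 1
    # One grep per character class; each must find at least one match.
    printf '%s' "$pw" | grep -q '[[:upper:]]' || return 1
    printf '%s' "$pw" | grep -q '[[:lower:]]' || return 1
    printf '%s' "$pw" | grep -q '[[:digit:]]' || return 1
    printf '%s' "$pw" | grep -q '[[:punct:]]' || return 1
    # Reject the account name anywhere in the password, case-insensitively
    # (-F: treat the name as a fixed string, not a regular expression).
    if [ -n "$user" ] && printf '%s' "$pw" | grep -qiF -- "$user"; then
        return 1
    fi
    return 0
}

# Example (jsmith is a made-up account name):
#   password_meets_policy 'Tr0ub4dor&3' jsmith && echo accepted
```

The password is passed through printf rather than echo so that a password beginning with a dash or containing backslashes is tested as typed.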

To test the network performance we will transfer a number of large files, such as videos, from the file server to an end-user PC and vice versa.

2.3 Managing the Project

According to the project plan everything went well, apart from the delivery of one of the shipments to the Glenrothes office, which was three days late; we therefore worked on the Dundee office that week and went back to Glenrothes once the switches had arrived. Apart from this, all tasks were completed on time and, as shown below, under budget.

Device name                            Unit cost   Number needed    Total
Dell OptiPlex 7040                     £652        (20 x 3) = 60    £39,120
Dell UltraSharp Monitor U2414H         £259        (20 x 3) = 60    £15,540
PC and Monitor Bundle (the two above)  £911        (20 x 3) = 60    £54,660
Cisco 6945 Unified IP Phone            £138        (20 x 3) = 60    £8,280
Brother HL-3170CDW Printer             £240        (6 x 3) = 18     £4,320
Cisco Meraki MX100                     £3,000      (1 x 3) = 3      £9,000
Ubiquiti ES-16-XG EdgeSwitch           £500        (1 x 3) = 3      £1,500
Ubiquiti UniFi 48 port PoE Switch      £700        (3 x 3) = 9      £6,300
SFP+ cables                            £10         (6 x 3) = 18     £180
SuperServer 6028U-TNR4T+               £2,500      (1 x 3) = 3      £7,500
Western Digital Red 4 TB NAS drives    £136        (12 x 3) = 36    £4,896
ECC server memory                      £176        (2 x 3) = 6      £1,056
Intel Xeon E5-1660 v4                  £960        (2 x 3) = 6      £5,760
APC Back-UPS 700 Watt                  £115        (1 x 3) = 3      £345
Cat 6 Ethernet cable                   £150        (1 x 3) = 3      £300
Total cost                                                          £104,096

(The PC and monitor lines are the two components of the bundle and are counted once, through the bundle line.)

This was considerably under the budget of £750,000.

Any problems that arose at the first installation site we were able to prevent at the sites that followed. One such problem was that access to the file server was slow; it was discovered that the RAID configuration had not been applied properly, and once it had been applied normal speed and access resumed.

Evaluation

3.1 Outline of the Assignment

The project given to us by TechRep came with a project brief. This document contained everything TechRep wanted achieved by the end of the project. The original requirements laid out by TechRep also included allowing for at least 80% expansion over the next 5 years.

3.1.1 Growth and network

TechRep's old network was outdated and badly needed upgrading. They expect to grow by up to 80% in 5 years' time; however, as the headcount at each office is around 18 or 19, we have decided to allow for a projected 100% growth so that the estimates round off. We have decided to acquire new PCs for each user, as the existing ones would not hold up on the new network. This will ensure that the PCs are fast enough for at least the next 5 years, if not more. The PCs all come with gigabit Ethernet, which will be adequate for each user. To restrict the warehouse staff from accessing social media sites we have configured OpenDNS, a DNS-based filtering service, on our router [24][25]; it dynamically filters out sites it classes as social media, but only for the warehouse VLANs. The VLANs will be set up so that normal office staff can access all sites, while warehouse users cannot access social media sites. Because the filtering happens at DNS resolution, it only holds if the warehouse VLAN can reach no resolver other than OpenDNS: the MX100 should therefore block outbound DNS from that VLAN to any other server, otherwise a user could simply point their PC at a different resolver. We have also bought IP phones for each desk that connect through the PC's network connection, which reduces the amount of wiring needed for IP phones. We will be replacing the single printer with a printer for each department, networked so that all users can print at once (subject to a print queue) without needing to print from one PC in the office. The managing director will also get a printer for their personal use; to stop others from printing to it, the printer permissions will be restricted so that only the managing director's login can print to it.

3.1.2 Access to software

Users currently have Microsoft Office 2003, which we will replace with LibreOffice 5 on the new PCs. This will give each user a more stable and faster working experience, and also retires a product that has received no security updates since its support ended in April 2014. Sales ledger software will be available to the sales staff in the form of GnuCash, which also includes sales tracking. Contact management will be included in the email client. The sales manager will have access to website development software such as Vim or Emacs, although all-inclusive solutions are also available. The purchasing staff will have access to purchase ledger software, which is also included in GnuCash. Email will be provided by Thunderbird, connecting to the email server; Thunderbird is a feature-rich client with both basic and advanced capabilities.

3.1.3 Security and restrictions

One of the main things TechRep wanted addressed was Distributed Denial of Service (DDoS) attacks. To address this we have implemented the Cisco Meraki MX100, which has a built-in Intrusion Prevention System (IPS), so that rules can be set up and attackers blocked with less hassle. Note that an on-site IPS can only drop attack traffic after it has arrived on the WAN link; a volumetric DDoS that saturates the link itself has to be absorbed upstream by the ISP or a cloud DDoS protection service, so the IPS should be seen as protection against exploit and application-level attack traffic rather than a complete DDoS answer. Managers will require access to all files of their employees, including private files belonging to persons in different departments. This has been achieved with hierarchical Active Directory permissions, so that each department head can access the files of those in their department but not of anyone above them. Each user will have specific permissions giving them access to certain files and folders at different levels. Warehouse staff will have restricted internet access to social media sites, whereas office staff will have full access; we will use OpenDNS to restrict the sites. OpenDNS uses a predetermined list of sites that it classes as social media, and these rules can be changed dynamically so that if any problems are found they can be adjusted as necessary.

3.1.4 Access to services

Members of staff will have access to their own private file storage made available through Active Directory. This storage is replicated across all sites through folder redirection and a Domain Controller at each site, allowing staff to move from location to location without taking their files with them. Permissions on this storage are set through Active Directory as described in Security and Restrictions, and are hierarchical so that managers and directors have access in an emergency. Hosting of the web server will be handled by a cloud provider; we have decided to use Amazon Web Services, which means there will be next to no downtime for the website in the event of an outage at the offices. This is very achievable, as it is low cost and easy to manage from any computer.

For DNS we will use the Google public DNS servers as forwarders, so that internet name resolution still works if a server in the office goes down. Domain-joined clients must still use the Domain Controller's DNS as their resolver, because Active Directory logon depends on the DC's own DNS records, and the warehouse VLAN must use the OpenDNS resolvers for the filtering described above to take effect; the Google servers are therefore configured as forwarders on the DC rather than handed directly to clients. Active Directory will be used on our servers to provide employee logins, including usernames and passwords, and to manage their file server storage. DHCP will be handled by our router, the Cisco Meraki MX100, which will serve all wired and wireless devices apart from the servers, printers and wireless access points, which will have static IP addresses. Email has been achieved by setting up an email service on the AD server and Thunderbird as the email client on the host PCs. Email addresses from the old system will be kept, and new addresses will be based on the employee's initial and surname @techrep.co.uk. On-site resilience is provided by a RAID 1 configuration on the same AD server, which ensures that a single disk failure will not affect the day-to-day running of the company. Note that RAID 1 is not a backup: it mirrors deletions and ransomware damage as faithfully as it mirrors good data. Likewise, since the Domain Controller replicates changes to the other servers in the company, those replicas protect against the loss of a site, but they replicate deletions too and should not be relied on as the only backup (see the off-site backup recommendation in 3.3).

3.2 Strengths and Weaknesses

This section outlines the strengths and weaknesses of the project outcome. A weakness we encountered in the planning stage was that we did not account for all of the office space when deciding how many Wireless Access Points were needed to give good coverage across the office and warehouse. The warehouse had many obstacles in the building that interfered with the access points, so to fix this we added another access point in both the office and the warehouse, giving good coverage throughout the buildings. We also did not acquire the devices necessary for the 100% growth we put into our calculations; we only bought the devices needed for the current staff. We did keep TechRep's budget in mind, however, and purposely went well under it so that TechRep can buy devices as needed. The devices not bought for the 100% growth are end devices such as the workstations and perhaps the Wireless Access Points. To avoid unnecessary upgrades later, which would disrupt business hours once again, we intentionally oversized the distribution and access layers of the network so that devices can simply be plugged in without further upgrades. The 3 access layer switches per office allow a total of 144 Ethernet connections, all of which can be used for end devices since the access layer connects to the distribution layer over SFP+. We recommend locking down the unused ports (administratively shut down, or placed in an unused VLAN) while they are not in use, so that someone with physical access cannot simply plug into the network.

The modular design of the server we have chosen allows hot-swappable drives. Because of our RAID configuration, if a drive is pulled out while the server is running the other drives compensate, and when a replacement drive is added the array rebuilds the data onto it. The way the server is set up also allows another server to be added in the future if more storage is needed. We do not recommend swapping the drives for larger ones unless really needed: larger drives take longer to rebuild after a failure, which lengthens the window in which a second failure would lose data. If storage runs out, another server is preferred.

Another weakness we encountered while finishing the installation is that we did not account for company-wide attacks (such as ransomware) when choosing a backup solution. These are rare, and the present backup solution is good enough to recover from the most common failures, such as drive failure or other device failure, but it does not cover a whole-company incident.

3.3 Recommendations

TechRep has projected 80% growth over the next 5 years. Their current employee numbers are 18-19 people per office, so to make things easier we have allowed for 100% growth instead. The offices combined total 60 employees, so we have factored in an increase to up to 120 people. Since our company is only providing the installation of the equipment, we will not be providing long-term support for the running of the network, so our advice is to acquire a support package from a third-party company. This will ensure that any issues arising from the running of the network are handled and fixed without hefty one-off costs. This is only needed for abnormal issues, however; if the issue is with the devices themselves, then as long as they are within warranty the original equipment manufacturers (OEMs) such as Cisco and Ubiquiti should replace or fix them at no extra charge.

Another recommendation is that, once the 5-year projection has passed, another server could be added if space on the existing server becomes an issue. An extra server could easily be implemented by us if need be, and it would dramatically increase the storage capacity available to employees, as well as the resilience of the servers, since there is a lower chance of data being lost when it is mirrored across more drives.

One last recommendation would be to implement some sort of off-site backup. At present the Active Directory Domain Controller at the main site synchronises all the folder-redirection files held in Active Directory. This protects against drive failure and per-device failure (such as the server failing), but it does not protect against company-wide failure such as targeted attacks, physical and digital. To mitigate this it would be advisable to use an off-site backup such as Amazon Glacier or Google Nearline, which provide a cheap (per GB used) plan for disaster recovery in the event of a company-wide failure. The backup should be written with credentials separate from the domain administrator accounts and kept as dated versions rather than a single mirror, so that an attacker who has taken over the servers cannot also delete or encrypt the backups.

It is also advisable to implement IPv6 at some point so that the network is ready for full IPv6 support. This can be implemented easily on the local devices through router advertisements or DHCPv6, but will be harder to achieve for server communication through the VPN. For the future-proofing of the network, however, it is still highly advisable.

3.4 Modifications

During the project plan, the network was originally designed to have two Wireless Access Points, one in the warehouse and one in the office. However, we later decided that an additional access point was needed in each of the office and the warehouse. This was caught fairly early on and so did not create any disruption; it reduced the time needed later in the project, kept the cost down (delivery was the same as for the others) and kept the quality consistent, since all the access points were the same model. Also during development, when we were installing the network in the first office, Edinburgh, the SFP+ cables had not arrived, so we could only install the main network devices such as the switches and router; we then moved on to the next office so that we were not behind schedule. This meant we could go back in the second week to install the SFP+ cables at the Edinburgh site. This was easily manageable, since we were installing the hardware after office hours and not disconnecting the old network until the end of the install, so the new hardware could wait for the cables without disrupting working hours. It slightly affected the cost of the project, as we had to return to the office to install the SFP+ cables when we would otherwise have finished in one visit, adding fuel and transport costs. Quality was not affected, as the network was not yet complete and therefore not under load. Time was slightly affected, as we had to go back to Edinburgh to install the cables.

3.5 Knowledge and skills

From designing and building this network I have gained some useful skills and built on others. Designing and planning the network allowed me to research and gain insight into the networking devices I was thinking of using. More time spent in the planning stage also allowed me to expand my options for the later development stage. The Cisco skills I have gained over the past two years, in semesters one through four, gave me an easy insight into the devices I was to use when I visited other vendors' sites, so that I could recognise which features were needed to build the network to the specification I wanted and that TechRep wanted. I have used and enhanced the project management skills I gained before, and was able to adjust the project plan when problems arose. My personal experience with cloud computing systems such as Amazon Web Services allowed me to recommend cloud platforms for situations where systems cannot go down, along with the other benefits the cloud offers. My background in troubleshooting computers let me analyse problems better and implement solutions to mitigate them before they became a problem. The development stage also allowed me to broaden my knowledge of areas I would not normally have to think about, such as a UPS to keep the server online. One area I found fascinating was learning how Active Directory handles folder redirection; it also opened my eyes to Domain Controllers, making me think in a different way about how I could make them work more seamlessly with the rest of the equipment.


Bibliography

[1] Potential virtualization server: https://www.supermicro.nl/products/system/2U/6028/SYS-6028U-E1CNR4T_.cfm
[2] Cost for virtualization server: http://www.broadberry.co.uk/superservers-supermicro-servers/sys-6028u-e1cnr4t-plus
[3] WD Red HDDs: https://www.wdc.com/products/internal-storage/wd-red.html
[4] Cost for WD Red HDDs: https://www.amazon.co.uk/dp/B00EHBERSE/
[5] Seagate IronWolf HDDs: http://www.seagate.com/gb/en/internal-hard-drives/hdd/ironwolf/
[6] Cost for Seagate IronWolf HDDs: https://www.amazon.co.uk/gp/product/B01LYHW9NI/
[7] Dell OptiPlex 7040: http://www.dell.com/uk/business/p/optiplex-7040-micro-desktop/pd?oc=n016o7040mff&model_id=optiplex-7040-micro-desktop
[8] Dell UltraSharp Monitor U2414H: http://www.dell.com/ed/business/p/dell-u2414h/pd
[9] Cisco 6945 Unified IP Phone: https://www.cisco.com/c/en/us/products/collaboration-endpoints/unified-ip-phone-6945/index.html
[10] Price for Cisco 6945 Unified IP Phone: https://www.pmctelecom.co.uk/cisco-6945-unified-ip-phone
[11] Brother HL-3170CDW Printer: https://www.brother.co.uk/printers/colour-laser-printers/hl3170cdw
[12] Cisco Meraki MX100 Firewall and VPN Router: https://meraki.cisco.com/products/appliances/mx100
[13] Price for Cisco Meraki MX100: https://www.broadbandbuyer.co.uk/products/20238-meraki-mx100-hw/
[14] Ubiquiti ES-16-XG EdgeSwitch 16-port switch: https://www.ubnt.com/edgemax/edgeswitch-16-xg/
[15] Price for Ubiquiti ES-16-XG EdgeSwitch 16-port switch: https://www.broadbandbuyer.co.uk/products/26485-ubiquiti-es-16-xg/
[16] Ubiquiti UniFi 48 port PoE Switch: https://www.ubnt.com/unifi-switching/unifi-switch-poe/
[17] Price for Ubiquiti UniFi 48 port PoE Switch: https://www.broadbandbuyer.co.uk/products/21668-ubiquiti-us-48-500w-cloud/
[18] SFP+ cables: http://www.fs.com/products/30851.html
[19] SuperMicro SuperServer 6028U-TNR4T+ (complete system only): https://www.supermicro.com/products/system/2u/6028/sys-6028u-tnr4t_.cfm
[20] ECC server memory: https://www.kingstonmemoryshop.co.uk/server/supermicro/supermicro-superserver-6028u-tnr4t-super-x10dru-i-server/kingston-16gb-ddr4-2133mhz-reg-ecc-memory-ram-dimm-71556?gclid=CjwKEAjw8OLGBRCklJalqKHzjQ0SJACP4BHr_Z1BpMuyGwGuusULQb87Eltk7IXlsxC0wWkcTCwrPRoCrRbw_wcB
[21] Intel Xeon Processor E5-1660 v4: https://ark.intel.com/products/92985/Intel-Xeon-Processor-E5-1660-v4-20M-Cache-3_20-GHz
[22] APC Back-UPS 700 Watt: http://www.ebuyer.com/704438-apc-back-ups-700-watt-1400-va-230v-avr-iec-sockets-bx1400ui?
[23] Thunderbird spam filter: https://support.mozilla.org/t5/Basics/Thunderbird-and-Junk-Spam-Messages/ta-p/16272
[24] OpenDNS: https://www.opendns.com/
[25] Use of OpenDNS on Cisco Meraki devices: https://meraki.cisco.com/lib/pdf/opendns_with_meraki_solution_guide.pdf
[26] BlueProximity Bluetooth software used for two-factor authentication on the PCs: https://aur.archlinux.org/packages/blueproximity/
[27] Arch User Repository: https://aur.archlinux.org/