Example Network Design



This is a task I have performed for my network course. I am uploading to reference in other courses.


Michael Nancarrow
Small Network Upgrade

Proposed Small Network Upgrade - SkillageIT
Talon Textile Fasteners

Version | Date          | Changes                    | Note
--------|---------------|----------------------------|--------------------------------------
1.00    | 24th February | Created body               | Added base information from review
1.01    | 25th February | Added small data and table | Review rubric and apply current fields
1.02    | 27th February | Added data                 | Need to test Packet Tracer
1.03    | 30th February | Added data                 | Need to review wording of routing

Contents
Background Current Network
Organisational Structure Old and New
    Sites
    Admin
    Manufacturing
    Sales
    Operations
    Organisation Units
Server Specifications Dual Selection
    Physical Server(s)
    Role of Server
    Approval
    Server Build (Template)
    Server Guide
    Server and Networking Test
    Server Maintenance
Routing Policy
Planning for Implementation
    Cabling
    Protocols
    Traffic Monitoring
Security
    Perimeter Designs
    Remote Access
    Site To Site Links and VPN
    Defence In Depth
    Security Auditing
    Risk Analysis
Documentation
    Vendor Documentation
    In House Documentation

Background Current Network

Talon Textile Fasteners runs several offices from Head Office (Millicent), Mt Burr, Pts. Pirie and Adelaide. The current systems are Windows XP machines, Microsoft Small Business Server (2000), a Linux Red Hat (7.0) file server and a Microsoft SQL Server. Current system performance is not acceptable: the Manufacturing Supervisor highlighted that the system does not populate requests fast enough, and the Sales Manager has stated that manufacturing isn't able to keep up with sales. There is currently no VoIP service, remote management/access or virtualisation being employed by the client. All services need to be updated to current operating systems and hardware to ensure the efficiency of the group is not hindered. Nigel Techner, CIO, has stated that the communications setup and wireless at Mt Burr can be ignored as these have recently been upgraded; all other technologies need to be reviewed and set up as soon as possible. The CFO, Eddie Springton, has advised that the current capital investment for the network upgrade is $150,000.00 AU.

The main deliverables of the project are (but not limited to):
1. Provide the client with more current hardware for file servers and the SQL database;
2. In-house web server with appropriate security;
3. VoIP implementation for communications;
4. Virtualisation options with redundancy on a domain level;
5. Effective ordering system for online orders to communicate with an in-house database and;
6. Remote access to database and internal resources.
This does not cover the entire needs of TFF (Talon Textile Fasteners); however, it does cover the main project deliverables. The project deliverables can be highlighted as follows:

Each step needs to be performed during the 10 week project, and must be rolled out to all sites for the company. Each phase should require two weeks for completion, leaving another 4 weeks for delays, review and discussions.

Organisational Structure Old and New

Sites
There are currently four main sites for TFF: Head Office located in Millicent, Mt Burr, Pts. Pirie and Adelaide. There is currently interconnection between the sites (it is considered a WAN). Each site acts as an independent entity and has its own infrastructure, all of it outdated hardware.

Admin
The admin department (Data Entry Officers) resides in the head office at Millicent. All computers run Windows XP SP1 and have not been updated for over 12 years. These computers use an on-premise file server and SQL database, and use an internal Exchange server for E-Mail. These users are currently happy with the computers, although they understand the performance speeds cause issues. Due to the age of the system and the software used, upgrading to a later operating system (such as Windows 8) may cause issues with running software. The admin department is heavily reliant on E-Mail and access to the Microsoft Windows Small Business Server; both are considered critical IT services. The current hardware infrastructure of this site is as follows:
1. Thirty-five (35) Windows XP computers running Service Pack 1;
2. Three Kyocera FS-3920DN and one Kyocera M2535CDN;
3. One Master Domain Controller with DHCP role and DNS;
4. Linux Red Hat (7.0) file server with a partition for the SQL database.
The IP scheme of head office (hereby referenced as HO) is 10.128.15.0/24 with the following devices:
1. The main DC (Domain Controller) has an IP address of 10.128.15.10 and resolves as tffdc1.tff.com.au;
2. The Linux file server has an IP address of 10.128.15.12 and resolves as qld-lrhfs.tff.com.au;
3. The printer scope for static IPs is 10.128.15.2-9, where the FS-3920s use .2-.4 and the M2535 uses .5 of the range;
4. All computers have static IP addresses of .100-.135 for ease of maintenance for users.
This site has no backup solutions, redundancy or remote access, so IT support needs to attend this site for any IT-related issue. This site's Domain Controller has been promoted and all other DCs in the forest sit below it; all master operations roles have been applied to this DC. The current phone system is an older desk-phone style; it has limitations for internal calling and frequently faces issues with the services being provided. This site needs major consideration for redundancy, security and failover options to ensure that there is little to no downtime on critical IT needs.

Manufacturing
The manufacturing plant suffers from a lack of real-time updates from the sales department. In some aspects this site has less IT reliance than others. Currently on site there are:
1. One read-only Domain Controller with DHCP and DNS roles;
2. Four Kyocera FS-3920DN printers;
3. Five Windows XP computers;
4. One plasma television wired to a PC;
5. Three desk phones.
This site's IP address scheme is 10.128.16.0/24. Once sales push through a sale in their DMS/SQL it should flow through to another section of the DMS that the manufacturing department has access to. Because this information needs to relay to HO and then update to the manufacturing site, there are severe delays in the completion of orders. The current phone system works well, with only minor issues such as call drop-outs. The printers here are often over-utilised and frequently have job queues backed up. The current link to the SQL database, the number of printers and the network speeds for this site need to be reviewed as high priority; all sites are negatively affected by the delays experienced at this site.

Sales
The sales department is negatively impacted by the delayed data transfer to the manufacturing department, however it has fast access to the servers housed at Millicent. The sales department has seen an increase of 5% in the previous year and thus requires more hardware infrastructure to support the growth of the department. The current hardware infrastructure of this site (Pts. Pirie) consists of the following:
1. One Domain Controller with DHCP and DNS roles at 10.128.17.10 on the 10.128.17.0/24 network;
2. Twenty-five Windows XP machines ranging from 10.128.17.100-.125;
3. Four Kyocera FS-3920DN with an IP scheme of 10.128.17.2-.5.
This site is currently functioning at optimal settings, however it would like to be set up as the failover if Admin faces critical issues. The current phone system here is not functioning at optimal levels, and thus E-Mail and social networking have become a critical IT service; an in-house Exchange server should be set up here for faster access.

Operations
The new saw mill at Mt. Burr will be opening soon and will employ approximately 25 employees; it is estimated only 6 staff will require a computer whilst all other users operate machinery. Mt. Burr will be receiving a new communications rack and an ADSL2 connection back to Millicent (HO). As this site is newly opened there is no existing infrastructure in place, so SkillageIT will start from scratch. This site will require access to the in-house database, phone system, file server and E-Mail. This site is situated in a remote location and will be difficult to administer/maintain in the event issues occur. This site needs to be virtualised and have a redundancy link so that any failover does not leave users without services for an extended timeframe.

Organisation Units
As an organisational unit, there are uniform setups for IP schemes and infrastructure. The flexible single master operation roles are applied to the one DC: tffdc1.tff.com.au. The following standards have been applied per site:
1. Domain controllers are assigned a static IP address of .10 within each site's IP range;
2. The Linux file server resolves at .12 of the 10.128.15.0/24 network;
3. The printer scopes are .2-.9 (no printers have exceeded this range currently);
4. All computers have static IP addresses of .100-.135 for ease of maintenance for users.
Each department requires access to the in-house Exchange server, the DMS/SQL database and the Linux Red Hat file server. The preliminary organisational unit goal for TFF has been designed with the following boundaries:

1. Telstra TIPT phone system employed, resolving through the WAN to an external SIP server;
2. A WAN scenario divided into four sites: Admin, Manufacturing, Operations and Sales;
3. One HP 48-port switch for computers and one 48-port switch for VoIP, with VLANs set up;
4. Default route through the Admin router for accessing the external internet;
5. Citrix Remote Management server on the 10.128.15 network;
6. Redundancy links within Manufacturing for failover.

There is currently no failover setup for IT issues, no backup solution and no remote management/access. These will be addressed by single sign-on applications using Citrix XenApp, failover routes, backup solutions and a review of current security policies. The preliminary network outline has been designed and published below. This does not currently include the hosted Exchange server, backup solution or redundancy links.

The overview of the network can be summarised as:

This highlights the connection to the internet through the default route on the 10.128.15.0/24 network, how the web server will be hosted for external access, and the firewall policies for sites. For a detailed breakdown of each site's infrastructure refer to the Server Build section of this report.

Server Specifications Dual Selection
The current servers in place are outdated and require updating; the current hardware should also be replaced at this time. The ideal changes to be made are as follows:
1. A remote access server (XenApp) should be deployed and published so that external access can occur;
2. The current file server should be converted to Windows Server 2008/12 to ensure complete compatibility with Active Directory and group policies;
3. A snapshot server should be created to handle SQL backups and the file server changes;
4. The Windows Small Business Server 2000 and the SQL server need to be migrated to a newer server OS;
5. An internal SMTP/Exchange server should be created to work in cohesion with the on-site AD and;
6. Redundancy links for secondary DNS/DHCP/DC need to be set up at another site.
For power failure, several UPS systems should be employed at these sites (see specifications). Due to the upgrade of devices, there will also be a migration from static IP address schemes (for computers) to the DHCP server; this will require an overhaul of the current scopes and setup at all four sites.

Physical Server(s)

Current Servers
The current servers can be described as follows:
(1) Linux Red Hat (7.0) file server hosted on the 10.128.15.0/24 network;
(1) Master Domain Controller with DNS and DHCP roles hosted on 10.128.15.0/24 and;
(1) Microsoft Small Business Server with SQL hosted on 10.128.15.0/24.
All servers are hosted on the .15.0 network at Admin. This is the closest connection to the external router for Telstra and the connection to the internet.

Anticipated Servers
The anticipated servers for this site are as follows:
(1) Master Domain Controller with DNS and DHCP roles hosted on 10.128.15.0/24 and;
(1) Read Only Domain Controller on the 10.128.18.0/24 network;
(1) Backup Domain Controller on the 10.128.17.0/24 network with DNS and DHCP;
(1) Citrix Remote Access Server on the 10.128.18.0/24 network;
(1) Windows Server 2008 on the 10.128.15.0/24 network with the SQL;
(1) Secondary backup server for the SQL database;
(3) 2013 Exchange Servers at .15, .18 and .17 with the SMTP server on the .15;
(1) Web server hosted on the .15 Admin network.
There is also a discussion to install a Nagios server for the monitoring of hardware such as WAPs, switches and other network devices. If requested, there may also be a print server set up to link with Active Directory for maintenance.
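As an added example (not from the report or from SkillageIT), the following Python checks a device inventory against the per-site addressing standard from the Organisation Units section and derives the DHCP scopes that remain once the static ranges are excluded, which is the scope overhaul the DHCP migration above calls for. The site networks, the .10/.12/.2-.9/.100-.135 conventions and the .254 gateway come from the report; the min_hosts cut-off and the inventory entries are constructed, though the XenApp address 10.128.15.110 is the one the Server Build template lists.

```python
# Added example, not part of the original report: audits addresses against the
# TFF per-site standard and derives DHCP scopes outside the static ranges.
import ipaddress
from typing import Dict, List, Tuple

# Site networks as listed in the report.
SITES = {
    "Admin": ipaddress.ip_network("10.128.15.0/24"),
    "Manufacturing": ipaddress.ip_network("10.128.16.0/24"),
    "Sales": ipaddress.ip_network("10.128.17.0/24"),
    "Operations": ipaddress.ip_network("10.128.18.0/24"),
}

# Host-part conventions from the report: role -> (first host, last host).
# The .254 gateway is taken from the switch config and routing path shown later.
STANDARD = {
    "printer": (2, 9),
    "domain_controller": (10, 10),
    "file_server": (12, 12),
    "workstation": (100, 135),
    "gateway": (254, 254),
}


def _addr(base: int, offset: int) -> str:
    return str(ipaddress.ip_address(base + offset))


def role_of(addr: str) -> Tuple[str, str]:
    """Return (site, role) the standard reserves for an address.

    Raises ValueError if the address lies outside every TFF site network.
    """
    ip = ipaddress.ip_address(addr)
    for site, net in SITES.items():
        if ip in net:
            host = int(ip) - int(net.network_address)
            for role, (lo, hi) in STANDARD.items():
                if lo <= host <= hi:
                    return site, role
            return site, "unassigned"
    raise ValueError(f"{addr} is not in any TFF site network")


def audit(inventory: Dict[str, str]) -> List[str]:
    """Flag devices whose declared role clashes with the range their address sits in."""
    findings: List[str] = []
    for addr, declared in inventory.items():
        try:
            site, expected = role_of(addr)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if expected != declared:
            findings.append(
                f"{addr} ({site}): declared {declared}, "
                f"standard reserves this host for {expected}"
            )
    return findings


def dhcp_scope(site: str, min_hosts: int = 8) -> List[Tuple[str, str]]:
    """Usable DHCP ranges for a site after excluding every static range in STANDARD.

    Fragments smaller than min_hosts (an assumed cut-off) are dropped so the
    scope does not end up as a scatter of one-address ranges.
    """
    net = SITES[site]
    base = int(net.network_address)
    ranges: List[Tuple[str, str]] = []
    cursor = 1  # .0 is the network address
    for lo, hi in sorted(STANDARD.values()):
        if lo > cursor and lo - cursor >= min_hosts:
            ranges.append((_addr(base, cursor), _addr(base, lo - 1)))
        cursor = max(cursor, hi + 1)
    if 255 - cursor >= min_hosts:  # .254 is the last usable host, .255 broadcast
        ranges.append((_addr(base, cursor), _addr(base, 254)))
    return ranges


# Constructed inventory: the report's DC, file server and XenApp addresses.
SAMPLE_INVENTORY = {
    "10.128.15.10": "domain_controller",
    "10.128.15.12": "file_server",
    "10.128.15.110": "server",  # XenApp from the Server Build template
}

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print("FINDING:", line)
    for site in SITES:
        print(site, dhcp_scope(site))
```

The XenApp entry is reported because .110 falls inside the .100-.135 workstation range the standard reserves, so a static-to-DHCP cutover would have to reserve it explicitly.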

Role of Server
There are several additional servers that will be deployed for TFF, each with its own special role. The main roles to be considered are the Active Directory FSMO roles (Schema, Domain Naming, RID, PDC and Infrastructure Masters) and the Global Catalogue server.

Master Domain Controller with DNS and DHCP Role
The Master Domain Controller (tffdc1.tff.com.au on the 10.128.15.0/24) has the DHCP and DNS roles applied; this DC also runs all the FSMO master roles for the TFF company. This Domain Controller also houses the Active Directory service and is the root of the TFF forest. This DC is critical for TFF; any downtime on this machine means group-wide downtime for all sites.

Read Only Domain Controller
The Read-Only Domain Controller will be implemented for redundancy. In the event the master DC (tffdc1) goes down (and the backup takes the lead), the flexibility to promote this DC should be present. This Read-Only DC serves the purpose of copying the main DC for redundancy and acts as a load-balancer for DNS requests. This server will probably be housed on the 10.128.17.0/24 network.

Backup Domain Controller
The Backup Domain Controller helps alleviate the pressure when there is an issue on the main DC. It serves the role of secondary DHCP and DNS for TFF and can be used as a load-balancer when there is high demand.

Citrix Remote Access Server
An independent server is to be commissioned for remote access to internal files. This Citrix XenApp server (qld-cit1.tff.com.au) can be housed on any network and will have an external IP address and public DNS address to allow users to log into the internal service with their AD accounts. This will allow users to work from home and will allow remote management of sessions.

Windows Server 2008 with SQL
The Windows Server (2000) is no longer supported and needs to be updated. Because the SQL database is hosted on this server it needs to be backed up and migrated or virtualised. The Windows Server 2008 can act as the host for the SQL database and DMS system, and as the file system (replacing the RDHS). This server can serve a dual role (provided the hardware is updated) for the in-house DMS and the file server.

One Secondary Backup Server
The secondary backup server acts as the backup snapshot of the file server and also the SQL database. This server will be housed on the same network, as we cannot afford to transfer large volumes of data from site to site, but will have a UPS for power failover.

2013 Exchange Servers
There will be three Exchange servers to handle E-Mail for the .15, .16 and .18 networks. This will cover the SMTP gateway, storage and operation. These servers will operate off AD for groups etc. and will function internally. The option to convert to Exchange ActiveSync (365) is also available.

Web Server
There will also be a web server to publish applications such as ordering parts from an online interface. This is separate from Citrix. Once this has been set up the relevant security protocols/measures will be applied. Further discussion of this is required.

Network Virtualisation
With the physical hardware selected for server upgrades, the ability to implement hardware virtualisation through Hyper-V 3.0 becomes available. Hyper-V, formerly Windows Server Virtualisation, is a utility that allows multiple servers to be hosted on the one physical machine. This means that one machine can be managed as a file share, DNS server, DHCP server or whatever role is required through the business. Some of the key uses for Hyper-V could be making virtual Windows XP machines to support archaic programs, or helping unfamiliar users transition from their older computers. This VM environment can also be utilised for testing application settings and other real-world settings before applying them to sites. According to TechNet, the following are the hardware requirements to run Hyper-V 3.0 on a Windows Server:

"To install and use the Hyper-V role, you need the following:
- An x64-based processor. Hyper-V is available in x64-based versions of Windows Server 2008, specifically the x64-based versions of Windows Server 2008 Standard, Windows Server 2008 Enterprise, and Windows Server 2008 Datacenter.
- Hardware-assisted virtualization. This is available in processors that include a virtualization option, specifically Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V).
- Hardware-enforced Data Execution Prevention (DEP) must be available and be enabled. Specifically, you must enable the Intel XD bit (execute disable bit) or AMD NX bit (no execute bit)."

For more information on Hyper-V 3.0 refer to https://technet.microsoft.com/en-au/library/cc742440.aspx

Windows Server 2012 System Requirements [1]
[1] Microsoft Server 2012 (R2) also requires a Gigabit Ethernet Adapter.

Component | Requirement
----------|------------------------
CPU       | 1.4 GHz 64-bit processor
RAM       | 512 MB
HDD       | 32 GB

Windows Server 2012 Pricing

Plan         | Standard Plan
-------------|-------------------------------------------------------------
Designed For | Low-density and non-virtualized environments
Features     | Full Windows Server functionality with two virtual instances
License Type | Processor + CAL
Price        | $882.00 (USD)

To an enterprise, three key benefits of Microsoft's server are the data deduplication process, the implementation of Hyper-V 3.0 and out-of-the-box server management. Along with the tools to operate the system, there are online forums, technical support and hardware support associated with a Microsoft product [3].
[3] Refer to Appendix I for a full breakdown of the benefits listed.

By enabling server virtualisation in a data centre, or across a high-speed WAN, virtual server images (.vhd) can be migrated across host machines in a live environment. Utilising hardware that can perform this function will allow TFF a greater uptime percentage and will lower their downtime. Assume Server A and Server B are two of the Eland Pro Pedestal servers (mentioned below), with the DC, DNS, DHCP and Exchange Server all hosted on Server A. In the event of network issues on premise, or the requirement to move from one site to another, Windows Server 2012 with Hyper-V 3.0 can live-migrate a VHDX (Virtual Hard Disk) from Server A to Server B. In this process, users are still able to access Server A's files in a read-only format, but will write all changes to Server B.

By utilising this tool, there is a greater flexibility in moving servers and data from site-to-site with little to no downtime. The key role server virtualisation can perform for TFF is the ability to take snapshots of servers in real time; in the event of an attack or malfunction on the server, the server with the troublesome VHD can be decommissioned and the older VHD setup.

Approval
The following hardware will be purchased (upon approval) for the new network design:

Device                                           | Price Per Unit | Qty | Total Price | Approval | Asset Tag
-------------------------------------------------|----------------|-----|-------------|----------|------------------
Cisco Meraki Cloud Managed Indoor Access Points  | $480.00        | 25  | $12,000.00  | CFO      | 20140000-0025
HP1620                                           | $680.00        | 10  | $6,800.00   | CFO      | 20140026-0036
Eland Pro Pedestal                               | $15,000.00     | 3   | $45,000.00  | CFO      | 20140037-40
Intel Core i5 4690 Turbo Pack                    | $802.00        | 25  | $20,050.00  | CFO      | 20140041-66
Toshiba SATPro L50 PSKT5A-001001                 | $799.00        | 25  | $19,975.00  | CFO      | 20140067-20140093
Powershield UPS 750VA Safeguard Line Interactive | $109.00        | 5   | $545.00     | CFO      | 20140094-0099
HP Jetdirect Ew2500 Wireless Print Server        | $329.00        | 1   | $329.00     | CFO      | 20150000
Eland Pedestal                                   | $357.00        | 7   | $2,500.00   | CFO      | 20150000-0005

The total price for the above is $102,199.00, leaving $47,801.00 for the purchase of software (XenApp, Microsoft Server(s), backup solutions etc.). This will need to be placed before the board (CIO, CEO and CFO) for the required approval. This plan covers all required servers, UPS devices, wireless access points and 50 stations for users. There are also two switches per site with a backup of two switches for replacement. There will also need to be 5 routers added for the new cutover, or possibly a re-design of the current router infrastructure.

Server Build (Template)

Domain Controller 1
Name: tffdc1.tff.com.au
IP Address: 10.128.15.10
Roles: FSMO Master, DNS, DHCP and AD-DS
Redundancy: Backup Domain Controller
Purpose: Primary DHCP and DNS, master DC, and provides AD services for the TFF group.

Backup Domain Controller
Name: tffdc2.tff.com.au
IP Address: 10.128.16.10
Roles: DNS, DHCP and AD-DS
Redundancy: Read Only Domain Controller
Purpose: Secondary Domain Controller for load balancing.

Read Only Domain Controller
Name: rodctff.tff.com.au
IP Address: 10.128.17.10
Roles: Read-only mirror of DC1. DNS, DHCP and AD-DS can be applied.
Redundancy: No redundant option for this DC.
Purpose: Read Only DC which can be promoted in the event of the secondary DC going down.

Citrix XenApp Server
Name: xenapp.tff.com.au
IP Address: 10.128.15.110 with external IP address of 172.201.144.11
Roles: Remote Access
Redundancy: There is no redundancy for the Citrix server.
Purpose: Remote access server which allows external access to internal resources.

Backup Server
Name: tffbk.tff.com.au
IP Address: 10.128.15.201
Roles: Backup
Redundancy: There is no redundancy for this server.
Purpose: Performs backup of the file server and SQL database periodically.

Windows 2008 Server + SQL
Name: sqlfs.tff.com.au
IP Address: 10.128.15.12
Roles: File Share and SQL Database
Redundancy:
Purpose: Main file share server; also hosts SQL for the in-house DMS.

Printer Server
Name: printsvr.tff.com.au
IP Address: 10.128.15.202
Roles: Primary Printer Server
Redundancy: There is no redundancy for this server.
Purpose: Set up for universal printer management.

Web Host Server
Name: websvr.tff.com.au
IP Address: 10.128.15.220 with external 172.201.144.13
Roles: Web hosting for client orders
Redundancy:
Purpose: To allow client orders externally to the internal database.

Exchange Server
Name: exchsvr.tff.com.au
IP Address: 10.128.15/16/17.221
Roles: Exchange servers for sites
Redundancy: Each server can become redundant for the others.
Purpose: For internal Exchange hosting and E-mail.

These sites can be further broken down as in the following diagram(s).

Admin Site 10.128.15.0/24

Manufacturing Site 10.128.16.0/24

Sales Site 10.128.17.0/24

Operations Site 10.128.18.0/24

Switches are configured with a universal setup as follows (VLAN configuration example):

    hostname adm_switch_hp1620_48p
    qos dscp-map af31 priority 4
    qos type-of-service diff-services
    ip default-gateway 10.128.15.254
    vlan 1
       name "DEFAULT_VLAN"
       untagged 1-52
       ip address 10.128.15.200 255.255.255.0
       qos dscp af31
       exit
    vlan 2
       name "VLAN2"
       tagged 49-52
       no ip address
       exit
    spanning-tree
    spanning-tree priority 2
    no tftp server
    no dhcp config-file-update
    password manager
    password operator

Server Guide
The Primary Domain Controller, Microsoft Windows 2008 Server with SQL and Web Hosting server run the following hardware [4]:
[4] Please refer to the Appendix for technical information on the servers.

1. No Operating System Support
2. 2.70 GHz E5-2697 v2 (30MB Cache, 130 Watt, 12 Cores, 24 Threads)
3. 128 GB Quad Channel Registered ECC DDR3 at 1333 MHz (8 x 16GB)
4. 2.70 GHz E5-2697 v2 (30MB Cache, 130 Watt, 12 Cores, 24 Threads)
5. 128 GB Quad Channel Registered ECC DDR3 at 1333 MHz (8 x 16GB)
6. RAID 10 - adds an 8 Port Hardware RAID Card
7. 24 TB RAID 10 - 8 x 6TB 3.5" 7200 RPM Drives
8. Lights Out Remote Management Module
9. RAID Battery Backup - ensures data integrity in the event of power failure
10. 10 Gb SFP+ Dual Port Network Adapter
11. Second Dual Layer CD-RW / DVD-RW
12. Dual Layer CD-RW / DVD-RW
13. Pedestal to 4U Rack Conversion Kit
14. Logitech Desktop MK200
15. 20" Widescreen LCD Display (1600x900)
16. 3 Year Limited Labor and Overnight Parts Warranty

The other servers are pre-deployed with the relevant OS and roles (as they are custom-built by the manufacturer) to cover all relevant needs. The credentials to log in to these systems are variants of the following:
Username: issadmin
Password:
All servers will have appropriate security permissions set to prevent users from tampering with settings. The hardware choices far exceed the current needs of TFF, but have been built with the intention of performing their role for a minimum of five years before needing to be upgraded. The speeds of the servers and computers will (as anticipated) exceed the requirements of the customers, and will ensure that the effectiveness of the company is not hindered. The switches are connected via a 1 Gbps fibre-optic link, which, depending on the provider, will be efficient enough to handle all data on the current WAN.

Server and Networking Test
For server testing and network testing, the following tools are suggested:
Diagnostic
1. Wireshark
2. NetBrute Scanner
3. Cisco Network Manager
Security
1. LanGuard
2. ZoneAlarm
DOS Commands
1. Ping
2. Pathping
3. Tracert
4. NetStat
5. NSLookup
Testing should focus on ensuring data reaches the destination (such as the default-route router) in a timely manner, that accessing the database and file server occurs in an acceptable timeframe, that failover methods such as secondary WAPs work effectively, and that all devices on the network can be monitored. Example tests can be as follows:
1. Remove/turn off the default-route router to the internet to ensure that the Provider Edge routers are able to set up a secondary route to the internet;
2. Turn off the primary Domain Controller and ensure that the backup DC promotes to primary and supports the network;
3. Access the web server internally and externally and;
4. Ensure that the UPS units are able to provide little to no downtime for users when power outages occur.
Server Maintenance
Maintaining the hardware and software on servers is crucial for increasing the lifespan of the device and providing services in a timely manner. Server maintenance should occur regularly to ensure system performance is acceptable. Server maintenance can refer to applying Windows updates and patches or physical cleaning of hardware. There should be strict guidelines on maintenance applied to servers, e.g. each Friday a set server is backed up, updates are applied and it is rebooted. When there are issues with servers, the issue should be rectified as quickly as possible, the scenario reviewed, and then relevant changes made to the server (if applicable) for future instances. The on-going maintenance plan can be summarised as follows:
1. All relevant system(s) will be backed up once per month (prior to) updates and patches being applied;
2. System logs will be monitored and reviewed periodically to ensure there are no issues with the service;
3. All systems will be rebooted one Sunday per month to ensure there are no lingering issues with the system.
Management is to be consulted for any other changes required. Full details of changes are to be documented for historical purposes.

Routing Policy
Routing policies need to be applied to ensure that there is QoS and load balancing. Routing policies need to be set up for web traffic (HTTP:80/HTTPS:443), FTP (port 21) and other internal applications. The following routing policies are defined:

Packet Size
All routing policies are defined with the enterprise security software, currently McAfee, as follows:

The monitoring of packet size and destination is imperative to ensure there are no network overloads or attacks from external parties. By placing size limitations on packets, such as the SMTP packets from Outlook, TFF is able to monitor and reduce malicious attacks on data.

Application
The monitoring of data sent from an application is important. The routing policies and correct firewall settings need to be set up to allow only desired connections to be established; this is imperative when hosting a web service such as online order forms. By employing enterprise security such as the McAfee Security Engine, the internal IT team can trace packet destinations etc. and create firewall rules to either accept or deny requests:

Whilst using the GUI is easier, users should be able to delve into the command line to perform testing. All policies need to be set up in one universal program for ease of access, and must be able to be altered by the IT team if needed.

Port/Protocol

Port 80: HTTP Protocol
At present there is only one default route to the web, through the CPE router on the .15 network. All routing through the WAN is set up via the provider, with redundancy links here. There is an obsolete routing policy of the following:
[Client IP address] > 10.128.[Site].254 (CPE Router) > CPE Router > 10.128.15.254 > Internet
In some cases, such as access to the web application, port 80 is filtered to only allow secure (HTTPS) access.

Port 443: HTTPS Protocol
HTTPS routes are only filtered for content size to prevent DoS attacks and other malicious attacks. The provider handles all routes for this protocol.

Port 21: FTP Protocol
FTP is denied by default; only known destinations (explicit entries) are allowed access to internal and external hosts.

Port 25: SMTP Protocol
SMTP is accepted, based on packet size. The default route for this is set up and traffic is only filtered when large packets are sent, when packet volumes are high, or if the firewall (or anti-virus) flags the packets as malicious.

Port 23: Telnet
The Telnet protocol is disabled/denied any access. The router rule adds known exceptions such as: if the destination address is 172.20.3.34:23 then allow traffic, otherwise block. This policy ensures that only applications with approved destinations are allowed to connect. It relies on a firewall, router and anti-virus solution for data integrity and security.

Planning for Implementation
There are core services that need to function correctly with routing policies, such as:
1. Full functionality of the internal DNS servers and DHCP services;
2. Full functionality/access to internal resources such as the SQL Database;
3. Full functionality/routing to local Exchange servers for E-mail.
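As an added example (not the report's own and not McAfee's configuration), the port/protocol rules above are written out as a small Python policy engine so that each rule can be tested before the universal rule set is rolled out. The web server's external address 172.201.144.13, the Telnet exception 172.20.3.34:23 and the Exchange .221 addresses come from the report; the FTP explicit entry, the size and volume thresholds, and the final default-deny for unlisted ports are assumptions.

```python
# Added example, not part of the original report: a testable model of the
# per-port policy (80, 443, 21, 25, 23) described in the Routing Policy section.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Tuple

WEB_SERVER = "172.201.144.13"          # external address of websvr (from report)
TELNET_EXCEPTIONS = {("172.20.3.34", 23)}  # known exception (from report)
FTP_EXPLICIT = {("10.128.15.12", 21)}  # assumed: only the internal file server
MAX_SMTP_BYTES = 10 * 1024 * 1024      # assumed SMTP packet-size limit
MAX_HTTPS_BYTES = 2 * 1024 * 1024      # assumed HTTPS content-size limit
MAX_SMTP_PER_SOURCE = 100              # assumed per-source volume limit


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    size: int = 0
    flagged: bool = False  # set when the firewall/anti-virus marks it malicious


class PortPolicy:
    """Stateful evaluator: SMTP volume is counted per source address."""

    def __init__(self) -> None:
        self.smtp_count: Dict[str, int] = defaultdict(int)

    def decide(self, p: Packet) -> Tuple[str, str]:
        if p.dport == 80:
            # The web application only accepts secure access.
            if p.dst == WEB_SERVER:
                return "deny", "web application accepts HTTPS only"
            return "allow", "HTTP via default route"
        if p.dport == 443:
            if p.size > MAX_HTTPS_BYTES:
                return "deny", "HTTPS content size limit"
            return "allow", "HTTPS"
        if p.dport == 21:
            if (p.dst, 21) in FTP_EXPLICIT:
                return "allow", "FTP explicit entry"
            return "deny", "FTP denied by default"
        if p.dport == 25:
            self.smtp_count[p.src] += 1
            if p.flagged:
                return "deny", "SMTP flagged malicious"
            if p.size > MAX_SMTP_BYTES:
                return "deny", "SMTP packet size"
            if self.smtp_count[p.src] > MAX_SMTP_PER_SOURCE:
                return "deny", "SMTP volume from source"
            return "allow", "SMTP"
        if p.dport == 23:
            if (p.dst, 23) in TELNET_EXCEPTIONS:
                return "allow", "Telnet known exception"
            return "deny", "Telnet denied"
        return "deny", "no policy for port (default deny, assumed)"


def run_sample() -> Dict[str, str]:
    """Evaluate a constructed packet set; returns label -> allow/deny."""
    policy = PortPolicy()
    sample = {
        "http_to_webapp": Packet("203.0.113.5", WEB_SERVER, 80),
        "https_to_webapp": Packet("203.0.113.5", WEB_SERVER, 443, size=4096),
        "ftp_unknown": Packet("10.128.17.101", "198.51.100.9", 21),
        "ftp_explicit": Packet("10.128.17.101", "10.128.15.12", 21),
        "telnet_exception": Packet("10.128.15.100", "172.20.3.34", 23),
        "telnet_other": Packet("10.128.15.100", "10.128.15.200", 23),
        "smtp_large": Packet("10.128.15.101", "10.128.15.221", 25,
                             size=MAX_SMTP_BYTES + 1),
    }
    results = {name: policy.decide(pkt)[0] for name, pkt in sample.items()}
    # Volume rule: message number MAX_SMTP_PER_SOURCE + 1 from one host is denied.
    burst = [policy.decide(Packet("10.128.16.100", "10.128.16.221", 25, size=512))
             for _ in range(MAX_SMTP_PER_SOURCE + 1)]
    results["smtp_burst_first"] = burst[0][0]
    results["smtp_burst_last"] = burst[-1][0]
    return results


if __name__ == "__main__":
    for label, decision in run_sample().items():
        print(f"{label:20s} {decision}")
```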
Because all sites function on the same WAN, applying universal application-based routing rules and port/protocol rules should be simple enough to achieve; in the internal WAN with no cross-over IP ranges the MPLS method does not need to be employed. All the routing for TFF can be done through the perimeter firewall and applied to all sites. Testing for full accessibility to internal resources, the web-sever from external resources and E-Mail should occur before rolling out changes. CablingAll cabling will be handled internally. Colour-coded RJ45 will be used on switches to highlight servers, WAPS, Computer and phones. Ideally on all switches, using the ports from left to right (0-12 and 25-36) will allow for easier scalability in the future. Fibre converters (LC to SC) will be a universal option and will be deployed on all newer switches. Cable ties will be applied on the communications rack and zip ties for users cables. This will help minimise damage to cables, mess and ultimately make easier to monitor and maintain. ProtocolsSeveral different protocols will be employed for TFF, such as http(s), FTP and STP. Each protocol is a standard employed for an operation on the network. HTTP/HTTP: Hyper Text Transfer Protocol (Secure): is the set of rules for transferring files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. SSL: Secure Socket Layer: Is the standard security technology for establishing an encrypted link between a web server and a browser.FTP: File Transfer Protocol: is a standard network protocol used to transfer computer files from one host to another host over a TCP-based network, such as the Internet.STP: Spanning Tree Protocol: is a network protocol that ensures a loop-free topology for any bridged Ethernet local area network. The basic function of STP was to prevent bridge loops and the broadcast radiation that results from them. 
Spanning tree also allows a network design to include spare (redundant) links to provide automatic backup paths if an active link fails, without the danger of bridge loops or the need for manual enabling/disabling of these backup links.
SMTP: Simple Mail Transfer Protocol: is an Internet standard for electronic mail (e-mail) transmission.
Each protocol utilises a standard port and can be defined as an application/protocol rule within an enterprise solution. By setting policies based on port usage, such as ftp.server.example:21, TFF can help ensure there are no security threats allowing users to penetrate the internal network.

Traffic Monitoring
Traffic monitoring should occur for both security and review. Tools such as Microsoft Network Manager and Nagios will allow TFF to highlight bandwidth hogs or isolate issues with the network. By employing a monitoring solution such as Nagios, TFF is able to actively watch the services of all servers, switches and WAPs and identify minor issues that could escalate to larger problems if not attended to. By implementing another tool such as BandwidthD, TFF will be able to identify network usage by IP address, or computer. This tool will allow TFF to ensure there are no DDoS attacks or other network problems that will hinder performance for others. Nagios is a freeware tool that monitors statistics of infrastructure by sending SNMP requests to poll for information on current services, such as:

All hosts and services can be expanded for more detailed information on the issues and their history. By coupling this with site-hierarchy schemes, Nagios can effectively advise whether an entire network has gone down, or just portions of it (such as wireless devices off WAP1). An example of the network monitor can be shown as follows:

By coupling a monitoring solution such as Nagios with a database, TFF will be able to increase their overall system uptime and response to issues. It is also important to track usage of services for TFF, such as how much data is being used per PC and per protocol. Using BandwidthD to achieve this can help reduce network load, by identifying and stopping known issues.

Overall, having live system monitoring can assist the internal IT department in highlighting any issues within the network and attending to them before they affect the business. Ensuring that critical IT services are operational is an imperative goal on any network.
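The site-hierarchy behaviour described above (Nagios reporting whether a whole network is down or only the devices behind a failed WAP) comes from host parent relationships. The following is an added illustration written for this report, not Nagios code or anything from the SkillageIT design: it models a constructed host tree for one site (all host names are assumed), applies the Nagios rule that a failed host whose parent is also unreachable is marked UNREACHABLE rather than DOWN, and separates the root-cause host from the hosts that are merely cut off behind it.

```python
from typing import Dict, List, Optional

# Constructed host hierarchy for one TFF site (names assumed). Each value is
# the host's parent, i.e. the last hop the monitoring server passes through to
# reach it. Wireless clients sit behind WAP1, which sits behind the core switch.
TOPOLOGY: Dict[str, Optional[str]] = {
    "cpe-router": None,            # first hop from the monitoring server
    "core-switch": "cpe-router",
    "file-server": "core-switch",
    "sql-server": "core-switch",
    "wap1": "core-switch",
    "wifi-client-1": "wap1",
    "wifi-client-2": "wap1",
}


def classify(topology: Dict[str, Optional[str]],
             probe_ok: Dict[str, bool]) -> Dict[str, str]:
    """Nagios-style host states from raw probe results.

    UP          : the host answered its check.
    DOWN        : the host failed and its parent is UP (the fault is here).
    UNREACHABLE : the host failed but so did its parent, so the real fault is
                  upstream and this host is only cut off.
    """
    states: Dict[str, str] = {}

    def state(host: str) -> str:
        if host not in states:
            if probe_ok.get(host, False):
                states[host] = "UP"
            else:
                parent = topology.get(host)
                if parent is not None and state(parent) != "UP":
                    states[host] = "UNREACHABLE"
                else:
                    states[host] = "DOWN"
        return states[host]

    for host in topology:
        state(host)
    return states


def root_causes(states: Dict[str, str]) -> List[str]:
    """Hosts an engineer should actually go and look at."""
    return sorted(h for h, s in states.items() if s == "DOWN")


def blast_radius(states: Dict[str, str]) -> List[str]:
    """Hosts that are offline only because something upstream failed."""
    return sorted(h for h, s in states.items() if s == "UNREACHABLE")


def summarise(topology: Dict[str, Optional[str]], probe_ok: Dict[str, bool]) -> Dict[str, List[str]]:
    states = classify(topology, probe_ok)
    return {"root_causes": root_causes(states), "cut_off": blast_radius(states)}


if __name__ == "__main__":
    # Scenario: WAP1 fails, so its two wireless clients stop answering too.
    probes = {h: True for h in TOPOLOGY}
    probes.update({"wap1": False, "wifi-client-1": False, "wifi-client-2": False})
    print(summarise(TOPOLOGY, probes))
    # Scenario: the CPE router fails and nothing behind it answers.
    print(summarise(TOPOLOGY, {h: False for h in TOPOLOGY}))
```

With the WAP1 scenario the summary names only wap1 as a root cause and lists the two wireless clients as cut off; with the CPE router down, the router is the single root cause and every other host is UNREACHABLE, which is the distinction the text relies on to tell a site outage from a partial one.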

Security
Implementing firewalls per site is a key solution to maximise security from both external and internal attacks. This section will highlight the security measures SkillageIT employ for clients.

Perimeter Designs
Implementing Perimeter Firewalls/Security[footnoteRef:5] is a crucial step to ensuring the internal network is safely guarded. The following network design highlights the flow of network traffic employed at TFF. [5: https://technet.microsoft.com/en-us/library/cc700828.aspx ]

Border routers and switches are referred to as CPE (Client Perimeter Equipment) in this document, and firewalls have not been highlighted. The above diagram highlights both the .15 network and the WAN, which can be defined as follows:

Note: For the purpose of stating the network, routing and IP address schemes have been ignored. It is also important to know common forms of attacks on networks, such as:
1. Packet Sniffers/Sniffing;
2. IP Spoofing;
3. Denial Of Service Attacks (DoS);
4. Application Layer Attacks;
5. Virus Attacks and;
6. Trojans.
All of the above attacks are expanded upon on the TechNet website. By employing strict policy guidelines, most attacks can be identified by clients. By employing a Class 4 High End Firewall TFF can obtain the following:

The advantages and disadvantages of this firewall are highlighted as follows:

Advantages
High performance: Hardware firewall products are designed for a single purpose and provide high levels of intrusion-blocking together with the least degradation of performance.
High availability: High-end hardware firewalls can be connected together for optimal availability and load balancing.
Modular systems: Both hardware and software can be upgraded for new requirements. Hardware upgrades may include additional Ethernet ports, while software upgrades may include detection of new methods of intrusion.
Remote management: High-end hardware firewalls offer better remote management functionality than their low-end counterparts.
Resilience: High-end hardware firewalls may have availability and resilience features, such as hot or active standby with a second unit.
Application layer filtering: Unlike their low-end counterparts, high-end hardware firewalls provide filtering for well-known applications at the L4, L5, L6, and L7 layers of the OSI model.

Disadvantages
High cost: High-end hardware firewalls tend to be expensive. Although they can be purchased for as little as $100, the cost is much higher for an enterprise firewall, since the price is often based on the number of concurrent sessions, throughput, and availability requirements.
Complex configuration and management: Because high-end hardware firewalls have much greater capability than low-end firewalls, they are also more complex to configure and manage.

Although this system can be more expensive and difficult to maintain than other firewall options, it covers all potential holes in the system. This system can be optimised to match IP policies, port policies, ICMP messages, outgoing access, and application protection, and provides real-time alerts and logging for the review of security. By coupling this option with the remote management feature and VPN connectivity, TFF are able to maximise their security for access internally and externally to systems. This option is the preferred option for TFF.

The following are known issues with employing a Perimeter Firewall and should be considered before selecting an enterprise solution:

Issue: Required firewall features, as specified by the security administrator.
Typical characteristics of a firewall implemented in this capacity: This is a balance between the degree of security required versus the cost of the feature and the potential degradation of performance that increased security may cause. While many organizations want the maximum security for a perimeter firewall, some are not willing to take the performance hit. For example, very high-volume Web sites not involved with e-commerce may allow lower levels of security, based on higher levels of throughput obtained by using static packet filters instead of application layer filtering.

Issue: Whether the device will be a dedicated physical device, provide other functionality, or be a logical firewall on a physical device.
Typical characteristics: As the gateway between the Internet and the enterprise's network, the perimeter firewall is often implemented as a dedicated device, in order to minimize the attack surface and accessibility of internal networks that would occur if the device were breached.

Issue: Manageability requirements for the device, as specified by the organization's management architecture.
Typical characteristics: Some form of logging is typically used, while an event monitoring mechanism is also often required. Remote administration may not be allowed here, in order to prevent a malicious user from remotely administering the device, and only local administration will be allowed.

Issue: Throughput requirements, which will likely be determined by the network and service administrators within the organization.
Typical characteristics: These will vary for each environment, but the power of the hardware in the device or server and the firewall features being used will determine the overall network throughput available.

Issue: Availability requirements.
Typical characteristics: As the gateway to the Internet in large enterprises, high levels of availability are often required, especially when a revenue-generating Web site is protected by a perimeter firewall.

If a perimeter firewall is set up per site, it is recommended[footnoteRef:6] that the following settings be reviewed to ensure compliance with the master perimeter firewall: [6: All information is sourced from TechNet, and is not written by SkillageIT]

1. Deny all traffic unless explicitly allowed.
2. Block incoming packets that claim to have an internal or perimeter network source IP address.
3. Block outgoing packets that claim to have an external source IP address (traffic should only originate from bastion hosts).
4. Allow UDP-based DNS queries and answers from the DNS resolver to DNS servers on the Internet.
5. Allow UDP-based DNS queries and answers from the Internet DNS servers to the DNS advertiser.
6. Allow external UDP-based clients to query the DNS advertiser and provide an answer.
7. Allow TCP-based DNS queries and answers from Internet DNS servers to the DNS advertiser.
8. Allow outgoing mail from the outbound SMTP bastion host to the Internet.
9. Allow incoming mail from the Internet to the inbound SMTP bastion host.
10. Allow proxy-originated traffic from the proxy servers to reach the Internet.
11. Allow proxy responses from the Internet to be directed to the proxy servers on the perimeter.
Overall, SkillageIT recommend dual High-End Firewalls for redundancy, as so:
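The baseline above, together with the default-deny and explicit-exception approach of the Port/Protocol section, amounts to a first-match policy with two anti-spoofing checks evaluated before any allow rule. The following is an added example written for this report, not configuration from any firewall product or from the SkillageIT design: it encodes the baseline as rules and evaluates constructed packets against them. The address plan is an assumption (10.128.0.0/16 as the internal range, following the report's 10.128.[Site].x scheme, and 172.20.3.0/24 as the perimeter network with hypothetical bastion addresses); reply traffic such as DNS answers and proxy responses is assumed to be admitted by connection tracking and is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed address plan for illustration only.
INTERNAL = [ip_network("10.128.0.0/16")]      # TFF sites: 10.128.[Site].x
PERIMETER = [ip_network("172.20.3.0/24")]     # assumed bastion/perimeter network
DNS_RESOLVER = "172.20.3.10"     # assumed: resolver that queries Internet DNS servers
DNS_ADVERTISER = "172.20.3.53"   # assumed: server answering external queries
SMTP_OUT = "172.20.3.25"         # assumed: outbound SMTP bastion host
SMTP_IN = "172.20.3.26"          # assumed: inbound SMTP bastion host
PROXY = "172.20.3.80"            # assumed: web proxy on the perimeter


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = Internet -> perimeter, "out" = perimeter/internal -> Internet
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    proto: str
    src: Optional[str]      # CIDR, or None for any source
    dst: Optional[str]      # CIDR, or None for any destination
    dport: Optional[int]    # None for any port

    def matches(self, p: Packet) -> bool:
        if (self.direction, self.proto) != (p.direction, p.proto):
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


# Explicit allows taken from the baseline; anything not listed is denied.
RULES: List[Rule] = [
    Rule("dns-resolver-out",      "out", "udp", DNS_RESOLVER + "/32", None, 53),
    Rule("dns-advertiser-in-udp", "in",  "udp", None, DNS_ADVERTISER + "/32", 53),
    Rule("dns-advertiser-in-tcp", "in",  "tcp", None, DNS_ADVERTISER + "/32", 53),
    Rule("smtp-out",              "out", "tcp", SMTP_OUT + "/32", None, 25),
    Rule("smtp-in",               "in",  "tcp", None, SMTP_IN + "/32", 25),
    Rule("proxy-out",             "out", "tcp", PROXY + "/32", None, None),
]


def is_ours(addr: str) -> bool:
    """True when the address belongs to an internal or perimeter range."""
    a = ip_address(addr)
    return any(a in n for n in INTERNAL + PERIMETER)


def evaluate(p: Packet, rules: List[Rule] = RULES) -> str:
    """First-match evaluation; anti-spoofing checks run before the allow list."""
    # Incoming packets must never carry one of our own source addresses.
    if p.direction == "in" and is_ours(p.src):
        return "deny:spoofed-internal-source"
    # Outgoing packets must originate from our own ranges (bastion hosts).
    if p.direction == "out" and not is_ours(p.src):
        return "deny:spoofed-external-source"
    for r in rules:
        if r.matches(p):
            return "allow:" + r.name
    return "deny:default"   # rule 1: deny unless explicitly allowed


if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet hosts.
    samples = [
        Packet("in",  "tcp", "203.0.113.5",  SMTP_IN,        25),   # inbound mail to the bastion
        Packet("in",  "tcp", "10.128.3.7",   SMTP_IN,        25),   # internal source from outside
        Packet("out", "udp", DNS_RESOLVER,   "198.51.100.1", 53),   # resolver query
        Packet("in",  "tcp", "203.0.113.5",  "10.128.15.1",  23),   # Telnet from the Internet
        Packet("out", "tcp", "10.128.2.5",   "198.51.100.1", 443),  # client bypassing the proxy
        Packet("out", "tcp", PROXY,          "198.51.100.1", 443),  # proxy-originated web traffic
    ]
    for pkt in samples:
        print(f"{pkt.direction:3} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  {evaluate(pkt)}")
```

Ordering matters in this design: because the spoofing checks precede the allow list, a packet that matches an allow rule but carries an impossible source address is still dropped, which is the behaviour items 2 and 3 of the baseline call for.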

This can be achieved by having one server deployed as the master firewall and the secondary obtaining changes to policy automatically as a mirrored firewall. This can be accomplished by employing a heartbeat setup where traffic is balanced between firewalls:

The only downside of having load balancing on the firewalls is increased complexity (if mirroring does not occur) and increased pressure on a single firewall if one node goes down. The full breakdown of the advantages, disadvantages and setup can be viewed at: https://technet.microsoft.com/en-us/library/cc700828.aspx

Remote Access
Remote access to internal web applications is run via the use of a Citrix XenApp server; mstsc.exe is defined as blocked on the firewall for any external access, for example someone trying to remote externally to a known internal IP address. Remote access on all computers is disabled and requires administration credentials to enable. To remote to any server, or telnet to any switch or WAP, you must have elevated privileges such as Domain Administrator. Due to strict policies, the only method to use RDP for a non-admin account is via the Citrix XenApp application, which can be accessed at remote.tffmstsc.com (a public DNS name that points to this specific program). The decision to patch RDP can be elaborated upon with the following:
"The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk." TechNet Article[footnoteRef:7] [7: https://technet.microsoft.com/library/security/ms12-020 ]

The requirement for remote support within TFF can be handled with third-party software such as LanDesk, which notifies the end user if someone is accessing their computer remotely.

Site To Site Links and VPN
The setup of an internal intranet VPN will allow site-to-site communication throughout the WAN (Wide-Area Network). VPN and associated protocols are defined[footnoteRef:8] as follows: [8: https://technet.microsoft.com/en-us/library/cc771298(WS.10).aspx ]

Tunneling enables the encapsulation of a packet from one type of protocol within the datagram of a different protocol. For example, VPN uses PPTP to encapsulate IP packets over a public network, such as the Internet. A VPN solution based on Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), or Secure Socket Tunneling Protocol (SSTP) can be configured.

PPTP, L2TP, and SSTP depend heavily on the features originally specified for Point-to-Point Protocol (PPP). PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames and then transmits the encapsulated PPP packets across a point-to-point link. PPP was originally defined as the protocol to use between a dial-up client and a network access server.

PPTP (Point-To-Point Tunnelling Protocol) can be employed for site-to-site VPN tunnels. This protocol was selected as it was the best fit for TFF, with the following requirements:
PPTP can be used with a variety of Microsoft clients including Microsoft Windows 2000, Windows XP, Windows Vista, and Windows Server 2008. Unlike L2TP/IPsec, PPTP does not require the use of a public key infrastructure (PKI). By using encryption, PPTP-based VPN connections provide data confidentiality (captured packets cannot be interpreted without the encryption key). PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).

Whilst this protocol does not ensure data has not been tampered with in transit, the ease of management and setup compared to other protocols outweighs this risk. It is SkillageIT's belief that the encryption method of PPTP is sufficient, as follows:
The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys generated from the MS-CHAP v2 or EAP-TLS authentication process.
Virtual private networking clients must use the MS-CHAP v2 or EAP-TLS authentication protocol in order for the payloads of PPP frames to be encrypted. PPTP takes advantage of the underlying PPP encryption and encapsulates a previously encrypted PPP frame. The process for the encapsulation of such packets can be defined as follows:

An example[footnoteRef:9] of how this encapsulation occurs is as follows: [9: Refer to appendix for another example]

The PPTP packet leaves the PE router and connects to the internet, only to be redirected to a VPN server which passes the packet on to an internal router, allowing site-to-site connection. Note: No integrity check (by default) occurs on the connection from the internet to the VPN server.

To effectively deploy site-to-site VPN, TFF need to identify the known hardware requirements for an operational connection. The minimal requirements for site-to-site VPN are perimeter VPN firewalls on each site to create the locked tunnel, routers on each site that can support the required routing policies, and a network connection that does not time out when sending packets site to site. Note: A firewall and router can be one device and function as both.
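The encapsulation chain described in this section (IP packet inside an MPPE-encrypted PPP frame, inside a GRE header, inside an outer IP packet) and the note that no integrity check occurs can both be seen concretely in code. The following is an added example written for this report, not Microsoft's implementation or any code from the SkillageIT design. It builds and unwraps a PPTP data packet using the real protocol numbers (GRE type 0x880B, PPP protocol 0x00FD for MPPE, RC4 as MPPE's cipher), but the per-packet key derivation is an assumed simplification standing in for MPPE's rekeying, and the inner packet and session key are constructed. It then shows what the missing integrity check means for a defender: a modified byte in transit decrypts without any error, whereas the same packet carrying an HMAC integrity check value (the approach IPsec uses for L2TP/IPsec) is rejected.

```python
import hashlib
import hmac
import struct

PPP_IP = 0x0021          # PPP protocol number: IPv4 datagram
PPP_COMP = 0x00FD        # PPP protocol number: compressed/encrypted (MPPE) datagram
GRE_PPP = 0x880B         # GRE protocol type: PPP, as used by PPTP
IPPROTO_GRE = 47         # outer IP protocol number for GRE
ICV_LEN = 16             # truncated HMAC-SHA256 length used in the contrast case


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 keystream; MPPE encrypts PPP payloads with RC4."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def packet_key(session_key: bytes, seq: int) -> bytes:
    # Assumed simplification: a fresh RC4 key per GRE sequence number, so that
    # no two packets share a keystream. Real MPPE rekeys its RC4 state instead.
    return hashlib.sha1(session_key + struct.pack(">I", seq)).digest()[:16]


def mppe_xor(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def _ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack(">10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def outer_ip_header(src: bytes, dst: bytes, payload_len: int) -> bytes:
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, IPPROTO_GRE, 0, src, dst)
    return hdr[:10] + struct.pack(">H", _ip_checksum(hdr)) + hdr[12:]


def encapsulate(inner_ip: bytes, session_key: bytes, seq: int, call_id: int,
                src: bytes = b"\xcb\x00\x71\x05", dst: bytes = b"\xc6\x33\x64\x0a") -> bytes:
    """Wrap an IP packet the way a PPTP endpoint does before it leaves the site."""
    cipher = mppe_xor(packet_key(session_key, seq), struct.pack(">H", PPP_IP) + inner_ip)
    mppe_hdr = struct.pack(">H", 0x9000 | (seq & 0x0FFF))   # A (flushed) + D (encrypted) bits, coherency count
    ppp = b"\xff\x03" + struct.pack(">H", PPP_COMP) + mppe_hdr + cipher
    gre = struct.pack(">HHHHI", 0x3001, GRE_PPP, len(ppp), call_id, seq)  # K and S set, GRE version 1
    return outer_ip_header(src, dst, len(gre) + len(ppp)) + gre + ppp


def decapsulate(pkt: bytes, session_key: bytes) -> bytes:
    """Reverse the wrapping. Nothing here can tell that a byte was changed in transit."""
    ihl = (pkt[0] & 0x0F) * 4
    _flags, proto, plen, _call_id, seq = struct.unpack(">HHHHI", pkt[ihl:ihl + 12])
    if proto != GRE_PPP:
        raise ValueError("not a PPTP GRE packet")
    ppp = pkt[ihl + 12:ihl + 12 + plen]
    plain = mppe_xor(packet_key(session_key, seq), ppp[6:])  # skip FF 03, protocol, MPPE header
    return plain[2:]                                         # drop the inner PPP protocol field


def seal(pkt: bytes, mac_key: bytes) -> bytes:
    """Contrast case: append an integrity check value, as IPsec ESP does."""
    return pkt + hmac.new(mac_key, pkt, hashlib.sha256).digest()[:ICV_LEN]


def open_sealed(pkt: bytes, mac_key: bytes):
    """Return the packet body if its ICV verifies, else None."""
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expect = hmac.new(mac_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body if hmac.compare_digest(icv, expect) else None


def flip_last_byte(pkt: bytes) -> bytes:
    """Simulate a single corrupted or altered byte in transit."""
    return pkt[:-1] + bytes([pkt[-1] ^ 0x01])


# Constructed inner IPv4 packet (10.128.3.10 -> 10.128.16.5, 4-byte payload) and keys.
INNER = b"\x45\x00\x00\x1c" + b"\x00" * 12 + b"\x0a\x80\x03\x0a" + b"\x0a\x80\x10\x05" + b"HEL0"
SESSION_KEY = b"constructed-session-key"
MAC_KEY = b"constructed-mac-key"

if __name__ == "__main__":
    wire = encapsulate(INNER, SESSION_KEY, seq=7, call_id=1)
    print("round trip ok:", decapsulate(wire, SESSION_KEY) == INNER)
    print("tampered PPTP packet still decrypts:", decapsulate(flip_last_byte(wire), SESSION_KEY) != INNER)
    sealed = seal(wire, MAC_KEY)
    print("tampered sealed packet rejected:", open_sealed(flip_last_byte(sealed[:-ICV_LEN]) + sealed[-ICV_LEN:], MAC_KEY) is None)
```

The point for TFF's risk register is the second and third lines of output: the PPTP receiver hands a silently altered payload up to the internal router, while the receiver that checks an ICV drops it before it reaches the internal network.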

Defence In Depth
Defence in Depth (also known as the Castle Approach) is an information assurance (IA) concept in which multiple layers of security controls (defence) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited, and it can cover personnel, procedural, technical and physical aspects for the duration of the system's life cycle. Security measures can be applied on 7 levels, as below:

Policies and Procedures
The outer layer of defence is based around awareness. By providing policies for user security (password sets, file passwords etc.) and making users aware of phishing links, spam E-mail and other malicious attacks that require user input, TFF can considerably increase their security.

Physical
Physical security refers to access to internal infrastructure such as file servers, laptops and other devices. By ensuring that only relevant users have access to the hardware, data theft, corruption or network alterations are less likely to occur.

Perimeter
Perimeter security usually refers to firewall protection on perimeter networks. This has been covered in the Perimeter Design section of this report. Having a perimeter firewall and an internal firewall allows for multiple testing of packets to ensure only requested data is able to enter the internal network; for more information on perimeter networks refer to https://technet.microsoft.com/en-us/library/cc700828.aspx.

Internal Network
The internal network security consists of firewall, logging and auditing, encryption and packet filtering. This security layer should be set up to prevent any unknown access to internal resources, and must be monitored in real time for maximum security.

Host
Host security can refer to many different technologies, such as firewall, packet filtering and anti-virus software. At this level, HIPS (Host Intrusion Prevention Systems) should be applied (either directly from an enterprise solution or firewall option) to protect against the following:
1. Taking control of other programs, for example sending mail using the default mail client or sending your browser to a certain site to download more malware.
2. Trying to change important registry keys, so that the program starts at certain events.
3. Ending other programs, for example your virus scanner.
4. Installing devices or drivers, so that they get started before other programs.
5. Interposing memory access, so it can inject malicious code into a trusted program.
HIPS is a sub-category of IPS (Intrusion Prevention Systems) that monitors local events on systems (hosts) for suspicious activity, and then applies policies defined by the administrator, such as blocking changes to start-up entries. HIPS is usually an option to be enabled from an Anti-Virus solution, such as McAfee:

Further information can be accessed through the following resources:
http://en.wikipedia.org/wiki/Intrusion_prevention_system
http://www.techsupportalert.com/content/hips-explained.htm

Application
Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats. The application layer can consist of the following[footnoteRef:10]: [10: http://en.wikipedia.org/wiki/Application_security ]

To ensure there are no issues with application security, secure strategies (protocols such as HTTPS over HTTP, SSH over Telnet) and sufficient services must be applied. An application firewall is an example of a security measure that can be employed to ensure any data breaches/connections are denied and recorded. The application firewall can fall under the following:

These rules can be applied to Source Locations, Destination Locations, Service, Authentication and QoS. By employing strict policies on this layer, the internal IT team can ensure that malicious code from external sources does not get in, and if internal code is executed, it will be blocked at the client-edge firewall per site.

Security Auditing
Security auditing should be applied for applications that create a denied connection, or receive a block on the firewall due to a protocol/destination request. By coupling this logging style with an Anti-Virus log, system administrators are able to identify potential security threats to the system. The McAfee Enterprise security suite features a Next Generation Firewall that is able to assist with Policy and Protection, and maintain logs and events for system engineers to review.

Risk Analysis
When it comes to internal network monitoring and risk analysis, critical IT services need to be identified. Key points in risk analysis theory can be identified as follows:
1. Plan and prepare the risk analysis.
2. Define and delimit the system and the scope of the analysis.
3. Identify hazards and potential hazardous events.
4. Determine causes and frequency of each hazardous event.
5. Identify accident scenarios (i.e. event sequences) that may be initiated by each hazardous event.
6. Select relevant and typical accident scenarios.
7. Determine the consequences of each accident scenario.
8. Determine the frequency of each accident scenario.
9. Assess the uncertainty.
10. Establish and describe the risk picture.
11. Report the analysis.
12. Evaluate the risk against risk acceptance criteria.
13. Suggest and evaluate potential risk-reducing measures.
Figure 3: Bow-tie diagram of risk management
Some of the key risks associated with TFF are as follows:
1. Failed connection to Primary or Secondary DC(s), and in turn DHCP and DNS;
2. Failed connection(s) to internal exchange servers;
3. Failed connection(s) to the .15, .16, .17 and .18 networks, limiting all traffic internally.
SkillageIT have identified all known risks to the customer in the cutover/migration of the network and have listed them in a separate document. The following management process was performed to define all risks and apply appropriate solutions:
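The Security Auditing section proposes reading firewall deny events alongside the anti-virus log so that a host which is both being blocked and flagged by anti-virus stands out. The following is an added example written for this report, not output or code from McAfee, any firewall product, or the SkillageIT design. The log lines are constructed in a made-up format (two TFF sites, addresses in the report's 10.128.[Site].x scheme, Internet addresses from documentation ranges), and the detection only reports the anti-virus test signature EICAR-Test-File. It parses both sources, counts the densest burst of denies per source host inside a time window, and rates each host by whether it appears in one source or both.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample logs (not real product output). 10.128.3.22 is denied
# three times in seconds and also has an anti-virus event; 10.128.2.5 has a
# single FTP deny; 10.128.4.8 has only an anti-virus event.
FIREWALL_LOG = """\
2022-05-21T09:14:02 FW-MILLICENT DENY TCP 10.128.3.22:51344 -> 203.0.113.9:23
2022-05-21T09:14:05 FW-MILLICENT DENY TCP 10.128.3.22:51345 -> 203.0.113.9:23
2022-05-21T09:14:09 FW-MILLICENT DENY TCP 10.128.3.22:51346 -> 203.0.113.9:21
2022-05-21T09:40:11 FW-ADELAIDE DENY TCP 10.128.2.5:49210 -> 198.51.100.7:21
2022-05-21T10:02:30 FW-MILLICENT ALLOW TCP 10.128.3.40:52000 -> 198.51.100.7:443
"""
AV_LOG = """\
2022-05-21T09:12:40 AV host=10.128.3.22 action=quarantined threat=EICAR-Test-File
2022-05-21T09:55:03 AV host=10.128.4.8 action=detected threat=EICAR-Test-File
"""

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) (\S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
AV_RE = re.compile(r"^(\S+) AV host=(\S+) action=(\S+) threat=(\S+)$")


def parse_firewall(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:   # lines that do not fit the constructed format are skipped
            ts, fw, action, proto, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "fw": fw, "action": action,
                           "proto": proto, "src": src, "dst": dst, "dport": int(dport)})
    return events


def parse_av(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = AV_RE.match(line)
        if m:
            ts, host, action, threat = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "action": action, "threat": threat})
    return events


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events falling inside any span of length `window`."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def correlate(fw_events: List[dict], av_events: List[dict],
              window: timedelta = timedelta(minutes=5), threshold: int = 3) -> Dict[str, dict]:
    """Rate hosts: 'high' when a deny burst and an AV event coincide, 'medium' for either alone."""
    denies = defaultdict(list)
    for e in fw_events:
        if e["action"] == "DENY":
            denies[e["src"]].append(e["ts"])
    av_by_host = defaultdict(list)
    for e in av_events:
        av_by_host[e["host"]].append(e)

    findings = {}
    for host in set(denies) | set(av_by_host):
        burst = max_in_window(sorted(denies.get(host, [])), window)
        has_av = host in av_by_host
        if burst >= threshold and has_av:
            severity = "high"
        elif burst >= threshold or has_av:
            severity = "medium"
        else:
            continue   # a lone deny below the threshold is noise, not a finding
        findings[host] = {"severity": severity, "deny_burst": burst,
                          "av_events": len(av_by_host.get(host, []))}
    return findings


if __name__ == "__main__":
    for host, f in sorted(correlate(parse_firewall(FIREWALL_LOG), parse_av(AV_LOG)).items()):
        print(host, f)
```

The threshold and window are the knobs an administrator tunes against real volumes; the structure (deny burst per source host, joined to the anti-virus host field) is what turns two separate logs into the single review list the section asks for.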

Documentation
All documentation is to be housed on premise, with relevant access granted. Below is the method for the documentation for TFF.

Vendor Documentation
Documentation on the hardware (and/or software) used will be stored centrally to allow access. Documentation on known faults, updates and/or technical support forums should also be listed. For any material found online that is of relevance, links should be housed for later review.

In House Documentation
Any information on the systems (roles, changes, hardware, configuration) should also be stored so that any member of the internal IT team (or relevant managers) has access to it. This document should contain the following information:
1. The purpose of the document and what it aims to cover;
2. History of changes/outdated information;
3. References to either user or material;
4. Clear information on the system (IP Address, Passwords etc.) and;
5. Any known issues/changes to the previous document.
This information should be regularly reviewed to ensure that any member of the IT support team can administer changes to systems if needed.

Appendix

Server Requirements
According to Microsoft, the minimal hardware requirements for Windows Server 2008 are as follows:

Coupled with an SQL Database, which requires the following hardware:

The System76 systems are custom built (Overkill) with their hardware; this hardware is sufficient to house multiple virtual servers and can support growth of the company.

Site-To-Site VPN
Secondary example of how Site-To-Site VPN encapsulation and packet delivery occurs:

Appendix I
Windows Server 2013 Key Features
With the release of Windows Server 2012, there were also major updates in the file system, data retention and security. However, the three main benefits of the Microsoft Server are as follows:
Data Deduplication: Microsoft has refined their file system and compression techniques for data storage. Data deduplication is as it says: a technique to prevent data duplication. With this technique implemented on file servers and other storage facilities, clientele are able to save storage space on their systems, not only making indexing and general performance better, but saving money on storage requirements.
Hyper-V 3.0: Hyper-V (formerly referred to as Windows Server Virtualization) is a virtualization client; it allows Windows to create virtual machines/environments. The main benefit of Hyper-V is running a server centralized, yet allowing multiple guests to remote to the server, run applications and act as if they were logged into the PC directly. Enabling a server that can run Hyper-V will cut the cost of purchasing multiple copies of software and the need to purchase (and upkeep) several physical server/client computers, and also allows for centralized security.
Server Management: Server Manager is a tool implemented from Microsoft Server 2008 that helps IT administrators set up and upkeep servers in a friendly manner. A full guide to setting up and using Server Manager can be located on the TechNet site (http://bit.ly/1zdYP4y).

Assessment rubric. Each criterion below is scored on the same five-level scale:
4 points: Candidate displays significant engagement with the learning materials, conveys an exemplary transfer of knowledge and skills gained.
3 points: Candidate displays good engagement with the learning materials, conveys an accomplished transfer of knowledge and skills gained.
2 points: Candidate displays engagement with the learning materials, conveys a developing transfer of knowledge and skills gained.
1 point: Candidate displays poor engagement with the learning materials, conveys beginning level transfer of knowledge and skills gained.
0 points: Candidate does not address any of the learning materials, conveys no transfer of knowledge and skills gained.

Criteria:
1. Gather data to identify business requirements
2. Translate business needs into technical requirements
3. Acquire system components
4. Evaluate and negotiate vendor offerings
5. Match IT needs with the strategic direction of the enterprise
6. Configure an internet gateway
7. Identify best-fit topology for a wide area network
8. Create network documentation
9. Develop detailed technical design
10. Create technical documentation
11. Identify and resolve client IT problems
12. Support small scale IT projects
13. Develop and present feasibility reports
14. Identify and resolve client IT problems
15. Confirm system specifications
16. Design network diagrams and checklists

Contribute to development of program specificationsCandidate displays significant engagement with the learning materials, conveys an exemplary transfer of knowledge and skills gained4pointsCandidate displays good engagement with the learning materials, conveys an accomplished transfer of knowledge and skills gained3pointsCandidate displays engagement with the learning materials, conveys a developing transfer of knowledge and skills gained2pointsCandidate displays poor engagement with the learning materials, conveys beginning level transfer of knowledge skills gained1pointsCandidate does not address any of the learning materials, conveys no transfer of knowledge skills gained0points

Prepare documentation for publicationCandidate displays significant engagement with the learning materials, conveys an exemplary transfer of knowledge and skills gained4pointsCandidate displays good engagement with the learning materials, conveys an accomplished transfer of knowledge and skills gained3pointsCandidate displays engagement with the learning materials, conveys a developing transfer of knowledge and skills gained2pointsCandidate displays poor engagement with the learning materials, conveys beginning level transfer of knowledge skills gained1pointsCandidate does not address any of the learning materials, conveys no transfer of knowledge skills gained0points

Thursday, 9 April 2015
C:\Users\mnancarrow\Dropbox\Cert IV in Network Security\Current\Small Office Upgrade\Proposed Small Network Upgrade_Version2.docx