WWTC Requirements - JustAnswer
Worldwide Trading Company: Comprehensive Assessment Plan
Nathan Dan
Professor
School
Course
Date
TABLE OF CONTENTS
Executive Summary
Project Goal Statement
Project Scope
Assumptions & Constraints
Design Requirements
Priority Scale
Technical Requirements
Network Applications
Current State of the Network
Design Solution
Implementation Plan
Wireless, LAN and VoIP Equipment List / Budget
Project Timeline
Design Document Appendix
References
EXECUTIVE SUMMARY
The focus of this comprehensive assessment plan is a large online brokerage firm called the
Worldwide Trading Company (WWTC). The company buys and sells financial securities between
buyers and sellers. It has a large customer base of investors, and the organization employs
9,000 staff across the world. The company's head office is in New York City. The purpose of
this comprehensive assessment plan is to specify a cutting-edge network for the New York City
head office that will increase the productivity of WWTC.
This new network is expected to raise WWTC's revenue from the existing $10 billion to
$40 billion over approximately three to four years. The network will also decrease WWTC's
operating costs by 15% to 30%. It will provide encrypted channels for investors to buy and
sell online, and will include VoIP and data network capability for use on personal digital
assistants (PDAs).
The network will have a confidentiality level equivalent to the CIA's and will use
Microsoft Windows Server 2012 Active Directory together with a Cisco network. The budget for
this new network is also included in this report.
The end result will greatly improve WWTC's organizational operation and increase both the
company's revenue and its productivity.
PROJECT GOAL STATEMENT
The goal of this project is to produce a logical and physical component design for the
improved WWTC network, applying current technologies to a design solution that will increase
WWTC's revenue and improve the organization's structure.
PROJECT SCOPE
The project scope covers cutting-edge network technology: an Active Directory, LAN,
CIA-level security, VoIP, and wireless devices for the New York City head office of WWTC. The
departments that will be improved by this venture include Human Resources, Finance and
Information Technology. Below, I list what is included in and excluded from the project scope:
Includes:
Creating a LAN/WAN/VoIP network
CIA-level security measures that involve encryption
A wireless network that will run in cubicle areas, conference rooms, and the entrance of the
WWTC office in New York City
Installation of the network
Installing a data and voice network
Excludes:
Power supply will not be included
Maintenance of the network and other new systems will not be included
Assumptions & Constraints
A gigabit Ethernet network will be installed. The power supply in the WWTC building should
be more than adequate to support and enable the network. The network design will also allow
for future changes to meet the changing needs of WWTC. The included timeline is designed to
prevent delays in the implementation of the network.
DESIGN REQUIREMENTS
This section focuses on the design requirements that are necessary for installing the
network for WWTC in New York City. Please see the details below:
Priority Scale
| Value | Rating | Description |
|---|---|---|
| A | Very High | Component is of very high importance to the success of the plan. |
| B | High | Component is of high importance to the success of the plan. |
| C | Medium | Component is of medium importance to the success of the plan. |
| D | Low | Component is of low importance to the success of the plan. |
| E | Future | Component is of future importance to the on-going success of this plan. |
Technical Requirements
| Requirement | Priority Value | Purpose and Goal Characteristics |
|---|---|---|
| Security | A | This section describes the CIA-level security protocol that will ensure the network is protected and safe. This includes encryption, classification markings, audits, activity monitoring and defense-in-depth layers. |
| Availability | A | Access for users and lenders trading online, and minimizing server downtime, are of very high priority. |
| Network Performance | A | Response times for users will be served over 1 Gbps Ethernet; transfer rates will be over Mbps on the LAN, and wireless connections will provide Internet speeds of more than 54 Mbps. |
| Reliability | B | Products selected for the network will be proven equipment/systems that reduce the failure rate and remain sustainable over the long term. |
| Scalability | B, E | Scalability is linked to WWTC's plans for growth and expansion, and relates to current active users, network capacity, client applications and the anticipated future users of the network. |
| Usability | C | The systems, network and overall use of the network need to be user-friendly and navigable without any instruction required. |
| Manageability | C | Maintenance, deployment and configuration of the network need to be centralized through services and servers, supported by the manufacturers supplying the hardware, and must include Quality of Service (QoS). |
Network Applications
This section discusses current applications that are being used by the WWTC in New York City:
Adobe Acrobat Pro
Accessing library card-catalog
Email (Outgoing/Incoming)
File server application
Microsoft Office 365 Plan (Office 2016 Suite, Exchange, Active Directory, SharePoint,
One Drive, and Skype for Business)
Secure Zip
The network will also include custom applications. Market tracking applications will give
real time reports of stocks and bonds for traders. An online trading application will help to direct
the clients on how to set up the online portal.
CURRENT STATE OF THE NETWORK
The current network at WWTC's New York City office has security issues that were identified
through an internal audit. WWTC needs to improve this system so that unclassified networks
cannot reach its own network, and so that a secure, encrypted network can support the
organization's financial growth. A great deal of classified data resides on these networks and
must remain secure. The WAN link will carry an added layer of encryption, configured with
HTTPS. Offsite users will reach the network through VPN channels and through dial-up access.
The high-speed wireless network will be VoIP-enabled and will also help to secure the data.
Completing this plan will greatly improve the network and the financial growth of WWTC in
New York City, as well as of the global company.
DESIGN SOLUTION
LAN/WAN Solution
The new WWTC network will be scalable, will facilitate fault isolation and will provide high
availability. It will be composed of six network modules:
Access
Services (server farm)
Core
Demilitarized zone (DMZ)
Enterprise edge
Physically separated encrypted classified zone.
Unique features of the network also include a redesigned IP addressing scheme and the
redirection of client users from the current network to the new network, the integration of
voice and data, extra capacity at the switches and high-speed wireless access.
Access Layer
An access layer will provide end-user connectivity to the equipment. It includes desktops,
phones, printers, laptops and PDAs. The access layer is divided into VLANs, which are supported
by security measures that handle the network traffic so that the network functions smoothly and
efficiently. The access layer will consist of four Cisco WS-C3750X-48PF-L switches providing
1 Gbps connections to end users. The wireless access points will cover the main areas of the
WWTC New York City office building, such as conference rooms, cubicle areas and the entrance
way or lobby. The third part of the layer connects all of the closet switches to the network.
This will help to maximize the use of the network at the workstation level.
Core Layer
The core layer of the network design consists of a Cisco 6800 XL layer of three switches.
Cisco's proprietary Gateway Load Balancing Protocol provides first-hop redundancy and therefore
high availability: one device is in hot-standby mode while the other is the active device. If
the messages from the active device are lost, a default timer of three seconds expires and the
hot-standby switch becomes active. The advantages of deploying EIGRP include IPv6 capability,
fast convergence and efficient use of links through unequal-cost load balancing (Enhanced
Interior, n.d.).
Services/Server Layer
The services layer will host email, file shares, internal websites, print functions and the
call manager. This services layer will be served by Nexus 7000 series switches with uplinks to
each core chassis.
DMZ Layer
The DMZ module will host all of WWTC's public-facing network services. It will be separated
from the office LAN and protected with firewalls and monitoring.
Enterprise/Internet Edge
The enterprise/Internet edge layer will terminate VPN connections and perform network address
translation (NAT) for the enterprise. The edge routers will use a static default route toward
the primary Internet Service Provider (ISP) and a floating static route toward the alternate
ISP. The default route will be redistributed into EIGRP so that every routing device holds it in
its routing table. If the primary path is lost, the floating static route is installed into the
routing table and redistributed by the routing protocol, and traffic once again flows over the
backup ISP connection. VPN connections will terminate on the ASR routers to give remote users
access to WWTC resources. Additionally, all NAT with overload will be performed on these
routers. The NAT pool 208.1.1.12/30 will be created, and all internal web traffic will be
translated to either 208.1.1.13 or 208.1.1.14 to reach the public Internet.
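The failover behaviour described for the edge routers, modelled in code. This is an added example, not configuration from the plan: it keeps a primary static default route with the usual administrative distance of 1 and a floating static default route with a higher distance, installs only routes whose exit interface is up, and resolves a destination by longest-prefix match. The next-hop addresses (208.1.1.1 inside the plan's 208.1.1.0/29 point-to-point block, 208.1.1.9 inside 208.1.1.8/30, 192.168.0.2 for the core) and the interface names are assumptions; the internal 192.168.0.0/21 route with distance 90 stands in for the EIGRP-learned aggregate.

```python
"""Static / floating-static default route failover for the WWTC edge
(added example, not part of the original plan)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Route:
    prefix: str              # destination, e.g. "0.0.0.0/0" for the default route
    next_hop: str
    exit_interface: str
    admin_distance: int = 1  # 1 is the usual default for a static route; a floating
                             # static is given a higher value so it loses to the
                             # primary route for as long as the primary is installed


class EdgeRouter:
    """Minimal model: a route is installable only while its exit interface is up, and
    for each prefix the installable route with the lowest administrative distance wins."""

    def __init__(self):
        self.candidates = []   # every configured route
        self.interfaces = {}   # interface name -> up (True) / down (False)

    def add_route(self, route):
        self.candidates.append(route)
        self.interfaces.setdefault(route.exit_interface, True)

    def set_interface(self, name, up):
        self.interfaces[name] = up

    def routing_table(self):
        """Routes currently installed: best admin distance per prefix among usable ones."""
        installed = {}
        for r in self.candidates:
            if not self.interfaces.get(r.exit_interface, False):
                continue
            cur = installed.get(r.prefix)
            if cur is None or r.admin_distance < cur.admin_distance:
                installed[r.prefix] = r
        return installed

    def lookup(self, destination):
        """Longest-prefix match; returns the next hop, or None when nothing matches."""
        addr = ipaddress.ip_address(destination)
        best = None
        for prefix, route in self.routing_table().items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, route)
        return best[1].next_hop if best else None


def build_wwtc_edge():
    """Assumed addresses and interface names (not from the plan): ISP A next hop inside
    208.1.1.0/29, ISP B next hop inside 208.1.1.8/30, core next hop inside the
    192.168.0.0/24 L3 point-to-point VLAN."""
    r = EdgeRouter()
    r.add_route(Route("0.0.0.0/0", "208.1.1.1", "Gi0/0", admin_distance=1))    # primary ISP
    r.add_route(Route("0.0.0.0/0", "208.1.1.9", "Gi0/1", admin_distance=10))   # floating static, backup ISP
    r.add_route(Route("192.168.0.0/21", "192.168.0.2", "Gi0/2", admin_distance=90))  # internal aggregate (EIGRP-like AD)
    return r


def failover_demo(destination="203.0.113.10"):
    """Next hop for an Internet destination as the primary link fails, then the backup too.
    203.0.113.10 is a documentation (TEST-NET-3) address used as a constructed sample."""
    r = build_wwtc_edge()
    steps = [("both links up", r.lookup(destination))]
    r.set_interface("Gi0/0", False)
    steps.append(("primary ISP link down", r.lookup(destination)))
    r.set_interface("Gi0/1", False)
    steps.append(("both links down", r.lookup(destination)))
    return steps


if __name__ == "__main__":
    for state, hop in failover_demo():
        print(f"{state:<22} -> next hop {hop}")
```

Interface line state is a weak proxy for reachability: a WAN port can stay up while the ISP beyond it is unreachable. In a real deployment the primary static route is tied to an IP SLA tracking object that probes the ISP next hop, so the route is withdrawn and the floating static takes over on a path failure, not only on a link failure.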
Best practices are necessary for a secure network in order to stabilize and protect
telecommunications within any organization. This document is a proposal for a Cisco network
design in the WWTC building in New York City, United States. Microsoft Active Directory is
also used to back up the system and the network will be designed with a fluid capability to
support all needs of the WWTC building in New York City, United States.
WWTC Requirements
WWTC's very specific list of requirements conveys the expectation that their new
network will be high performance, extremely scalable, cost effective to manage, and very secure.
A Cisco network infrastructure with Microsoft based directory and resource management
features together are fully capable of meeting these expectations. The high performance
requirement means not only that bandwidth is available, but also that protocols and
configurations are in place such as RSTP to prevent traffic loops and broadcast congestion, a
well thought out subnet scheme, VLAN design and robust routing protocols such as EIGRP and
PIM with IGMP Snooping enabled (for Multicast) to ensure that unnecessary traffic (broadcasts
and multi-cast flooding) are contained and required traffic is forwarded over the best path
possible in expeditious fashion. WWTC also expects the network to be designed to accommodate
a growth rate of 100% capacity so that as the company grows and expands they will not have to
invest in network upgrades nor suffer the business disruption that can be caused during network
down time while additions are installed. Along these same lines, modularity is another aspect
that WWTC requires, which would enable changes as well as expansion in the future with a
minimum of disruption, cost, and effort. WWTC expects that sometime in the near future it may
be advantageous or even required to move from the antiquated IPv4 protocol currently in
widespread use to the newer, much improved IPv6, hence all network infrastructure specified on
this project will support both IPv4 and IPv6 along with dual stack and migration capabilities
(such as IPv4 to IPv6 tunneling).
Another requirement is centralized management capability that will enable the company
to manage the new network with minimal IT staff, saving cost and decreasing complexity.
Essential to meeting this requirement are DHCP services for dynamic IP management, as it
enables a large number of IP configurations to be managed centrally for all hosts on the network
in addition to boosting security through the use of Active Directory integration.
Routing requirements for WWTC include a hierarchical IP address design scheme, route
aggregation (which increases network performance by decreasing routing table complexity), and
support for VoIP integrated into the network infrastructure to allow for video and multi-media
support such as the feature rich IP phones Cisco offers that can be installed without requiring a
separate cable infrastructure (as is the case with standard analogue phone systems).
Finally, WWTC has a stringent network security requirement that includes best practice
defense-in-depth layered security countermeasures and defenses which are essential with cyber
crime increasing at an exponential pace. A combination of Microsoft and Cisco managed
infrastructure is fully capable of meeting this expectation.
WWTC Equipment List
As noted above, the equipment and services selected to meet the stated requirements must
be very high performance LAN infrastructure devices along with services designed for
centralized management. Cisco switches, routers (and wireless devices to meet the WWTC
wireless requirement for specific network segments) support the stated requirements when the
models are specified correctly, and using a single vendor for network infrastructure helps ensure
top level performance, ease of administration, and seamless integration. The network devices
listed in the following table will handle over twice the current network capacity requirement,
both in port count as well as bandwidth and performance, while also featuring the required
support such as for VoIP, fault tolerance and high availability, seamless integration with
wireless, and state of the art security features.
Table 1: Proposed devices.
| Device | Cisco Model # | Quantity | Comments |
|---|---|---|---|
| Core layer switches - redundant | 6509-E | 2 | HA/fault tolerant support for up to 534 devices plus advanced IP services |
| Distribution layer switches | 4503-E | 2 | Supports full mesh distribution layer plus advanced IP services |
| Access layer switches | WS-C3850-48U-E | 22 | UPoE support, 48 gigabit ports per switch, advanced IP services, fault tolerant and stackable with integrated wireless controller |
| Firewall with IPS services | ASA 5508-X | 2 | Support for redundant dual WAN link connections and egress/ingress IPS monitoring |
| Dual power supply for access switch | PWR-C1-1100WAC | 22 | Second power supply for all WS-C3850-48U-E |
| Wireless AP | Cisco Aironet 2600 | 8 | 802.11a/b/g/n, LAN integration up to 450Mbps data rates, VLAN support, 128 client session capable |
| Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | 4 | 10G redundant support for the core switch fabric |
| Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | 2 | Redundant power supply support for HA |
| Cisco 4500 switch supervisor | Cisco WS-X45-Sup7L-E | 4 | 10G redundant distribution layer support |
| Cisco 4500 line card | Cisco Catalyst 4500E UPOE Line Card | 4 | For 1G redundant access layer support |
The network equipment specified above is designed with centralized management, high
level security, and high performance and availability in mind. Throughout the network there is
no single point of failure as the dual power supplies on each device, full mesh interconnection,
dual supervisor engines, and dual uplinks attest. The Cisco ASA firewall with IPS services both
protects the network through advanced deep packet inspection filters as well as through
advanced intrusion detection monitoring that can take action to block access to network
segments where critical information is stored, or shut down access completely if an intrusion or
security breach is detected. The 4500 and 6500 series supervisors also have IPS capability which
will be configured in a similar manner. In addition, a VLAN will be configured for each
department with ACLs (Access Control Lists) setup so that only authorized access is allowed
into each department. At the access layer the Cisco 3850 switches provide seamless wireless
integration through wireless controller support so that mobile devices do not lose connectivity
when moving from one AP to another. The wireless network is designed with plenty of overlap
to prevent dead spots and support the faster speeds up to 450 Mbps. The network switches will
have RSTP configured (for fast spanning tree convergence), EIGRP (for fast routing
convergence), and IGMP snooping with PIM for multi-cast forwarding that minimizes flooding
at layers 2 and 3 of the OSI model. All switches also support the most current PoE (Power over
Ethernet) for IP telephones and VoIP, and are modular so that if additional hardware support is
needed (such as fiber to another floor) the infrastructure is ready to accommodate. The following
diagram depicts the network design:
Diagram 1: High level network layout.
Table 2: Proposed network IP scheme and associated VLANs
| Location/Dept | # of IP Addresses Required | Future Growth | Rounded Power of 2 | Number of Host Bits | Subnet Address Assigned |
|---|---|---|---|---|---|
| OPR | 21 | 21 | 64 | 10 | 172.16.16.1-62/26 |
| NW USA | 32 | 32 | 128 | 9 | 172.16.11.1-126/25 |
| SW USA | 32 | 32 | 128 | 9 | 172.16.12.1-126/25 |
| NE USA | 32 | 32 | 128 | 9 | 172.16.13.1-126/25 |
| SE USA | 32 | 32 | 128 | 9 | 172.16.14.1-126/25 |
| M USA | 32 | 32 | 128 | 9 | 172.16.15.1-126/25 |
| Network IT | 50 | 50 | 128 | 9 | 172.16.10.1-126/25 |
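The sizing rule behind Table 2, carried through in code. This is an added example written for this page, not part of the original plan: it takes each department's current requirement, adds the same amount again for future growth (the 100% growth rate stated in the requirements), reserves the network and broadcast addresses, rounds up to the next power of two, and then expresses the result the way the table does (first usable-last usable/prefix) inside the 172.16.x.0 blocks the table assigns. The third-octet values are taken from the table. The host-bit count the code returns is the exponent of the block size (6 for a /26, 7 for a /25), which is the conventional meaning and differs from the "Number of Host Bits" column as printed.

```python
"""Subnet sizing in the style of Table 2 (added example, not part of the original plan)."""
import ipaddress

# Department rows transcribed from Table 2: (department, addresses required, third octet
# of the 172.16.x.0 block the plan assigns). Future growth equals the current requirement.
TABLE_2 = [
    ("Network IT", 50, 10),
    ("NW USA", 32, 11),
    ("SW USA", 32, 12),
    ("NE USA", 32, 13),
    ("SE USA", 32, 14),
    ("M USA", 32, 15),
    ("OPR", 21, 16),
]


def plan_block(required, growth=None):
    """Return (rounded_size, host_bits, prefix_len) for one department.

    required: host addresses needed today
    growth:   extra host addresses reserved for growth (default: 100% of required)
    The block must also hold the network and broadcast addresses, which is why
    64 hosts (32 + 32) do not fit in a 64-address block and round up to 128.
    """
    if growth is None:
        growth = required
    needed = required + growth + 2           # +2 for network and broadcast
    host_bits = (needed - 1).bit_length()    # smallest n with 2**n >= needed
    rounded = 1 << host_bits
    return rounded, host_bits, 32 - host_bits


def build_rows(table=TABLE_2):
    """Rebuild the Table 2 rows, writing each subnet as the plan does: first-last usable/prefix."""
    rows = []
    for dept, required, third_octet in table:
        rounded, host_bits, prefix = plan_block(required)
        net = ipaddress.ip_network(f"172.16.{third_octet}.0/{prefix}")
        hosts = list(net.hosts())
        rows.append({
            "dept": dept,
            "required": required,
            "growth": required,
            "rounded": rounded,
            "host_bits": host_bits,
            "network": net,
            "subnet": f"{hosts[0]}-{hosts[-1].packed[-1]}/{prefix}",
        })
    return rows


def overlapping(rows):
    """Pairs of departments whose subnets overlap; an empty list means the plan is clean."""
    clashes = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            if a["network"].overlaps(b["network"]):
                clashes.append((a["dept"], b["dept"]))
    return clashes


if __name__ == "__main__":
    for row in build_rows():
        print(f'{row["dept"]:<11} {row["required"]:>3} {row["growth"]:>3} '
              f'{row["rounded"]:>4} {row["host_bits"]:>2}  {row["subnet"]}')
    print("overlaps:", overlapping(build_rows()))
```

Changing a requirement re-sizes the block automatically: 31 hosts plus 31 for growth still fit a /26 (62 usable), while 32 plus 32 need a /25, which is the step the table shows between OPR and the regional offices.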
The network design presented above will meet all the WWTC requirements for security,
availability, fault tolerance, performance, scalability, and modularity. In addition, centralized
management provided through a combination of Microsoft Active Directory services (such as
DHCP, integrated DNS and role based authentication by group and OU) and AD integrated
management of the Cisco infrastructure leveraging 802.1X and Radius services ensures that all
devices within the new network can all be centrally managed. This robust infrastructure is highly
capable of providing WWTC service for many years into the future.
IMPLEMENTATION PLAN AND TIMELINE
Project implementation plan
This section details the project implementation plan for the design, installation and
testing of WWTC company network. The plan details tasks, sub tasks, the resources required to
complete each of the tasks and the estimated time for each task.
Major Project Tasks
The major tasks identified for the project are as follows:
Network design
Acquiring of required hardware and software
Network security design and implementation
Network hardware installation and configuration
Software installation and configuration
Security policy
Plan detail (tasks, schedule, resources and budget):
1. Network design – this is the initial phase of the plan, which includes the physical and
logical network design of the offices and deciding on the location of critical ICT
infrastructure such as DNS servers, the Active Directory server, file, web and print servers,
firewalls, routers and client machines.
Sub-tasks
Physical network design
Logical design
Activities
Site visits
Sketch
Team meetings
Network simulation using software
Deciding required software and hardware
Resources
Network engineers
Computers, printers and simulation software
Writing materials
Estimated budget
$70,000 USD
Estimated time
2 weeks
Deliverable
Complete physical and logical design diagrams
2. Acquiring of required software and hardware
Procurement of the following: servers (47), switches, routers, firewalls, network operating
systems, application software, client OS, printers, PCs and CAT-6 cables.
Activities
Procurement team meetings
Travelling
Market survey
Budget
$50M USD
Estimated time
1 week
Deliverable
All software and hardware transported to site
3. Network security design
Sub tasks
Physical security design
Software security design
Activities
Choosing security protocols and encryption mechanisms
Decide on security software configurations
Physical security design
Deliverable
Secure network configuration design
Resources
Network security hardware- firewalls
IT security analyst
Network security software
Budget
$45,000 USD
Estimated time
4 days
4. Network hardware installation and configuration
Sub tasks
Installing DNS, File, active directory, Print, DHCP, web servers
Install active directory server
Configuring DHCP server
Install and configure firewall
Install and configure switches and routers
Install desktops
Install printers
Install and configure wireless access points (Cisco Aironet 1250 Series)
Installing CISCO phones (CISCO IP phone 8800 series)
Cabling
Resources
Network engineering team
Software installation team
Networking hardware and software
Application software
Operating systems software
Deliverables
Installed servers
Installed computers, printers
Fully connected network
Budget
$1M USD
Estimated time
14 weeks
5. Software installation and configuration
Sub tasks
Installing server operating systems
Installing firewall operating systems
Install client machine operating systems
Configuring VPN
Installing VoIP software
Configuring VoIP (cisco phones 8800 series)
Installing and configuring mobile device management software
Configuring VPN
Configuring active directory server
Configuring file and print servers
Configuring print server and printer sharing
Deliverables
Installed network and client operating systems
Shared printers, group policy, and files
Functioning cisco phones
Secure tunnel (VPN)
Installed application software
Resources
Software installation teams
IT security software
Server operating systems
Firewalls operating system
Installed network hardware
Budget
$300,000 USD
Estimated time
8 weeks
6. Security policy formulation
This task involves the formulation of an IT security policy, which employees will follow in
the use of all ICT resources. The policy aims to secure IT resources against accidental and
malicious actions by employees, customers or suppliers.
Sub tasks
Review existing security policies (COBIT-5, NIST, ISO-27001)
Choose compliance body
Write policy recommendations
Educate staff on policy recommendations
Resources
Policy review team
Deliverables
Policy document
Educated staff
Budget
$15,000 USD
Estimated time
3 weeks
Project schedule
Conclusion
Microsoft Active Directory will lower WWTC's total cost of ownership and help the company to
achieve its IT objectives. When properly configured from the ground up, Active Directory
provides nearly effortless scalability. Centrally managed groups at the domain and OU levels
minimize cost and effort by decreasing the number of accounts that must be managed (Active
Directory groups are managed rather than local user accounts and groups). Single sign-on to
network resources minimizes lost-password administration and maximizes efficiency by assigning
permissions to roles that are granted via Active Directory Global Groups. DFS integration with
Active Directory ensures that backups are secured and critical information is available at all
sites (while being protected by Active Directory enforced permissions). Finally, Active
Directory provides seamless integration for new hosts through the Windows NOS (Network
Operating System).
APPENDICES
WWTC IP Scheme
| Vlan | Purpose | Network |
|---|---|---|
| - | L3 point to point | 192.168.0.0 /24 |
| 10 | IT Staff | 192.168.1.0 /24 |
| 20 | User | 192.168.2.0 /24 |
| 30 | Voice | 192.168.3.0 /24 |
| 40 | Device Mgmt | 192.168.4.0 /24 |
| 50 | Printer | 192.168.5.0 /24 |
| 60 | VTC | 192.168.6.0 /24 |
| 70 | Server | 192.168.7.0 /26 |
| 71 | DMZ Server | 192.168.7.64 /26 |
| Future | Future Server | 192.168.7.128 /25 |
| - | Net Aggregate | 192.168.0.0 /21 |
| - | WAN Public Agg | 208.1.1.0 /28 |
| - | Public Point to point | 208.1.1.0 /29, 208.1.1.8 /30 |
| - | Public NAT Overload | 208.1.1.12 /30 |
Table 2: VLAN/IP Overview
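The NAT pool from the enterprise edge section and the VLAN/IP overview above can be checked mechanically. The following is an added example, not material from the plan: it transcribes the networks from the table and the NAT paragraph, verifies that every VLAN sits inside the 192.168.0.0/21 aggregate without overlapping its neighbours, that the three public blocks exactly tile 208.1.1.0/28, lists the usable NAT overload addresses (which come out as 208.1.1.13 and 208.1.1.14, as the design states), and adds a longest-prefix lookup for mapping a source address seen in a log line back to its VLAN. The ISP A / ISP B labels on the two point-to-point blocks are my assumption.

```python
"""Consistency checks for the VLAN/IP overview (added example, not part of the original plan)."""
import ipaddress

# Values transcribed from the VLAN/IP Overview table and the NAT paragraph of the plan.
VLANS = {
    "L3 point to point": "192.168.0.0/24",
    "10 IT Staff": "192.168.1.0/24",
    "20 User": "192.168.2.0/24",
    "30 Voice": "192.168.3.0/24",
    "40 Device Mgmt": "192.168.4.0/24",
    "50 Printer": "192.168.5.0/24",
    "60 VTC": "192.168.6.0/24",
    "70 Server": "192.168.7.0/26",
    "71 DMZ Server": "192.168.7.64/26",
    "Future Server": "192.168.7.128/25",
}
NET_AGGREGATE = "192.168.0.0/21"
WAN_PUBLIC_AGG = "208.1.1.0/28"
PUBLIC_BLOCKS = {                       # ISP A / ISP B labels are assumptions
    "Public point to point (ISP A)": "208.1.1.0/29",
    "Public point to point (ISP B)": "208.1.1.8/30",
    "Public NAT overload": "208.1.1.12/30",
}
NAT_POOL = "208.1.1.12/30"


def _overlaps(nets):
    """Yield (name1, name2, net1, net2) for every overlapping pair in a name->network dict."""
    items = list(nets.items())
    for i, (n1, a) in enumerate(items):
        for n2, b in items[i + 1:]:
            if a.overlaps(b):
                yield n1, n2, a, b


def check_scheme(vlans=VLANS, aggregate=NET_AGGREGATE,
                 public_blocks=PUBLIC_BLOCKS, public_agg=WAN_PUBLIC_AGG):
    """Return a list of problem descriptions; an empty list means the scheme is consistent."""
    problems = []
    agg = ipaddress.ip_network(aggregate)
    nets = {name: ipaddress.ip_network(n) for name, n in vlans.items()}
    for name, net in nets.items():
        if not net.subnet_of(agg):
            problems.append(f"{name} {net} lies outside the aggregate {agg}")
        if not net.is_private:
            problems.append(f"{name} {net} is not an RFC 1918 range")
    for n1, n2, a, b in _overlaps(nets):
        problems.append(f"{n1} {a} overlaps {n2} {b}")

    pub = ipaddress.ip_network(public_agg)
    pubs = {name: ipaddress.ip_network(n) for name, n in public_blocks.items()}
    covered = 0
    for name, net in pubs.items():
        if not net.subnet_of(pub):
            problems.append(f"{name} {net} lies outside the public aggregate {pub}")
        covered += net.num_addresses
    for n1, n2, a, b in _overlaps(pubs):
        problems.append(f"{n1} {a} overlaps {n2} {b}")
    if covered != pub.num_addresses:
        problems.append(f"public blocks cover {covered} of {pub.num_addresses} addresses in {pub}")
    return problems


def nat_pool_addresses(pool=NAT_POOL):
    """Usable translation addresses in the NAT overload pool (network and broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(pool).hosts()]


def vlan_for(address, vlans=VLANS):
    """Longest-prefix match of an address against the VLAN table (None if unassigned)."""
    addr = ipaddress.ip_address(address)
    best = None
    for name, n in vlans.items():
        net = ipaddress.ip_network(n)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None


if __name__ == "__main__":
    print("problems:", check_scheme() or "none")
    print("NAT overload addresses:", nat_pool_addresses())
    print("192.168.7.70 belongs to:", vlan_for("192.168.7.70"))
```

Running the checks against the table as printed reports no problems; a rogue 192.168.8.0/24 added to the VLAN list would be flagged as outside the /21 aggregate, which is the kind of drift that silently breaks summarization and ACLs written against the aggregate.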
WWTC Classified Network Diagram
WWTC Device List
| DEVICE | QUANTITY | LOCATION | DESCRIPTION |
|---|---|---|---|
| CORE/DISTRIBUTION SWITCH: CISCO 6800 XL | 2 | BUILDING CORE | CONNECTED TO CORE AND ACCESS SWITCHES |
| ACCESS SWITCH: CISCO WS-C3750X-48PF-L | 4 | QUAD/ROOMS | CONNECTED TO USER WORKSTATIONS |
| WIRELESS ACCESS POINT: AIRONET 1700 | 3 OR 4 | CONFERENCE ROOMS X2, RECEPTION | WIRELESS IN COMMON AREAS |
| WIRELESS LAN CONTROLLER: CISCO 2500 WLC | 1 | DMZ | CONTROLLER FOR ACCESS POINTS |
| FIREWALL/IDS: CISCO ASA 5500 | 2 TO 4 | DMZ | COMBINED FIREWALL/IDS/VPN |
| ROUTERS: CISCO ASR 1006 X | 2 | DMZ/INTERNET LAYER | GATEWAY TO INTERNET |
| SERVER: CISCO UCS B460 BLADE SERVER | 2 TO 4 | SERVER FARM, EDGE/DMZ | APPLICATION, DHCP, FILE, PUBLIC |
| CUCM: CISCO BE7000 | 1 | SERVER FARM | CALL CONTROL |
| DMZ SWITCH: CISCO 3850 | 1 | DMZ/INTERNET EDGE | CONNECTION FOR PUBLIC SERVERS |
| SERVER FARM SWITCH: CISCO NEXUS 7000 | 1 | SERVER FARM | CONNECTION FOR INTERNAL SERVERS |
| VOICE GATEWAY: CISCO 3800 SERIES VG | 1 | SERVER FARM | CONNECTION TO PSTN FROM VOIP |
WWTC Security Devices
WWTC Active Directory Layout