Example Network Design

This is a task I have performed for my network course. I am uploading to reference in other courses.

Uploaded by

michaelnancarrow

Michael Nancarrow

Small Network Upgrade

Proposed Small Network Upgrade - SkillageIT

TALON TEXTILE FASTENERS


Version   Date            Changes                      Note
1.00      24th February   Created body                 Added base information from review
1.01      25th February   Added small data and table   Review rubric and apply current fields
1.02      27th February   Added data                   Need to test Packet Tracer
1.03      30th February   Added data                   Need to review wording of routing

Friday, 26 June 2015

7/274668453.docx

Contents
Background Current Network
Organisational Structure Old and New
    Sites
        Admin
        Manufacturing
        Sales
        Operations
    Organisation Units
    Server Specifications Dual Selection
    Physical Server(s)
    Role of Server
    Approval
Server Build (Template)
Server Guide
Server and Networking Test
Server Maintenance
Routing Policy
    Planning for Implementation
    Cabling
    Protocols
    Traffic Monitoring
Security
    Perimeter Designs
    Remote Access
    Site To Site Links and VPN
    Defence In Depth
    Security Auditing
    Risk Analysis
Documentation
    Vendor Documentation
    In House Documentation

Background Current Network

Talon Textile Fasteners runs several offices from Head Office (Millicent), Mt Burr, Pts. Pirie and
Adelaide. The current systems are Windows XP machines, Microsoft Small Business Server (2000), a
Linux Red Hat (7.0) file server and a Microsoft SQL Server. System performance is currently not
acceptable: the Manufacturing Supervisor has highlighted that the system does not populate requests fast
enough, and the Sales Manager has stated that manufacturing isn't able to keep up with sales.
There is currently no VoIP service, remote management/access or virtualisation being employed by
the client. All services need to be updated to current operating systems and hardware to ensure the
efficiency of the group is not hindered. Nigel Techner, CIO, has stated that the communications setup
and wireless at Mt Burr can be ignored as this has recently been upgraded; all other technologies need
to be reviewed and set up as soon as possible. The CFO, Eddie Springton, has advised that the current
capital investment for the network upgrade is $150,000.00 AU.
The main deliverables of the project are (but not limited to):
1. Provide the client with more current hardware for the file servers and the SQL database;
2. In-house web server with appropriate security;
3. VoIP implementation for communications;
4. Virtualisation options with redundancy at a domain level;
5. Effective ordering system for online orders to communicate with an in-house database and;
6. Remote access to the database and internal resources.

This does not cover the entire needs of TFF (Talon Textile Fasteners); however, the main project
deliverables are covered. The project can be broken into the following phases:

Planning

Implementation

Testing

Each step needs to be performed during the 10 week project, and must be rolled out to all sites for the
company. Each phase should require two weeks for completion, leaving another 4 weeks for delays,
review and discussions.

Organisational Structure Old and New

Sites
There are currently four main sites for TFF: Head Office located in Millicent, Mt Burr, Pts. Pirie and
Adelaide. There is currently interconnection between the sites (it is considered a WAN). Each site acts
as an independent entity and has its own infrastructure, all of it outdated.

Admin
The admin department (Data Entry Officers) resides in the head office at Millicent. All computers run
Windows XP SP1 and have not been updated for over 12 years; Windows XP left extended support in
April 2014, so these machines no longer receive security patches at all. These computers use an
on-premises file server and SQL database, and use an internal Exchange server for E-Mail. These users
are currently happy with the computers, although they understand that the performance speeds cause
issues. Due to the age of the system and the software used, upgrading to a later operating system (such
as Windows 8) may cause issues with running software.
The admin department is heavily reliant on E-Mail and access to the Microsoft Windows Small
Business Server; both are considered to be critical IT services.
The current hardware infrastructure of this site is as follows:
1. Thirty-five (35) Windows XP computers running Service Pack 1;
2. Three Kyocera FS-3920DN and one Kyocera M2535CDN;
3. One master Domain Controller with DHCP and DNS roles;
4. Linux Red Hat (7.0) file server with a partition for the SQL database.

The IP scheme of head office (hereafter referenced as HO) is 10.128.15.0/24 with the following
devices:
1. The main DC (Domain Controller) has an IP address of 10.128.15.10 and resolves as
   tffdc1.tff.com.au
2. The Linux file server has an IP address of 10.128.15.12 and resolves as qld-lrhfs.tff.com.au
3. The printer scope for static IPs is 10.128.15.2-9, where the FS-3920s occupy .2-.4 and the
   M2535 .5 of the range
4. All computers have static IP addresses in .100-.135 for ease of maintenance for users.
This site has no backup solution, redundancy or remote access, so IT support needs to attend the site
for any IT-related issue. This site's Domain Controller holds all the flexible single master operation
(FSMO) roles; all other DCs in the forest are subordinate to it.
The current phone system is an older desk-phone style, however it has limitations for internal calling
and frequently faces issues with the services being provided. This site needs major consideration for
redundancy, security and failover options to ensure that there is little to no downtime on critical IT
needs.

Manufacturing
The manufacturing plant suffers from a lack of real-time updates from the sales department. In some
respects this site has less IT reliance than others. Currently on site there are:
1. One read-only Domain Controller with DHCP and DNS roles;
2. Four Kyocera FS-3920DN printers;
3. Five Windows XP computers;
4. One plasma television wired to a PC;
5. Three desk phones.

This site's IP address scheme is 10.128.16.0/24.

Once sales push through a sale in their DMS/SQL it should flow through to the section of the DMS that
the manufacturing department has access to. Because this information needs to relay to HO and then
update to the manufacturing site, there are severe delays in the completion of orders. The current
phone system works well, with few issues such as call drop-outs. The printers here are often
over-utilised and frequently have job queues backed up.
The current link to the SQL database, the number of printers and the network speeds for this site need
to be reviewed as a high priority; all sites are negatively affected by the delays experienced at this
site.

Sales
The sales department is negatively impacted by the delayed data transfer to the manufacturing
department, however it has fast access to the servers housed at Millicent. The sales department has
seen an increase of 5% in the previous year and thus requires more hardware infrastructure to support
the growth of the department. The current hardware infrastructure of this site (Pts. Pirie) consists of
the following:
1. One Domain Controller with DHCP and DNS roles at 10.128.17.10 on the 10.128.17.0/24 network;
2. Twenty-five Windows XP machines ranging from 10.128.17.100-.125;
3. Four Kyocera FS-3920DN printers with an IP scheme of 10.128.17.2-.5.
This site is currently functioning at optimal settings, however it would like to be set up as the failover
if Admin faces critical issues.
The current phone system here is not functioning at optimal levels, and thus E-Mail and social
networking have become critical IT services; an in-house Exchange server should be set up here for
faster access.

Operations
The new saw mill at Mt. Burr will be opening soon and will employ approximately 25 employees;
it is estimated only 6 staff will require a computer whilst all other users operate machinery. Mt. Burr
will be receiving a new communications rack and an ADSL2 connection back to Millicent (HO). As this
site is newly opened there is no existing infrastructure in place, so SkillageIT will start from
scratch. This site will require access to the in-house database, phone system, file server and E-Mail.
This site is situated in a remote location and will be difficult to administer/maintain in the event
issues occur. This site needs to be virtualised and have a redundant link so that a failover does not
leave users without services for an extended timeframe.

Organisation Units
As an organisational unit, there are uniform setups for IP schemes and infrastructure. The flexible
single master operation (FSMO) roles are held by one DC, tffdc1.tff.com.au. The following standards
have been applied per site:
1. Domain controllers are assigned the static IP address .10 of each site's network;
2. The Linux file server resolves at .12 of the 10.128.15.0/24 network;
3. The printer scope is .2-.9 (no site's printers have exceeded this range currently);
4. All computers have static IP addresses in .100-.135 for ease of maintenance for users.

Each department requires access to the in-house Exchange server, the DMS/SQL database and the
Linux Red Hat file server. The preliminary organisational unit goal for TFF has been designed with the
following boundaries:
1. Telstra TIPT phone system, resolving through the WAN to an external SIP server;
2. A WAN scenario divided into four sites: Admin, Manufacturing, Operations and Sales;
3. One HP 48-port switch for computers and one 48-port switch for VoIP, with VLANs set up;
4. Default route through the Admin router for accessing the external internet;
5. Citrix remote management server on the 10.128.15.0/24 network;
6. Redundant links within Manufacturing for failover.

There is currently no failover for IT issues, no backup solution and no remote management/access.
Remote access will be provided by single sign-on applications published through Citrix XenApp;
failover routes, backup solutions and a review of the current security policies will be addressed as
part of the upgrade. The preliminary network outline has been designed and is published below. It does
not currently include the hosted Exchange server, backup solution or redundancy links.

[Network overview diagram]

The overview diagram highlights the connection to the internet through the default route on the
10.128.15.0/24 network, how the web server will be hosted for external access and the firewall
policies for the sites. For a detailed breakdown of each site's infrastructure refer to the Server Build
section of this report.

Server Specifications Dual Selection

The current servers are outdated and require updating; the current hardware should also be
replaced at this time. The ideal changes to be made are as follows:
1. A remote access server (XenApp) should be deployed and published so that external access
   can occur;
2. The current file server should be converted to Windows Server 2008/2012 to ensure complete
   compatibility with Active Directory and group policies;
3. A snapshot server should be created to handle SQL backups and the file server changes;
4. The Windows Small Business Server 2000 and its SQL server need to be migrated to a
   newer server OS;
5. An internal SMTP/Exchange server should be created to work in cohesion with the on-site AD and;
6. Redundant links and a secondary DNS/DHCP/DC need to be set up at another site.
To cover power failure, UPS systems should be deployed at each site as specified in the Approval
section. Due to the upgrade of devices there will also be a migration from static IP address schemes
(for computers) to the DHCP server; this will require an overhaul of the current scopes and setup at all
four sites.

Physical Server(s)
Current Servers
The current servers can be described as follows:
- (1) Linux Red Hat (7.0) file server hosted on the 10.128.15.0/24 network;
- (1) master Domain Controller with DNS and DHCP roles hosted on 10.128.15.0/24 and;
- (1) Microsoft Small Business Server with SQL hosted on 10.128.15.0/24.

All servers are hosted on the .15.0 network at Admin. This is the closest connection to the external
router for Telstra and the connection to the internet.
Anticipated Servers
The anticipated servers are as follows:
- (1) master Domain Controller with DNS and DHCP roles hosted on 10.128.15.0/24;
- (1) read-only Domain Controller on the 10.128.18.0/24 network;
- (1) backup Domain Controller on the 10.128.17.0/24 network with DNS and DHCP;
- (1) Citrix remote access server on the 10.128.18.0/24 network;
- (1) Windows Server 2008 on the 10.128.15.0/24 network with SQL;
- (1) secondary backup server for the SQL database;
- (3) Exchange 2013 servers on the .15, .18 and .17 networks, with the SMTP server on .15;
- (1) web server hosted on the .15 Admin network.

There is also a discussion to install a Nagios server for the monitoring of hardware such as WAPs,
switches and other network devices.
If requested, there may also be a print server set up and linked with Active Directory for
maintenance.

Role of Server
There are several additional servers that will be deployed for TFF, each with its own special role.
The main roles to be considered are the Active Directory FSMO roles (Schema, Domain Naming, RID,
PDC Emulator and Infrastructure Masters) and the Global Catalogue server.
Master Domain Controller with DNS and DHCP Role
The master Domain Controller (tffdc1.tff.com.au on the 10.128.15.0/24 network) has the DHCP and
DNS roles applied; this DC also holds all the FSMO roles for the TFF company. This Domain Controller
also houses the Active Directory service and is the root of the TFF forest. This DC is critical for TFF;
any downtime on this machine will cause group-wide downtime for all sites until another DC takes over.
Read Only Domain Controller
The read-only Domain Controller (RODC) will be implemented for redundancy. In the event the master
DC (tffdc1) goes down and the backup DC takes the lead, a further writable DC must still be available.
Note that an RODC cannot be converted in place to a writable DC; it must be demoted and re-promoted,
so the RODC is not itself a failover target for the FSMO roles. The RODC holds a read-only copy of the
directory and acts as a load balancer for DNS requests. Because an RODC caches only the credentials
its Password Replication Policy allows, it is the right choice for a site with weaker physical security.
This server will probably be housed on the 10.128.17.0/24 network.
Backup Domain Controller
The backup Domain Controller helps alleviate the pressure when there is an issue on the main DC. It
serves as the secondary DHCP and DNS server for TFF and can be used as a load balancer when there
is high demand.
Citrix Remote Access Server
An independent server is to be commissioned for remote access to internal files. This Citrix XenApp
server (qld-cit1.tff.com.au) can be housed on any network and will have an external IP address and
public DNS name to allow users to log in to the internal service with their AD accounts. This will
allow the users to work from home and will allow remote management of sessions. Because it is
reachable from the internet, its placement and firewall rules are covered under Perimeter Designs and
Remote Access in the Security section.
Windows Server 2008 with SQL
Windows Server 2000 is no longer supported and needs to be replaced. Because the SQL
database is hosted on this server it needs to be backed up and migrated or virtualised. The Windows
Server 2008 host can act as the host for the SQL database and DMS system and as the file system
(replacing the Red Hat file server). This server can act in a dual role (provided the hardware is updated)
for the in-house DMS and the file server.
One Secondary Backup Server
The secondary backup server holds the backup snapshots of the file server and the SQL database.
This server will be housed on the same network, as we cannot afford to transfer large volumes of data
from site to site, but will have a UPS for power failover.
Exchange 2013 Servers
There will be three Exchange servers to handle E-Mail for the .15, .16 and .18 networks. This will
cover the SMTP gateway, storage and operation. These servers will use AD for groups etc. and
will function internally. The option to convert to Exchange ActiveSync / Office 365 is also available.
Web Server
There will also be a web server to publish applications such as ordering parts from an online
interface. This is separate from Citrix. Once this has been set up the relevant security
protocols/measures will be applied. Further discussion of this is required.

Network Virtualisation
With the physical hardware selected for the server upgrades, the ability to implement hardware
virtualisation through Hyper-V 3.0 becomes available. Hyper-V, formerly Windows Server
Virtualization, is a role that allows multiple servers to be hosted on one physical machine. This
means that one machine can host a file share, DNS server, DHCP server or whatever role
is required through the business. Some of the key uses for Hyper-V could be making virtual
Windows XP machines to support archaic programs, or helping unfamiliar users transition from their
older computers (such XP guests are still unpatched and should be isolated from the rest of the
network). This VM environment can also be utilised for testing application settings and other
real-world settings before applying them to sites.
According to TechNet, the following are the hardware requirements to run the Hyper-V role on a
Windows Server (the page quoted describes Windows Server 2008):
    To install and use the Hyper-V role, you need the following:
    - An x64-based processor. Hyper-V is available in x64-based versions of Windows Server 2008,
      specifically, the x64-based versions of Windows Server 2008 Standard, Windows Server 2008
      Enterprise, and Windows Server 2008 Datacenter.
    - Hardware-assisted virtualization. This is available in processors that include a virtualization
      option, specifically, Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V).
    - Hardware-enforced Data Execution Prevention (DEP) must be available and be enabled.
      Specifically, you must enable the Intel XD bit (execute disable bit) or AMD NX bit (no execute
      bit).
For more information on Hyper-V refer to https://technet.microsoft.com/en-au/library/cc742440.aspx
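Before the Hyper-V role is added to the new hosts, the prerequisites above can be checked from the text that `systeminfo` prints under its "Hyper-V Requirements:" heading on Windows 8 / Server 2012 and later. The following is an added example, not code from this report or from SkillageIT, that parses that output and reports what is missing. The sample text is constructed, and treating SLAT (Second Level Address Translation) as a warning rather than a hard failure is my own choice: it is not in the TechNet list quoted, but Hyper-V requires it from Windows Server 2016 onward.

```python
"""Hyper-V prerequisite check from `systeminfo` output (added example, not from the report)."""
import re

# Lines printed under "Hyper-V Requirements:" by systeminfo.  The three REQUIRED
# names correspond to the TechNet prerequisites quoted above (VT/AMD-V present,
# VT/AMD-V switched on in firmware, hardware DEP via the XD/NX bit).
REQUIRED = (
    "VM Monitor Mode Extensions",
    "Virtualization Enabled In Firmware",
    "Data Execution Prevention Available",
)
# SLAT (Intel EPT / AMD RVI): assumed here to be a warning only, as discussed in the lead-in.
RECOMMENDED = ("Second Level Address Translation",)

# "Hyper-V Requirements:" prefixes only the first line of the block; later lines are indented.
_LINE = re.compile(r"^\s*(?:Hyper-V Requirements:\s*)?([A-Za-z ]+?):\s+(Yes|No)\s*$", re.M)


def parse_hyperv_requirements(systeminfo_text):
    """Map each Hyper-V requirement line to True (Yes) / False (No); {} if none present."""
    wanted = set(REQUIRED) | set(RECOMMENDED)
    return {name: value == "Yes"
            for name, value in _LINE.findall(systeminfo_text) if name in wanted}


def hyperv_readiness(systeminfo_text):
    """Return (ready, missing_required, warnings) for installing the Hyper-V role."""
    if "A hypervisor has been detected" in systeminfo_text:
        # systeminfo hides the block when a hypervisor is already running (e.g. Hyper-V
        # is already installed, or this is itself a VM), so nothing can be evaluated.
        return False, ["cannot evaluate: a hypervisor is already running on this host"], []
    found = parse_hyperv_requirements(systeminfo_text)
    missing = [name for name in REQUIRED if not found.get(name, False)]
    warnings = [name for name in RECOMMENDED if not found.get(name, False)]
    return not missing, missing, warnings


# Constructed sample: the CPU supports VT-x but it has been left disabled in firmware.
SAMPLE_VT_OFF = """\
Host Name:                 ADM-HV01
OS Name:                   Microsoft Windows Server 2012 R2 Standard
Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
                           Virtualization Enabled In Firmware: No
                           Second Level Address Translation: Yes
                           Data Execution Prevention Available: Yes
"""
SAMPLE_OK = SAMPLE_VT_OFF.replace("Virtualization Enabled In Firmware: No",
                                  "Virtualization Enabled In Firmware: Yes")
SAMPLE_NESTED = ("Host Name:                 ADM-HV02\n"
                 "Hyper-V Requirements:      A hypervisor has been detected. "
                 "Features required for Hyper-V will not be displayed.\n")

if __name__ == "__main__":
    for label, text in (("vt-off", SAMPLE_VT_OFF), ("ok", SAMPLE_OK), ("nested", SAMPLE_NESTED)):
        ready, missing, warnings = hyperv_readiness(text)
        print(label, "ready" if ready else "NOT ready", missing, warnings)
```

On the hosts themselves, run `systeminfo > hv.txt` in a Command Prompt and feed the file's contents to `hyperv_readiness()`; a "No" for "Virtualization Enabled In Firmware" is fixed in the BIOS/UEFI setup, not in Windows.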

Windows Server 2012 System Requirements(1) and Pricing(2)

CPU            1.4 GHz 64-bit processor
RAM            512 MB
HDD            32 GB
Plan           Standard
Designed for   Low-density and non-virtualised environment
Features       Full Windows Server functionality with two virtual instances
License type   Processor + CAL
Price          $882.00 (USD)

To an enterprise, three key benefits of Microsoft's server are the data deduplication process, the
implementation of Hyper-V 3.0 and out-of-the-box server management. Along with the tools
to operate the system, there are online forums, technical support and hardware support
associated with a Microsoft product(3).

1 Microsoft Server 2012 (R2) also requires a Gigabit Ethernet adapter.

2
By enabling server virtualisation in a data centre, or across a high-speed WAN, virtual server images
(.vhd/.vhdx) can be migrated between host machines in a live environment. Utilising hardware that can
perform this function will give TFF a greater uptime percentage and lower their downtime.
Assume Server A and Server B are two of the Eland Pro Pedestal servers (mentioned below), with the
DC, DNS, DHCP and Exchange server all hosted on Server A. In the event of network issues on
premise, or the requirement to move from one site to another, Windows Server 2012 with Hyper-V
3.0 can live migrate the running virtual machine, and with storage migration its VHDX (virtual hard
disk), from Server A to Server B. The virtual machine keeps serving clients throughout; only the final
switchover pauses it briefly. Live migration between sites assumes the 1 Gb/s fibre links described under
Server Guide; the ADSL2 link to Mt Burr is not suitable for it.

By utilising this tool, there is greater flexibility in moving servers and data from site to site with
little to no downtime. The key role server virtualisation can perform for TFF is the ability to take
checkpoints of servers in real time; in the event of an attack or malfunction on a server, the server
with the troublesome VHD can be decommissioned and the older checkpoint brought back up. Checkpoints
do not replace the backup server, and a Domain Controller should not be rolled back to a checkpoint
unless host and guest both support VM-Generation ID (Windows Server 2012 and later), as doing so on
older systems causes USN rollback.

3 Refer to Appendix I for full breakdown of the benefits listed


Approval
The following hardware will be purchased (upon approval) for the new network design:

Device                                            Price Per Unit   Qty   Approval (Total)    Asset Tag
Cisco Meraki Cloud Managed Indoor Access Points   $480.00          25    CFO - $12,000.00    20140000-0025
HP1620                                            $680.00          10    CFO - $6,800.00     20140026-0036
Eland Pro Pedestal                                $15,000.00       3     CFO - $45,000.00    20140037-40
Intel Core i5 4690 Turbo Pack                     $802.00          25    CFO - $20,050.00    20140041-66
Toshiba SATPro L50 PSKT5A-001001                  $799.00          25    CFO - $19,975.00    20140067-20140093
Powershield UPS 750VA Safeguard Line Interactive  $109.00          5     CFO - $545.00       20140094-0099
HP Jetdirect Ew2500 Wireless Print Server         $329.00          1     CFO - $329.00       20150000
Eland Pedestal                                    $357.00          -     CFO - $2,500.00     20150000-0005

(Quantities for the UPS and the print server are derived from the approved totals; the Eland Pedestal
quantity is not stated.)

The line items above total $107,199.00, leaving $42,801.00 of the $150,000.00 budget for the purchase of
software (XenApp, Microsoft Server(s), backup solutions etc.). This will need to be placed before the
board (CIO, CEO and CFO) for the required approval. This plan covers all required servers, UPS devices,
wireless access points and 50 stations for users. There are also two switches per site with a backup of
two switches for replacement. There will also need to be 5 routers added for the new cutover, or
possibly a re-design of the current router infrastructure.

Server Build (Template)

Domain Controller 1
Name: tffdc1.tff.com.au
IP Address: 10.128.15.10
Roles: FSMO master, DNS, DHCP and AD DS
Redundancy: Backup Domain Controller
Purpose: Primary DHCP and DNS, master DC; provides AD services for the TFF group.
Backup Domain Controller
Name: tffdc2.tff.com.au
IP Address: 10.128.16.10
Roles: DNS, DHCP and AD DS
Redundancy: Read Only Domain Controller
Purpose: Secondary Domain Controller for load balancing.
Read Only Domain Controller
Name: rodctff.tff.com.au
IP Address: 10.128.17.10
Roles: Read-only replica of DC1; DNS, DHCP and AD DS can be applied
Redundancy: No redundant option for this DC.
Purpose: Read-only DC; can be demoted and re-promoted as a writable DC in the event of the secondary
DC going down.
Citrix XenApp Server
Name: xenapp.tff.com.au
IP Address: 10.128.15.110 (note: this falls inside the .100-.135 workstation static range) with
external IP address of 172.201.144.11
Roles: Remote access
Redundancy: There is no redundancy for the Citrix server
Purpose: Remote access server which allows external access to internal resources
Backup Server
Name: tffbk.tff.com.au
IP Address: 10.128.15.201
Roles: Backup
Redundancy: There is no redundancy for this server.
Purpose: Performs backups of the file server and SQL database periodically

Windows 2008 Server + SQL

Name: sqlfs.tff.com.au
IP Address: 10.128.15.12
Roles: File share and SQL database
Redundancy: not stated
Purpose: Main file share server; also hosts SQL for the in-house DMS
Print Server
Name: printsvr.tff.com.au
IP Address: 10.128.15.202
Roles: Primary print server
Redundancy: There is no redundancy for this server
Purpose: Set up for universal printer management
Web Host Server
Name: websvr.tff.com.au
IP Address: 10.128.15.220 with external IP address of 172.201.144.13
Roles: Web hosting for client orders
Redundancy: not stated
Purpose: To allow clients to place orders externally into the internal database.
Exchange Server
Name: exchsvr.tff.com.au
IP Address: .221 on each of 10.128.15.0/24, 10.128.16.0/24 and 10.128.17.0/24
Roles: Exchange servers for the sites
Redundancy: Each server can act as redundancy for the others
Purpose: Internal Exchange hosting and E-Mail
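The per-site standard from the Organisation Units section (DC at .10, file server at .12, printers .2-.9, workstations .100-.135) can be checked mechanically against the Server Build template above. The following is an added example, not code from this report or from SkillageIT: it encodes the reserved ranges and the template's addresses, reports any entry that lands in a range reserved for another class of device or duplicates another address, and derives the DHCP scope each site would get for the planned static-to-DHCP migration. The .100-.199 scope, the exclusion handling, the device "kind" labels, and the inclusion of the Admin switch and default gateway addresses from the switch configuration example are my own assumptions. Run against the page's own figures it flags one problem: xenapp.tff.com.au at 10.128.15.110 sits inside the .100-.135 workstation range.

```python
"""Address-plan checker for the TFF per-site standard (added example, not from the report)."""
import ipaddress
from collections import Counter

SITES = {
    "Admin": ipaddress.ip_network("10.128.15.0/24"),
    "Manufacturing": ipaddress.ip_network("10.128.16.0/24"),
    "Sales": ipaddress.ip_network("10.128.17.0/24"),
    "Operations": ipaddress.ip_network("10.128.18.0/24"),
}

# Host offsets reserved in every site /24 (Organisation Units section) and the
# device kinds allowed to occupy them.  The kind labels are our own.
STANDARD = {
    "printers": ((2, 9), {"printer"}),
    "domain_controller": ((10, 10), {"dc"}),
    "file_server": ((12, 12), {"fileserver"}),
    "workstations_static": ((100, 135), {"workstation"}),
}

# Server Build template addresses, plus the switch and gateway from the VLAN example.
SERVERS = [
    ("tffdc1", "10.128.15.10", "dc"),
    ("tffdc2", "10.128.16.10", "dc"),
    ("rodctff", "10.128.17.10", "dc"),
    ("sqlfs", "10.128.15.12", "fileserver"),
    ("xenapp", "10.128.15.110", "server"),
    ("tffbk", "10.128.15.201", "server"),
    ("printsvr", "10.128.15.202", "server"),
    ("websvr", "10.128.15.220", "server"),
    ("exchsvr-adm", "10.128.15.221", "server"),
    ("exchsvr-man", "10.128.16.221", "server"),
    ("exchsvr-sal", "10.128.17.221", "server"),
    ("adm_switch", "10.128.15.200", "switch"),
    ("adm_gateway", "10.128.15.254", "router"),
]


def site_of(ip):
    """Name of the site whose /24 contains ip, or None if it is outside every site."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SITES.items() if addr in net), None)


def reserved_range(ip):
    """Name of the standard range the host offset falls in, or None."""
    offset = int(ipaddress.ip_address(ip)) & 0xFF  # every site is a /24, so the last octet
    for name, ((lo, hi), _allowed) in STANDARD.items():
        if lo <= offset <= hi:
            return name
    return None


def find_conflicts(servers=SERVERS):
    """(name, ip, problem) for every entry that breaks the per-site standard."""
    problems = []
    counts = Counter(ip for _, ip, _ in servers)
    for name, ip, kind in servers:
        if site_of(ip) is None:
            problems.append((name, ip, "outside every site /24"))
            continue
        if counts[ip] > 1:
            problems.append((name, ip, "duplicate address"))
        rng = reserved_range(ip)
        if rng is not None and kind not in STANDARD[rng][1]:
            problems.append((name, ip, f"inside reserved range '{rng}'"))
    return problems


def dhcp_scope(site, servers=SERVERS):
    """Assumed scope .100-.199 per site; statically addressed hosts inside it become exclusions."""
    net = SITES[site]
    start, end = net.network_address + 100, net.network_address + 199
    statics = (ipaddress.ip_address(ip) for _, ip, _ in servers if site_of(ip) == site)
    exclusions = sorted(a for a in statics if start <= a <= end)
    return str(start), str(end), [str(a) for a in exclusions]


if __name__ == "__main__":
    for problem in find_conflicts():
        print("CONFLICT", *problem)
    for site in SITES:
        print(site, *dhcp_scope(site))
```

The scope deliberately covers the existing .100-.135 static block so that workstations can be moved to DHCP in place without renumbering; anything static that remains inside the scope (here the XenApp server, until it is moved) has to be configured as a DHCP exclusion on the site's DC.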

These sites can be broken down as in the following diagrams (not reproduced in this extract):

Admin Site 10.128.15.0/24

Manufacturing Site 10.128.16.0/24

Sales Site 10.128.17.0/24

Operations Site 10.128.18.0/24

Switches are configured with a universal setup as follows (ProCurve-style CLI; the adm_ prefix marks
the Admin site switch and 10.128.15.254 is that site's default gateway):

VLAN Configuration (Example)
hostname "adm_switch_hp1620_48p"
; Map AF31-marked (VoIP) traffic to priority 4 and honour DiffServ code points
qos dscp-map af31 priority 4
qos type-of-service diff-services
ip default-gateway 10.128.15.254
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-52
   ip address 10.128.15.200 255.255.255.0
   qos dscp af31
   exit
vlan 2
   name "VLAN2"
   tagged 49-52
   no ip address
   exit
; Low bridge priority makes this switch the likely spanning-tree root for the site
spanning-tree
spanning-tree priority 2
; No unauthenticated configuration transfers; set local manager/operator passwords
no tftp server
no dhcp config-file-update
password manager
password operator
; Caveat: the management address sits on VLAN 1 with every port untagged, so any host on
; the site can reach the switch management plane. Before cutover move management to its
; own VLAN and restrict it (e.g. ip authorized-managers, ip ssh, no telnet-server).

Server Guide
The primary Domain Controller, Microsoft Windows 2008 Server with SQL and web hosting server
run the following hardware(4):
1. No operating system support
2. 2.70 GHz E5-2697 v2 (30 MB cache, 130 W, 12 cores, 24 threads)
3. 128 GB quad-channel registered ECC DDR3 at 1333 MHz (8 x 16 GB)
4. 2.70 GHz E5-2697 v2 (30 MB cache, 130 W, 12 cores, 24 threads)
5. 128 GB quad-channel registered ECC DDR3 at 1333 MHz (8 x 16 GB)
6. RAID 10: adds an 8-port hardware RAID card
7. 24 TB RAID 10: 8 x 6 TB 3.5" 7200 RPM drives
8. Lights-out remote management module
9. RAID battery backup: ensures data integrity in the event of power failure
10. 10 Gb SFP+ dual-port network adapter
11. Second dual-layer CD-RW / DVD-RW
12. Dual-layer CD-RW / DVD-RW
13. Pedestal to 4U rack conversion kit
14. Logitech Desktop MK200
15. 20" widescreen LCD display (1600x900)
16. 3 year limited labour and overnight parts warranty

4 Please refer to the Appendix for technical information on the servers


The other servers are pre-deployed with the relevant OS and roles (as the manufacturer builds them to
order) to cover all relevant needs. The credentials to log in to these systems are variants of the
following:
Username: issadmin
Password: <rub1x>
Password: <sk1ll@g3!>
Password: <sysw0w64>
These are build-time credentials only: change them on first login to unique per-server passwords kept
in a password vault rather than in this document. All servers will have appropriate security
permissions set to prevent users from tampering with settings. The hardware choices far exceed the
current needs of TFF, but have been built with the intention to perform their role for a minimum of
five years before needing to be upgraded.
The speeds of the servers and computers will (it is anticipated) exceed the requirements of the
customer, but will ensure that the effectiveness of the company is not hindered. The switches are
connected via a 1 Gb/s fibre-optic link, and depending on provider, will be efficient enough to handle
all data on the current WAN network.

Server and Networking Test

For server testing and network testing, the following tools are suggested:
Diagnostic
1. Wireshark
2. NetBrute Scanner
3. Cisco Network Manager
Security
1. LanGuard
2. ZoneAlarm
DOS Commands
1. Ping
2. Pathping
3. Tracert
4. NetStat
5. NSLookup

Testing should focus on ensuring that data reaches its destination (such as the default-route router) in a timely manner, that access to the database and file server occurs in an acceptable timeframe, that failover methods such as secondary WAPs work, and that all devices on the network can be monitored. Example tests are as follows:
1. Remove or turn off the default-route router to the Internet to ensure that the Provider Edge routers are able to set up a secondary route to the Internet;
2. Turn off the primary Domain Controller and ensure that the secondary DC continues to provide authentication, DNS and DHCP to the network;
3. Access the web server internally and externally; and
4. Ensure that the UPS units provide little to no downtime for users when power outages occur.


Server Maintenance
Maintaining the hardware and software on servers is crucial for increasing the lifespan of the device and providing services in a timely manner. Server maintenance should occur regularly to ensure that system performance remains acceptable. Server maintenance can mean applying Windows updates and patches or physically cleaning hardware. There should be strict guidelines for maintenance applied to servers, e.g. each Friday a given server is backed up, updates are applied and it is rebooted. When there are issues with servers, the issue should be rectified as quickly as possible, the scenario reviewed and then relevant changes made to the server (if applicable) to prevent future instances.
The on-going maintenance plan can be summarised as follows:
1. All relevant system(s) will be backed up once per month, prior to updates and patches being applied;
2. System logs will be monitored and reviewed periodically to ensure there are no issues with the service;
3. All systems will be rebooted one Sunday per month to ensure there are no lingering issues with the system.
Management is to be consulted for any other changes required. Full details of changes are to be documented for historical purposes.

Routing Policy
Routing policies need to be applied to provide QoS and load balancing. Policies need to be set up for web traffic (HTTP on TCP 80, HTTPS on TCP 443), FTP (TCP 21) and other internal applications. The following routing policies are defined:

Packet Size
All routing policies are defined in the enterprise security software, currently McAfee, as follows:

Monitoring packet size and destination is important to ensure there are no network overloads or attacks from external parties. By placing size limits on packets, such as the SMTP traffic from Outlook, TFF is able to spot anomalous transfers and limit the damage of malicious activity. Size limits on their own do not stop an attack that uses normal-sized packets, so they complement rather than replace the port and application rules that follow.


Application
Monitoring data sent from an application is important. The routing policies and firewall settings need to be set up to allow only desired connections to be established; this is imperative when hosting a web service such as online order forms. By employing enterprise security such as the McAfee security engine, the internal IT team can trace packet destinations and create firewall rules to either accept or deny requests:

Whilst using the GUI is easier, administrators should be able to delve into the command line to perform testing. All policies need to be set up in one universal program for ease of access, and must be able to be altered by the IT team if needed.

Port/Protocol
Port 80: HTTP Protocol
At present there is only one default route to the web, through the CPE router on the .15 network. All routing through the WAN is set up by the provider, with redundant links there. An obsolete routing policy of the following form still exists:
[Client IP address] > 10.128.[Site].254 (site CPE router) > CPE router > 10.128.15.254 > Internet
In some cases, such as access to the web application, port 80 is filtered so that only secure (HTTPS) access is allowed.
Port 443: HTTPS Protocol
HTTPS traffic is filtered only for content size, to limit DoS and other malicious attacks. The provider handles all routes for this protocol.
Port 21: FTP Protocol
FTP is denied by default; only explicitly listed destinations (known internal and external hosts) are allowed.
Port 25: SMTP Protocol

SMTP is accepted, subject to packet size. The default route for this protocol is in place and traffic is filtered only when large packets are sent, when volumes are high, or when the firewall (or anti-virus) flags the packets as malicious.
Port 23: Telnet
Telnet is denied by default. The router rule adds known exceptions such as:
If the destination address is 172.20.3.34:23 then allow the traffic, otherwise block it.
This pattern ensures that only applications with an approved destination are permitted a connection. Because Telnet carries credentials in clear text, each exception should be reviewed and replaced with SSH where the target device supports it. The policy relies on the firewall, router and anti-virus solution together for data integrity and security.

Planning for Implementation

There are core services that need to function correctly alongside the routing policies, such as:
1. Full functionality of the internal DNS and DHCP services;
2. Full functionality/access to internal resources such as the SQL database;
3. Full functionality/routing to the local Exchange servers for e-mail.
Because all sites operate on the same WAN, applying universal application-based routing rules and port/protocol rules should be straightforward; with no overlapping IP ranges on the internal WAN, MPLS does not need to be employed.
All routing for TFF can be done through the perimeter firewall and applied to all sites. Testing for full accessibility to internal resources, to the web server from external sources and to e-mail should occur before rolling out changes.

Cabling
All cabling will be handled internally. Colour-coded RJ45 patch leads will be used on switches to distinguish servers, WAPs, computers and phones. Ideally, using the ports from left to right (0-12 and 25-36) on all switches will allow for easier scalability in the future.
Fibre converters (LC to SC) will be a universal option and will be deployed on all newer switches.
Cable ties will be applied in the communications rack and zip ties to user cables. This will help minimise damage to cables and mess, and ultimately make the cabling easier to monitor and maintain.

Protocols
Several different protocols will be employed for TFF, such as HTTP(S), FTP and STP. Each protocol is a standard employed for an operation on the network.
HTTP/HTTPS: Hyper Text Transfer Protocol (Secure): the set of rules for transferring files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web.
SSL: Secure Sockets Layer: the standard security technology for establishing an encrypted link between a web server and a browser (its successor, TLS, is what current browsers and servers negotiate).
FTP: File Transfer Protocol: a standard network protocol used to transfer computer files from one host to another over a TCP-based network, such as the Internet.
STP: Spanning Tree Protocol: a network protocol that ensures a loop-free topology for any bridged Ethernet local area network. The basic function of STP is to prevent bridge loops and the broadcast radiation that results from them. Spanning tree also allows a network design to include spare (redundant) links to provide automatic backup paths if an active link fails, without the danger of bridge loops or the need to manually enable or disable these backup links.


SMTP: Simple Mail Transfer Protocol: an Internet standard for electronic mail (e-mail) transmission.
Each protocol uses a standard port and can be defined as an application/protocol rule within an enterprise solution. By setting policies based on port usage, such as ftp.server.example:21, TFF can narrow the avenues an attacker has to penetrate the internal network.

Traffic Monitoring
Traffic monitoring should occur for both security and review. Tools such as Microsoft Network Monitor and Nagios will allow TFF to highlight bandwidth hogs or isolate issues with the network.
By employing a monitoring solution such as Nagios, TFF is able to actively watch the services of all servers, switches and WAPs and identify minor issues that could escalate to larger problems if not attended to. By implementing another tool such as BandwidthD, TFF will be able to identify network usage by IP address or computer. This tool will allow TFF to spot DDoS attacks or other network problems that would hinder performance for others.
Nagios is an open-source tool that monitors infrastructure by polling hosts and services with check plugins (for example ping, SNMP or NRPE checks) for information on current services, such as:

All hosts and services can be expanded for more detailed information on issues and history. By coupling this with site-hierarchy schemes (parent/child host dependencies) Nagios can tell whether an entire network is down or just portions of it (such as wireless devices off WAP1). An example of the network monitor is shown as follows:


By coupling a monitoring solution such as Nagios with a database of alert history, TFF will be able to increase overall system uptime and speed up the response to issues.
It is also important to track service usage for TFF, such as how much data is being used per PC and per protocol. Using BandwidthD to achieve this can help reduce network load by identifying and stopping known issues.
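As an added example (not from the original report and not code from the Nagios project), the following Python script shows the contract a Nagios check plugin has to meet: it computes link utilisation from two SNMP interface octet counters, handles the 32-bit counter wrap, and returns the standard exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) plus a one-line status with performance data. The host name, counter values and thresholds are constructed for illustration; a real deployment would read the counters with snmpget and run the script from a Nagios command definition.

```python
import sys

# Nagios plugin exit codes (the standard plugin API).
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def octets_rate(prev: int, curr: int, interval_s: float, counter_bits: int = 32) -> float:
    """Bits per second between two ifInOctets/ifOutOctets samples.

    SNMP 32-bit counters wrap at 2**32; a saturated 1 Gbit/s link wraps one in
    roughly 34 seconds, so a negative delta is treated as a wrap, not an error.
    """
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    delta = curr - prev
    if delta < 0:
        delta += 1 << counter_bits
    return delta * 8 / interval_s


def check_link_utilisation(host: str, prev_octets: int, curr_octets: int,
                           interval_s: float, link_bps: int,
                           warn_pct: float, crit_pct: float):
    """Return (exit_code, output_line) in Nagios plugin format:
    'LABEL STATE - human readable text | label=value;warn;crit;min;max'."""
    if not 0 <= warn_pct <= crit_pct <= 100:
        return UNKNOWN, f"LINK UNKNOWN - bad thresholds warn={warn_pct} crit={crit_pct}"
    bps = octets_rate(prev_octets, curr_octets, interval_s)
    util = 100.0 * bps / link_bps
    if util >= crit_pct:
        state = CRITICAL
    elif util >= warn_pct:
        state = WARNING
    else:
        state = OK
    text = (f"LINK {STATE[state]} - {host} {util:.1f}% of "
            f"{link_bps / 1e6:.0f} Mbit/s ({bps / 1e6:.2f} Mbit/s)")
    perf = f"util={util:.1f}%;{warn_pct};{crit_pct};0;100"
    return state, f"{text} | {perf}"


if __name__ == "__main__":
    # Constructed sample: two counter readings 10 s apart on a 100 Mbit/s uplink
    # (hypothetical switch name; values chosen to land in the WARNING band).
    code, line = check_link_utilisation("sw-admin uplink", 0, 106_250_000, 10,
                                        100_000_000, 70, 90)
    print(line)
    sys.exit(code)   # Nagios reads the state from the exit code, not the text
```

The exit code is what Nagios acts on; the text before the pipe is what appears in the web interface and the performance data after it is what graphing add-ons consume.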

Overall, live system monitoring helps the internal IT department highlight any issues within the network and attend to them before they have consequences for the business. Ensuring that critical IT services are operational is an imperative goal on any network.


Security
Implementing firewalls per site is a key measure to maximise security against both external and internal attacks. This section highlights the security measures SkillageIT employs for clients.

Perimeter Designs
Implementing perimeter firewalls/security (note 5) is a crucial step to ensuring the internal network is safely guarded. The following network design highlights the flow of network traffic employed at TFF.

Border routers and switches are referred to as CPE (Customer Premises Equipment) in this document, and firewalls have not been drawn. The diagram above shows both the .15 network and the WAN, which can be defined as follows:

Note: to keep the diagram readable, the routing and IP address schemes have been omitted from it.
It is also important to know common forms of attack on networks, such as:
1. Packet sniffers/sniffing;
2. IP spoofing;
3. Denial of Service attacks (DoS);
4. Application layer attacks;
5. Virus attacks; and
6. Trojans

5 https://technet.microsoft.com/en-us/library/cc700828.aspx

All of the above attacks are expanded upon on the TechNet website. By employing strict policy guidelines, most of these attacks can be identified and acted on. By employing a Class 4 (high-end hardware) firewall TFF can obtain the following:

The advantages and disadvantages of this firewall class are highlighted as follows:

Advantages
High performance
Hardware firewall products are designed for a single purpose and provide high levels of intrusion blocking together with the least degradation of performance.
High availability
High-end hardware firewalls can be connected together for optimal availability and load balancing.
Modular systems
Both hardware and software can be upgraded for new requirements. Hardware upgrades may include additional Ethernet ports, while software upgrades may include detection of new methods of intrusion.
Remote management
High-end hardware firewalls offer better remote management functionality than their low-end counterparts.
Resilience
High-end hardware firewalls may have availability and resilience features, such as hot or active standby with a second unit.
Application layer filtering
Unlike their low-end counterparts, high-end hardware firewalls provide filtering for well-known applications at layers 4 through 7 of the OSI model.


Disadvantages
High cost
High-end hardware firewalls tend to be expensive. Although a hardware firewall can be purchased for as little as $100, the cost is much higher for an enterprise firewall, since the price is often based on the number of concurrent sessions, throughput, and availability requirements.
Complex configuration and management
Because high-end hardware firewalls have much greater capability than low-end firewalls, they are also more complex to configure and manage.
Although this option can be more expensive and difficult to maintain than other firewall options, it addresses a far wider range of threats. The system can be tuned to match IP policies, port policies, ICMP messages, outgoing access and application protection, and provides real-time alerts and logging for security review.
By coupling this option with the remote management feature and VPN connectivity TFF is able to maximise the security of internal and external access to systems. This is the preferred option for TFF. The following issues are known considerations when employing a perimeter firewall and should be weighed before selecting an enterprise solution:
Issue / Typical characteristics of a firewall implemented in this capacity

Issue: Required firewall features, as specified by the security administrator.
Typical characteristic: This is a balance between the degree of security required versus the cost of the feature and the potential degradation of performance that increased security may cause. While many organizations want the maximum security for a perimeter firewall, some are not willing to take the performance hit. For example, very high-volume Web sites not involved with e-commerce may allow lower levels of security, based on higher levels of throughput obtained by using static packet filters instead of application layer filtering.

Issue: Whether the device will be a dedicated physical device, provide other functionality, or be a logical firewall on a physical device.
Typical characteristic: As the gateway between the Internet and the enterprise's network, the perimeter firewall is often implemented as a dedicated device, in order to minimize the attack surface and accessibility of internal networks that would occur if the device were breached.

Issue: Manageability requirements for the device, as specified by the organization's management architecture.
Typical characteristic: Some form of logging is typically used, while an event monitoring mechanism is also often required. Remote administration may not be allowed here, in order to prevent a malicious user from remotely administering the device; only local administration will be allowed.

Issue: Throughput requirements, which will likely be determined by the network and service administrators within the organization.
Typical characteristic: These will vary for each environment, but the power of the hardware in the device or server and the firewall features being used will determine the overall network throughput available.

Issue: Availability requirements.
Typical characteristic: As the gateway to the Internet in large enterprises, high levels of availability are often required, especially when a revenue-generating Web site is protected by a perimeter firewall.

If a perimeter firewall is set up per site, it is recommended (note 6) that the following settings be reviewed to ensure compliance with the master perimeter firewall:
1. Deny all traffic unless explicitly allowed.
2. Block incoming packets that claim to have an internal or perimeter network source IP address.
3. Block outgoing packets that claim to have an external source IP address (traffic should only originate from bastion hosts).
4. Allow UDP-based DNS queries and answers from the DNS resolver to DNS servers on the Internet.
5. Allow UDP-based DNS queries and answers from Internet DNS servers to the DNS advertiser.
6. Allow external UDP-based clients to query the DNS advertiser and receive an answer.
7. Allow TCP-based DNS queries and answers from Internet DNS servers to the DNS advertiser.
8. Allow outgoing mail from the outbound SMTP bastion host to the Internet.
9. Allow incoming mail from the Internet to the inbound SMTP bastion host.
10. Allow proxy-originated traffic from the proxy servers to reach the Internet.
11. Allow proxy responses from the Internet to be directed to the proxy servers on the perimeter.
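The Port/Protocol rules earlier in this report (default deny, HTTPS-only access to the web application, explicit FTP destinations, the Telnet exception for 172.20.3.34) and the TechNet anti-spoofing and bastion-host rules in the list above describe the same first-match packet-filter logic. The following Python model is an added example, not the report's configuration and not McAfee's rule syntax: it encodes both sets of rules and evaluates constructed sample flows against them. The site networks follow the report's 10.128.[site].0/24 scheme; the web server, SMTP bastion, DNS resolver and FTP partner addresses are assumptions, and the external addresses are IETF documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")

# Assumed address plan: the report names the 10.128.[site].0/24 networks
# (.15 to .18) and the Telnet exception host 172.20.3.34; the server
# addresses and the FTP partner below are hypothetical.
INTERNAL = [ip_network("10.128.15.0/24"), ip_network("10.128.16.0/24"),
            ip_network("10.128.17.0/24"), ip_network("10.128.18.0/24"),
            ip_network("172.20.0.0/16")]
WEB_SERVER = ip_network("10.128.15.10/32")       # hypothetical web application host
SMTP_BASTION = ip_network("10.128.15.25/32")     # hypothetical inbound/outbound mail relay
DNS_RESOLVER = ip_network("10.128.15.53/32")     # hypothetical internal resolver
FTP_PARTNERS = [ip_network("203.0.113.5/32")]    # hypothetical explicit FTP destination
TELNET_EXCEPTION = ip_network("172.20.3.34/32")  # from the report


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = Internet to site, "out" = site to Internet
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, f: Flow) -> bool:
        return (self.direction in ("any", f.direction)
                and self.proto in ("any", f.proto)
                and ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and (self.dport is None or self.dport == f.dport))


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def build_policy() -> List[Rule]:
    """Explicit allow list; anything not matched falls through to the default deny."""
    rules = [
        Rule("http-out", "allow", "out", "tcp", dport=80),
        Rule("https-out", "allow", "out", "tcp", dport=443),
        # Web application: only HTTPS is opened from the Internet; port 80 stays closed.
        Rule("https-in-webapp", "allow", "in", "tcp", dst=WEB_SERVER, dport=443),
        # Mail only ever enters or leaves through the bastion host.
        Rule("smtp-in-bastion", "allow", "in", "tcp", dst=SMTP_BASTION, dport=25),
        Rule("smtp-out-bastion", "allow", "out", "tcp", src=SMTP_BASTION, dport=25),
        Rule("dns-out-resolver", "allow", "out", "udp", src=DNS_RESOLVER, dport=53),
        # The report's single Telnet exception; everything else on 23 is denied.
        Rule("telnet-exception", "allow", "any", "tcp", dst=TELNET_EXCEPTION, dport=23),
    ]
    for partner in FTP_PARTNERS:
        rules.append(Rule("ftp-explicit-destination", "allow", "out", "tcp",
                          dst=partner, dport=21))
    return rules


def evaluate(flow: Flow, rules: List[Rule]) -> Tuple[str, str]:
    """Return (action, reason). Anti-spoofing checks run before the rule table."""
    if flow.direction == "in" and is_internal(flow.src):
        return "deny", "anti-spoof: inbound packet with internal source"
    if flow.direction == "out" and not is_internal(flow.src):
        return "deny", "anti-spoof: outbound packet with external source"
    for rule in rules:  # first match wins
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    policy = build_policy()
    # Constructed sample flows; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
    for f in [Flow("out", "tcp", "10.128.16.20", "198.51.100.7", 443),
              Flow("out", "tcp", "10.128.16.20", "198.51.100.7", 23),
              Flow("out", "tcp", "10.128.16.20", "172.20.3.34", 23),
              Flow("in", "tcp", "198.51.100.7", "10.128.15.10", 80),
              Flow("in", "tcp", "10.128.15.77", "10.128.15.10", 443)]:
        print(f, "->", evaluate(f, policy))
```

Two points the model makes visible: the anti-spoofing checks sit outside the rule table so that no later allow rule can override them, and the only thing an unlisted service can ever match is the default deny.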

Overall, SkillageIT recommends dual high-end firewalls for redundancy, as so:

This can be achieved by deploying one unit as the master firewall and having the secondary receive policy changes automatically as a mirrored firewall. This can be accomplished with a heartbeat setup in which traffic is balanced between the firewalls:

The only downsides of load balancing across firewalls are increased complexity (if mirroring is not in place) and increased load on the remaining firewall when one node goes down. The full breakdown of the advantages, disadvantages and setup can be viewed at: https://technet.microsoft.com/en-us/library/cc700828.aspx

6 All information is sourced from TechNet, and is not written by SkillageIT

Remote Access
Remote access to internal web applications runs via a Citrix XenApp server. Inbound Remote Desktop (the protocol used by mstsc.exe) is blocked on the firewall for any external access, for example someone trying to connect from outside to a known internal IP address. Remote Desktop on all computers is disabled and requires administrator credentials to enable.
To log on to any server, or to open a management session to any switch or WAP, you must have elevated privileges such as Domain Administrator. Due to these policies the only method for a non-admin account to reach a desktop session is via the Citrix XenApp application, accessed at remote.tffmstsc.com (a public DNS name that points to this specific service).
The decision to patch RDP is supported by the following (TechNet article, note 7):
The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
The requirement for remote support within TFF can be handled with third-party software such as LanDesk, which notifies the end user when someone is accessing their computer remotely.

Site To Site Links and VPN

The setup of an internal intranet VPN will allow site-to-site communication throughout the WAN (Wide-Area Network). VPN and associated protocols are defined (note 8) as follows:
Tunneling enables the encapsulation of a packet from one type of protocol within the datagram of a different protocol. For example, VPN uses PPTP to encapsulate IP packets over a public network, such as the Internet. A VPN solution based on Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP), or Secure Socket Tunneling Protocol (SSTP) can be configured.
PPTP, L2TP, and SSTP depend heavily on the features originally specified for Point-to-Point Protocol (PPP). PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames and then transmits the encapsulated PPP packets across a point-to-point link. PPP was originally defined as the protocol to use between a dial-up client and a network access server.
PPTP (Point-to-Point Tunnelling Protocol) can be employed for site-to-site VPN tunnels. This protocol was selected as the best fit for TFF, with the following properties:
PPTP can be used with a variety of Microsoft clients including Microsoft Windows 2000, Windows XP, Windows Vista, and Windows Server 2008. Unlike L2TP/IPsec, PPTP does not require the use of a public key infrastructure (PKI). By using encryption, PPTP-based VPN connections provide data confidentiality (captured packets cannot be interpreted without the encryption key). PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).

7 https://technet.microsoft.com/library/security/ms12-020
8 https://technet.microsoft.com/en-us/library/cc771298(WS.10).aspx

Whilst this protocol does not ensure that data has not been tampered with in transit, the ease of management and setup compared to other protocols is judged to outweigh this risk. It is SkillageIT's belief that the encryption method of PPTP is sufficient, as described below:
The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys generated from the MS-CHAP v2 or EAP-TLS authentication process. Virtual private networking clients must use the MS-CHAP v2 or EAP-TLS authentication protocol in order for the payloads of PPP frames to be encrypted. PPTP takes advantage of the underlying PPP encryption and encapsulates a previously encrypted PPP frame.
One caveat applies to that judgement: the MPPE keys are derived from the MS-CHAP v2 exchange, which is cryptographically weak (a captured exchange can be attacked offline to recover the user's NT hash, exposing both the tunnel and the domain credential). If PPTP is retained, EAP-TLS with certificates should be used in place of MS-CHAP v2; where the site equipment supports it, L2TP/IPsec or SSTP are the stronger choices.
The process for the encapsulation of these packets can be defined as follows:

An example (note 9) of how this encapsulation occurs is as follows:

The PPTP packet leaves the PE router and crosses the Internet to the VPN server, which decapsulates it and passes the inner packet to an internal router, giving site-to-site connectivity.
Note: no integrity check occurs (by default) on the connection from the Internet to the VPN server.
To deploy site-to-site VPN effectively, TFF needs to identify the hardware requirements for an operational connection. The minimum requirements are perimeter VPN firewalls at each site to terminate the tunnel, routers at each site that support the required routing policies, and a network connection that does not time out when sending packets site to site.
9 Refer to appendix for another example
Small Network Upgrade

Note: Firewall and Routers can be one device and function as both.

Defence In Depth
Defence in depth (also known as the castle approach) is an information assurance (IA) concept in which multiple layers of security controls are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event that a security control fails or a vulnerability is exploited; the layers cover personnel, procedural, technical and physical aspects for the duration of the system's life cycle. Security measures can be applied on 7 levels, as below:

Policies and Procedures

The outer layer of defence is based around awareness. By providing policies for user security (password rules, file passwords etc.) and making users aware of phishing links, spam e-mail and other attacks that rely on user input, TFF can considerably increase its security.
Physical
Physical security refers to access to internal infrastructure such as file servers, laptops and other devices. By ensuring that only relevant users have access to the hardware, data theft, corruption or network alterations are less likely to occur.
Perimeter
Perimeter security usually refers to firewall protection on perimeter networks. This has been covered in the Perimeter Designs section of this report.
Having a perimeter firewall and an internal firewall allows packets to be tested more than once, so that only requested data is able to enter the internal network. For more information on perimeter networks refer to https://technet.microsoft.com/en-us/library/cc700828.aspx.
Internal Network
Internal network security consists of firewalls, logging and auditing, encryption and packet filtering. This layer should be set up to prevent any unknown access to internal resources, and must be monitored in real time for maximum security.


Host
Host security can refer to many different technologies, such as firewalls, packet filtering and anti-virus software. At this level, HIPS (Host Intrusion Prevention Systems) should be applied (either directly from an enterprise solution or as a firewall option) to protect against programs that:

1. Take control of other programs, for example sending mail using the default mail client or sending your browser to a certain site to download more malware;
2. Try to change important registry keys so that the program starts at certain events;
3. End other programs, for example your virus scanner;
4. Install devices or drivers so that they get started before other programs; and
5. Interpose on memory access so that they can inject malicious code into a trusted program.

HIPS is a sub-category of IPS (Intrusion Prevention Systems) that monitors local events on systems (hosts) for suspicious activity, and then applies policies defined by the administrator, such as blocking changes to start-up entries.
HIPS is usually an option that can be enabled from an anti-virus solution, such as McAfee:

Further information can be accessed through the following resources:

http://en.wikipedia.org/wiki/Intrusion_prevention_system
http://www.techsupportalert.com/content/hips-explained.htm

Application
Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats. The application layer can consist of the following (note 10):

10 http://en.wikipedia.org/wiki/Application_security

To ensure there are no issues with application security, secure strategies (protocols such as HTTPS over HTTP, SSH over Telnet) and sufficiently hardened services must be applied. An application firewall is an example of a security measure that can be employed to ensure that unwanted data transfers/connections are denied and recorded. The application firewall rules can fall under the following:

These rules can be applied by source location, destination location, service, authentication and QoS.
By employing strict policies on this layer, the internal IT team can ensure both that malicious code from external sources does not get in and that, if malicious code is executed internally, its traffic is blocked at the client-edge firewall at each site.

Security Auditing
Security auditing should be applied for applications that create a denied connection, or receive a block on the firewall due to a protocol/destination request. By coupling this logging with the anti-virus log, system administrators are able to identify potential security threats to the system. The McAfee enterprise security suite features a next-generation firewall that assists with policy and protection, and maintains logs and events for system engineers to review.
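To make the auditing concrete, the following Python script is an added example (not the report's tooling and not McAfee's log format): it parses constructed syslog-style deny/allow records, summarises denied connections per source address, and flags sources that hit many distinct ports (a probable scan) or repeatedly hit one blocked service such as Telnet. The line format, addresses and thresholds are assumptions for illustration; in practice the parser would be adapted to the export format of the firewall in use.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log format (syslog-style, not any vendor's native format):
#   <timestamp> <firewall> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<fw>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample records (documentation address ranges, hypothetical host names).
SAMPLE_LOG = """\
2015-06-26T09:14:02 fw1 DENY TCP 198.51.100.7:51234 -> 10.128.15.10:21
2015-06-26T09:14:02 fw1 DENY TCP 198.51.100.7:51235 -> 10.128.15.10:22
2015-06-26T09:14:03 fw1 DENY TCP 198.51.100.7:51236 -> 10.128.15.10:23
2015-06-26T09:14:03 fw1 DENY TCP 198.51.100.7:51237 -> 10.128.15.10:25
2015-06-26T09:14:03 fw1 ALLOW TCP 198.51.100.7:51238 -> 10.128.15.10:443
2015-06-26T09:14:04 fw1 DENY TCP 198.51.100.7:51239 -> 10.128.15.10:3389
2015-06-26T09:20:11 fw1 DENY TCP 203.0.113.9:40001 -> 10.128.15.10:23
2015-06-26T09:21:15 fw1 DENY TCP 203.0.113.9:40002 -> 10.128.15.10:23
2015-06-26T09:22:19 fw1 DENY TCP 203.0.113.9:40003 -> 10.128.15.10:23
2015-06-26T09:30:00 fw1 DENY UDP 192.0.2.44:5353 -> 10.128.15.10:161
garbage line that should be skipped
"""


def parse_lines(text: str) -> List[dict]:
    """Parse the records that match LINE_RE; unparseable lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarise_denies(records: List[dict]) -> Dict[str, dict]:
    """Per source address: total denies, distinct (proto, port) targets, hits per target."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "ports": set(), "per_port": defaultdict(int)})
    for r in records:
        if r["action"] != "DENY":
            continue
        key = (r["proto"].lower(), int(r["dport"]))
        s = summary[r["src"]]
        s["count"] += 1
        s["ports"].add(key)
        s["per_port"][key] += 1
    return summary


def flag_sources(summary: Dict[str, dict], scan_ports: int = 5,
                 repeat_threshold: int = 3) -> List[Tuple[str, str]]:
    """Return (source, reason) findings in numeric address order."""
    findings = []
    for src in sorted(summary, key=lambda s: tuple(int(o) for o in s.split("."))):
        s = summary[src]
        if len(s["ports"]) >= scan_ports:
            findings.append((src, f"probable port scan: {len(s['ports'])} distinct ports denied"))
            continue  # a scanner's repeated hits are covered by the scan finding
        for (proto, port), hits in sorted(s["per_port"].items()):
            if hits >= repeat_threshold:
                findings.append((src, f"repeated denies to {proto}/{port} ({hits} hits)"))
    return findings


def review(text: str) -> List[Tuple[str, str]]:
    return flag_sources(summarise_denies(parse_lines(text)))


if __name__ == "__main__":
    for src, reason in review(SAMPLE_LOG):
        print(f"{src:15} {reason}")
```

Thresholds like five distinct ports or three repeats are starting points; the useful tuning step is to run the script over a week of real denies and raise the limits until the routine noise (vulnerability scanners the IT team runs itself, misconfigured printers) drops out.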

Risk Analysis
When it comes to internal network monitoring and risk analysis, critical IT services need to be identified. The key steps of a risk analysis can be identified as follows:
1. Plan and prepare the risk analysis.
2. Define and delimit the system and the scope of the analysis.
3. Identify hazards and potential hazardous events.
4. Determine the causes and frequency of each hazardous event.
5. Identify accident scenarios (i.e. event sequences) that may be initiated by each hazardous event.
6. Select relevant and typical accident scenarios.
7. Determine the consequences of each accident scenario.
8. Determine the frequency of each accident scenario.
9. Assess the uncertainty.
10. Establish and describe the risk picture.
11. Report the analysis.
12. Evaluate the risk against risk acceptance criteria.
13. Suggest and evaluate potential risk-reducing measures.
Figure 3: Bow-tie diagram of risk management
Some of the key risks associated with TFF are as follows:
1. Failed connection to the primary or secondary DC(s), and in turn to DHCP and DNS;
2. Failed connection(s) to the internal Exchange servers;
3. Failed connection(s) between the .15, .16, .17 and .18 site networks, limiting all internal traffic.
SkillageIT have identified all known risks to the customer in the cutover/migration of the network and have listed them in a separate document. The following management process was performed to define all risks and apply appropriate solutions:

Documentation
All documentation is to be housed on premises so that access can be granted to the relevant people. The following lists the documentation method for TFF.

Vendor Documentation
Documentation on the hardware (and/or software) used will be stored centrally to allow access. Documentation on known faults, updates and/or technical support forums should also be listed. For any relevant material found online, links should be kept for later review.

In House Documentation
Any information on the systems (roles, changes, hardware, configuration) should also be stored so that any member of the internal IT team (or relevant managers) has access to it. This document should contain the following information:
1. The purpose of the document and what it aims to cover;
2. History of changes/outdated information;
3. References to either users or material;
4. Clear information on the system (IP address, passwords etc.); and
5. Any known issues/changes relative to the previous document.

This information should be regularly reviewed to ensure that any member of the IT support team can administer changes to systems if needed.

Appendix
Server Requirements
According to Microsoft, the minimal hardware requirements for Windows Server 2008 are as follows:


Coupled with an SQL database, which requires the following hardware:

The System76 systems are custom built (overkill) in their hardware; this hardware is sufficient to host multiple virtual servers and can support growth of the company.


Site-To-Site VPN
Secondary example of how Site-To-Site VPN encapsulation and packet delivery occurs:

Appendix I Windows Server 2012 Key Features

With the release of Windows Server 2012, there were also major updates to the file system,
data retention and security. However, the three main benefits of the Microsoft server are as
follows:
Data Deduplication: Microsoft has refined its file system and compression techniques for
data storage. Data deduplication is what its name says: a technique to prevent data duplication. With
this technique implemented on file servers and other storage facilities, customers are able to
save storage space on their systems, not only improving indexing and general performance
but also saving money on storage requirements.
Hyper-V 3.0: Hyper-V (formerly referred to as Windows Server Virtualization) is a
virtualization client; it allows Windows to create virtual machines/environments. The
main benefit of Hyper-V is running a server centrally while allowing multiple guests to
connect remotely to the server, run applications and act as if they were logged into the PC directly.
Enabling a server that can run Hyper-V will cut the cost of purchasing multiple copies of
software, remove the need to purchase (and maintain) several physical server/client computers and also
allow for centralized security.
Server Management: Server Manager is a tool, introduced with Microsoft Server 2008, that
helps IT administrators set up and maintain servers in a friendly manner. A full guide to setting
up and using Server Manager can be found on the TechNet site (http://bit.ly/1zdYP4y).
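As an added example (not part of the original proposal), the following PowerShell turns on the first two features on a Windows Server 2012 host: Data Deduplication on the file share volume, excluding the SQL database files, and the Hyper-V role with one guest for the virtual servers the design calls for. The drive letters, the folder E:\SQLData, the adapter name "Ethernet" and the VM name and sizes are assumed values for illustration.

```powershell
# Added example, not the project's own script. Run in an elevated PowerShell
# session on the Windows Server 2012 host. Paths, names and sizes are assumptions.

# --- Data Deduplication on the file share volume (assumed E:) --------------
Install-WindowsFeature -Name FS-Data-Deduplication

Enable-DedupVolume -Volume "E:"

# Only optimise files untouched for 3 days, and keep dedup away from the live
# SQL database files and VM disks: dedup is not supported on open, constantly
# changing files, so exclude the assumed E:\SQLData folder and those extensions.
Set-DedupVolume -Volume "E:" `
    -MinimumFileAgeDays 3 `
    -ExcludeFolder "E:\SQLData" `
    -ExcludeFileType "mdf","ldf","vhdx"

# Run the first optimisation job now instead of waiting for the schedule, then
# record the savings so the figure can go into the In House documentation.
Start-DedupJob -Volume "E:" -Type Optimization -Wait
Get-DedupStatus -Volume "E:" |
    Select-Object Volume, SavedSpace, SavingsRate, OptimizedFilesCount

# --- Hyper-V host role and a first guest -----------------------------------
# The -Restart reboots the host; continue from the next line after it returns.
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -Restart

# External switch bound to the assumed "Ethernet" adapter; the host keeps its
# own connectivity through the same adapter.
New-VMSwitch -Name "Servers-vSwitch" -NetAdapterName "Ethernet" -AllowManagementOS $true

# One guest (assumed name TFF-FS01) with a fresh 80 GB disk on the assumed D: volume.
New-VM -Name "TFF-FS01" -MemoryStartupBytes 4GB `
    -NewVHDPath "D:\Hyper-V\TFF-FS01\TFF-FS01.vhdx" -NewVHDSizeBytes 80GB `
    -SwitchName "Servers-vSwitch"
Set-VMProcessor -VMName "TFF-FS01" -Count 2
Start-VM -Name "TFF-FS01"
```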

Assessment Rubric

Each criterion below is marked against the same five-level scale:

4 points - Candidate displays significant engagement with the learning materials, conveys an exemplary transfer of knowledge and skills gained
3 points - Candidate displays good engagement with the learning materials, conveys an accomplished transfer of knowledge and skills gained
2 points - Candidate displays engagement with the learning materials, conveys a developing transfer of knowledge and skills gained
1 point - Candidate displays poor engagement with the learning materials, conveys beginning level transfer of knowledge and skills gained
0 points - Candidate does not address any of the learning materials, conveys no transfer of knowledge and skills gained

Criteria:
Gather data to identify business requirements
Translate business needs into technical requirements
Acquire system components
Evaluate and negotiate vendor offerings
Match IT needs with the strategic direction of the enterprise
Configure an internet gateway
Identify best-fit topology for a wide area network
Create network documentation
Develop detailed technical design
Create technical documentation
Identify and resolve client IT problems
Support small scale IT projects
Develop and present feasibility reports
Identify and resolve client IT problems
Confirm system specifications
Design network diagrams and checklists
Contribute to development of program specifications
Prepare documentation for publication