A Project Implementation Plan

This plan outlines the structure for how WWTC will integrate wireless devices, LAN, active directory, security policies, and configurations to achieve the desired state-of-the-art status in its New York office. The success of this strategy will depend on increasing WWTC's revenues while lowering the organization's overall spending levels. This deployment plan is based on the assumption that a gigabit network is already operational and that all wiring complies with the required standards. The implementation strategy also assumes that the New York office's power supply will be enough to meet its needs both now and in the future.


Milestones


Based on the assessment of the IT team, a proper timeline for project implementation was arrived at. In the plan, it is important to proceed with network installation in varied phases. The authorizing body at WWTC has decided to proceed with the implementation of the project based on the phase proposals presented in initial stages.


Contacts


Project Consultants


Project Customer


Mr. John Wriggler, Project manager


Telephone: 345-211-0002


Email: [email protected]


Mr. Steve Weimar, Project manager


Telephone: 345-211-789


Email: [email protected]


Mrs. Hillary Taylor, Chief Configuration Engineer


Telephone: 345-211-0002


Email: [email protected]


Mr. Frigg Jones: Project coordinator


Telephone: 345-211-0002


Email: [email protected]


Mr. Nelly Barkley, Chief Configuration Engineer


Telephone: 345-211-789


Email: [email protected]


Mrs. Margaret Schwartz: Project coordinator


Telephone: 345-211-789


Email: [email protected]


Key Tasks


The following are the key tasks whose implementation shall aid in driving the project:


Implementation of LAN


Security implementation


Implementation of active directory


Router configuration


Configuration of circuits and switches


Configuration of the VLAN


Security technologies


Formation of active directory forest domain


Formation of active group directory


Implementation of active directory GPO


Tools Required


The New York WWTC LAN has different installation tasks and calls for the adoption of varied tools. The table below gives a summary of the tools required for full installation of the WWTC network.


| Tool Number | Required Tools |
|---|---|
| 1 | Text editor, SCP server, a VT100 emulator PC, FTP server, TFTP server. |
| 2 | DB-9-RJ45/DB25 console port cable with a USB adapter |
| 3 | Standard mechanical tools like tape measures, screwdrivers, anti-static mats, pliers, ratchet drivers, multi meter tapes, a socket bit set and electric tape. |
| 4 | USB optical drive |
| 5 | Fiber optic installation kit |
| 6 | Laptop computer to act as the console terminal |
| 7 | Ethernet installation kit |
| 8 | Software drives and an operating system |
| 9 | USB thumb drive |
| 10 | Hyper terminal exe |


Activities


The project will be implemented in different phases. These include LAN, VOIP, security and wireless implementations.


LAN Implementation


For efficient deployment and implementation of the NY.WWTC.com infrastructure, there is need for proper documentation through thorough planning and careful thinking of the collective services among all stakeholders involved. The implementation plan for NY.WWTC local area network gives a description of how the accumulation of resources needed to meet these objectives will undergo configuration and transition into an operational IT network system with high levels of efficiency (Xu et al., 2016). For efficient and well-coordinated delivery of services, the following sequence details will be adopted to ensure that the specific hardware and software implementation of the LAN is achieved.


Provision of a high level network diagram


Provision of an IP scheme for the network address of intention


Proper identification of the equipment required for such a roll out


Identification of the desired topology for equipment connections


Proper description of redundant connections as a way of achieving 100% connectivity


Identification and adoption of security technologies


Adoption of active directory implementation tasks


Configuration of switches, routers and VLAN as a way of including wireless and voice


Configuration of VPN


Deployment and management of antiviruses


Planning and implementation of DHCP and DNS


Deployment and configuration of group and active directory policies


Formation of active directory group


LAN High Level Diagram and IP Scheme


The design for the WWTC LAN is made up of a series of networked switching devices, distribution and access layers, and network cabling. The WWTC network adopts a star topology as its model. The company’s IT staff will be trained on the switching configurations of the system to ensure that network performance is fast and that device management takes the company’s future growth plans into consideration. The approach adopted goes a long way in enhancing network performance while reducing unnecessary interconnection, leading to higher levels of scalability (Bassey, Ogbulezie & Effiom, 2016). WWTC’s topology will consist of a number of edge routers at a higher level to act as sources of Internet Service Provider connectivity. Access switches and routers will serve as sources of redundancy for this system, and intruders will be kept out through the adoption of firewall and intrusion prevention systems.


WWTC has adopted a full mesh topology in its operations. For instance, the New York regional office communicates with other offices including the Hong Kong headquarters using redundant ISP links. The New York WWTC office (NY.WWTC.com) adopts EIGRP as a routing protocol. Cisco (2011) defines EIGRP as “an enhanced vector protocol relying on Diffused Update Algorithm (DUAL) to calculate the shortest path to a destination within a network”. The New York office has adopted a full mesh architecture which plays a significant role in allowing for continuity in connections between all WWTC global locations.


To attain network device redundancy, the local area network design model adopted by WWTC makes use of a series of switches at each layer. All computers are installed with dual network cards connected to two switches. To ensure redundant cable connections, WWTC begins with all computers connected to the network. Apart from this, redundancy is arrived at through the network’s access and distribution layers by the use of cross-connected links. Such a measure ensures that an individual switch uses independent cable connections with two other switches.


Security Implementation


The table below gives a summary of the processes to be undertaken in security implementation for the WWTC’s New York office.


| Process # | Task |
|---|---|
| 1 | Physical installation of Cisco ASA 5500 firewall |
| 2 | ASA 5500 firewall configuration |
| 3 | IPSEC’s VPN configuration in ASA 5500 |
| 4 | Setting up of public access server farm in DMZ for ASA 5500 |
| 5 | Physical installation of Cisco IPS 4270 |
| 6 | Inline mode configuration of IPS 4270 between the WWTC and ASA 5500 networks |
| 7 | Installation and configuration of McAfee EPO |
| 8 | Installation and configuration of McAfee E-Policy Orchestrator |
| 9 | Installation and configuration of Cisco Access Control Servers |
| 10 | KG-175D installation and configuration |
| 11 | Security configuration of the VLAN on network devices |
| 12 | Configuration of Port security |
| 13 | Configuration and snooping of the DHCP on selected network devices |


Physical Installation of Cisco ASA 5500 Firewall


The Cisco firewall device will be installed in an unclassified IT closet. This will be done after ensuring that the closet is in package. A notebook will then be connected to an Ethernet cable then configured with DHCP.


Configuration of ASA 5500 Firewall


A setup wizard will be used in configuring both basic and advanced features through a user interface. The user interface enables the person installing to manage the ASA from any point through web browsers.


The steps below will be followed for effective configuration and installation:


On a PC connected to the ASA, open a web browser


Enter the URL https://192.168.1.1/admin in the address field


Click Run Startup Wizard. The startup wizard opens once the ASDM window appears


Use the configurations below


Hostname: WWTC_NYFW_01


Domain name: NY.WWTC.com


Password: letmein


IP address: 192.168.23.191/195


DHCP server: 192.168.20.189


Static route 192.168.20.0, 192.168.21.0 and 192.168.22.0


Accessing the Public Server Farm Setup (DMZ ASA 5500)


The DMZ of NY.WWTC.com holds the public servers, kept apart from the organization’s internal network, that provide email and web access and must always be available to external users. Placing the public servers in the DMZ secures the NY.WWTC.com network against external attacks.


IPSEC Configuration of the VPN in ASA 5500


The following steps will be followed in IPSEC configuration.


Configuration of the site-to-site VPN wizard. This will be achieved through creation of an IPsec site-to-site tunnel between the two ASAs to enable clients to run either the IPsec IKEv2 VPN or the SSL protocols.


Access of portal pages after authentication for specified resources with internal support. Access to resources by users will be provided by the organization’s IT team on a departmental basis. In this case, ACLs will be embraced to allow or restrict access to the organization’s resources.


The IPsec remote access VPN wizard will be used in the configuration of VPN remote access for all IPsec Cisco clients.


Physical Installation of Cisco IPS 4270


The Cisco IPS 4270 will be installed in the unclassified IT closet to act as the intrusion prevention system. Traffic will be forwarded to the firewall checks via the IPS. The IPS shall take an inline mode with the firewall based on the order of traffic highlighted below:


Traffic entry into IPS


Security policies applied by the IPS to the traffic


Traffic takes action


Traffic entry into the ASA


Application of firewall policies


Decryption of incoming traffic


Encryption of outgoing VPN network


IPS configuration for “inline mode” between the WWTC network and ASA 5500


The figure below shows how the IPS inline mode will function


Figure 1: IPS inline mode


In this process;


All connections will be accomplished by the use of CAT 5e/6 certified connections


Configuration of interfaces will be done in such a way that they are in line with the interfaces of the appliances used to enable negotiations of the auto/audio and speed/ duplex


Spanning tree forward delays will be cut down by enabling PortFast on connected switch ports.


Installation of the McAfee E-Policy Orchestrator


The McAfee EPO server will be adopted as a source of antivirus as well as a Host Intrusion Prevention (HIP) measure to all domains of the NY.WWTC.com host system.


For proper configuration, a 2008R2 Server/64 bit will be used in the installation of the McAfee EPO software. The IP of the server will then be configured for 192.168.22.10 on the classified and unclassified servers. All client systems availed in the NY.WWTC.com domain will then be deployed with the McAfee agent which will install a Virus Scan Enterprise (VSE) and a system to aid in Host Intrusion Prevention (HIP).


Installation and Configuration of Cisco Access Control Server (ACS)


An unclassified IT closet will be used to house the ACS. For confirmation of user identity, authentication will be required. While traditional methods of authentication make use of user names and fixed passwords to confirm identification, the system will apply cryptographic techniques which are looked at as being more secure. The ACS applied boasts of its ability to support a wide range of cryptographic authentication methods like Challenge-Handshake Authentication Protocol (CHAP), advanced EAP based protocols and OTP (Durai, Lynn, & Srivastava, 2016). Further, the system will be set in such a way that it allows the existence of a more explicit relationship between the processes of authentication and authorization. This is done with the belief that stronger authentication will be achieved through granting more authorization privileges to system users. The ACS system upholds this through providing for varied means of authentication. First, network devices and users can be added through creation of authorization rules to allow or deny user access by applying RADIUS authentication. Sukhov, Sagatov, & Baskakov (2014) explain that 1812 is the port number for RADIUS authentication. Second, an ACS license and system certificates can be installed, then password policy rules configured for users and administrators.


Installation and Configuration of KG-175


The KG-175 will act as a TACLANE that applies communication security to aid in separating unclassified data from classified data. This is a two-phase process which starts with installing the KG-175D, followed by its configuration for separation as elaborated below


Phase 1: physical installation of KG-175


Earth the system on the ground by attaching a wire


The nut from the GND binding post assembled in the TACLANE should then be extracted as required


Power off TACLANE


In the standard 110 VAC power outlet, plug in a power supply cable


Connect an Ethernet cable to the CT RJ-45 jack located on the TACLANE


Phase 2: Configuration of KG-175


The ASA 5500 should be configured halfway along the path of the communicating TACLANE to enable the passing of SDD, ESP and IKE


Insert the CIK


Power on the TACLANE


VLAN Configuration on Security Network Devices


All ports that are not in use will be placed in a black hole VLAN. Isolating these ports disables any trunking. Further, the Dynamic Trunking Protocol (DTP) will be switched off as a way of dealing with automated negotiation of the trunking mode. This will only allow for manual configuration of trunking ports. The command to be applied on the interface is “(config-if)# switchport nonegotiate”.


Configuration of Port Security on Network Devices


To control the number of MAC addresses able to send data on the ports they are directly connected to, port security is enabled. This limits the extent to which unauthorized MAC addresses can access the network. The command (config-if)# switchport port-security will be used on the interface. As a way of shutting down the port on any unauthorized access, the command will be (config-if)# switchport port-security violation shutdown.
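
The switch-port controls described in the two sections above (black hole VLAN for unused ports, DTP switched off, port security with shutdown on violation) can be checked against a saved switch configuration. The Python audit below is an added example, not part of the original plan; the sample configuration is constructed, and VLAN 999 as the black hole VLAN and the "description unused" label are assumptions.

```python
import re

# Constructed sample (not from the plan); VLAN 999 and the "unused" label are assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet0/3
 description unused
 switchport mode access
 switchport access vlan 1
!
interface GigabitEthernet0/4
 description unused
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport nonegotiate
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit(config, blackhole_vlan=999):
    """Return (interface, finding) pairs for the plan's switch-port controls."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport nonegotiate" not in cmds:
            findings.append((name, "DTP negotiation still enabled"))
        if "description unused" in cmds:
            if f"switchport access vlan {blackhole_vlan}" not in cmds:
                findings.append((name, "unused port outside black hole VLAN"))
        elif "switchport mode access" in cmds:
            if "switchport port-security" not in cmds:
                findings.append((name, "port security not enabled"))
            # shutdown is the default action and is omitted from running-config
            mode = re.search(r"port-security violation (\S+)", "\n".join(cmds))
            if mode and mode.group(1) != "shutdown":
                findings.append((name, f"violation mode is {mode.group(1)}"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Because `violation shutdown` is the IOS default and does not appear in the running configuration, the audit flags only an explicit `protect` or `restrict` mode, not the absence of the line.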


Creation of the Forest Root; WWTC.com


The following steps will be followed in creating a parent domain:


Step 1: Enabling advanced features of Windows Server 2012 R2 AD DS


This will be achieved through raising the system’s domain as well as forest functional levels. These functional levels will be raised while running an Active Directory Domain Services Installation Wizard or Dcpromo.exe (Hannah & Behl, 2016).


Step 2: Creation of a forest root domain


Taking into consideration the fact that WWTC’s office in Hong Kong has already adopted the WWTC.com domain, it will be easy to create a root domain in the NY office. The Hong Kong office has installed Active Directory Domain Services (AD DS) into their domain through the Windows Server 2012 R2 Server Manager. AD DS installation is achieved using an “Add roles and features” wizard which systematically adds the features required for an efficient directory. The Server Manager will then alert the administrator to the need for post-deployment actions. Based on the procedure followed by the Hong Kong office, the following steps will be followed to come up with a child domain in New York.


Deployment of the first controller in New York


Installation of AD DS by running the active Domain Services Installation Wizard


Addition of a new domain to the forest in existence


Configuration of Routers


Taking into consideration the fact that the routers contain default configurations from Cisco since it will be the first time they are accessed, it is important to align them with the operations of WWTC. The routers hold the Internetwork Operating System (IOS), proprietary software which needs to be handled by WWTC’s IT team before any modification is done. The commands below will be used in assigning IP addresses to interfaces as well as login banners:


| Step | Screen display | Command(s) |
|---|---|---|
| 1 | CR1(config)# | Insert ip domain name NY.WWTC.com |
| 2 | CR1(config)# | Insert router eigrp 1 |
| 3 | CR1(config-router)# | Insert no auto-summary |
| 4 | CR1(config-if)# | Insert interface Gi0/1 |
| 5 | CR1(config-if)# | Insert ip address 192.168.23.205 255.255.255.0 |
| 6 | CR1(config-if)# | Insert no shut |
| 7 | CR1(config-if)# | Insert interface Gi0/1 |
| 8 | CR1(config-if)# | Insert ip address 192.168.23.205 255.255.255.0 |
| 9 | CR1(config-if)# | Insert no shut |
| 10 | CR1(config-if)# | Insert interface Gi0/1 |
| 11 | CR1(config-if)# | Insert ip address 192.168.23.205 255.255.255.0 |
| 12 | CR1(config-if)# | Insert no shut, then insert exit |
| 13 | CR1(config)# | Insert banner motd # (the terminal displays: Enter TEXT message. The person entering should End with the character #) |
| 14 | CR1(config)# | Insert exit |
| 15 | CR1# | Insert copy run start |


Use normal shutdown procedures to power off the laptop then remove its console cable and assemble the CR1 router console.


Generally, all WWTC.com computers will be of a single domain. The domain will be created bearing in mind the local resources’ physical location. While Hong Kong users will be categorized under WWTC.com, those in New York will belong to NY.WWTC.com. The office in New York will establish OUs to monitor its logical structure and operations. The figure below shows NY.WWTC office structure:


Budgets/Resources


| WWTC Equipment | QTY | Unit Cost ($) | Total cost ($) |
|---|---|---|---|
| LAN Section | | | |
| Laptops (for brokers) | 20 | 900 | 18,000 |
| Docking stations (brokers) | 20 | 900 | 18,000 |
| Monitors | 80 | 150 | 12,000 |
| Company printers | 20 | 300 | 600 |
| Storage area network (SAN) | 1 | 50 | 50 |
| Servers | 8 | 5,000 | 40,000 |
| Access layer switches | 3 | 4,000 | 12,000 |
| Distribution layer switches | 3 | 50,000 | 150,000 |
| Core layer routers | 3 | 12,000 | 36,000 |
| Core layer firewall | 3 | 5,000 | 15,000 |
| Cisco intrusion prevention sensor | 4 | 5,000 | 20,000 |
| Cisco access control system | 2 | 500 | 1,000 |
| Polycom speaker phones | 3 | 400 | 1,200 |
| Suite entry security system | 4 | 100 | 400 |
| Facility video monitoring system | 3 | 100 | 300 |
| Server backup battery power | 3 | 5,000 | 15,000 |
| Server cabinets | 10 | 5,500 | 55,000 |
| Microsoft Office 2017 | 80 | 150 | 12,000 |
| Microsoft Exchange CAIs | 80 | 150 | 12,000 |
| McAfee Antivirus | 150 | 200 | 30,000 |
| Total Cost | | | 448,550 |
| Classified Network | | | |
| Computer workstations | 3 | 700 | 2,100 |
| Monitors | 3 | 150 | 450 |
| Servers | 3 | 5,000 | 15,000 |
| Access layer switches | 2 | 4,000 | 8,000 |
| Distribution layer switches | 2 | 50,000 | 100,000 |
| Core layer routers | 2 | 12,000 | 24,000 |
| Intrusion prevention sensor | 2 | 5,000 | 10,000 |
| IP encryptor | 2 | 2,500 | 5,000 |
| Suite entry security system | 2 | 100 | 200 |
| Total cost | | | 154,750 |
| Wireless Equipment | | | |
| Cisco wireless access points (1250) series | 8 | 250 | 2,000 |
| Cisco WLAN 4404 Series controller | 2 | 8,000 | 16,000 |
| Total cost | | | 18,000 |
| VoIP Equipment | | | |
| Cisco 7912 IP phone | 100 | 60 | 6,000 |
| Cisco unified communication 500 | 1 | 2,000 | 2,000 |
| Cisco VG350 144 FXS bundle | 1 | 25,000 | 25,000 |
| Total cost | | | 43,000 |
| Overall Total Cost | | | 664,300 |


Deliverables Schedule/Timeline


| Completed | Project Milestone |
|---|---|
| January 12 | Identification of business and design requirements. |
| February 2 | Wireless, LAN and VoIP preliminary design and submission to the client for review |
| February 19 | Modification of VoIP, LAN and Wireless designs based on the client’s remarks. |
| February 24 | Submission of preliminary security design to the client for review. |
| February 26 | Modification of the security design based on the client’s remarks. |
| March 2 | Submission of preliminary active directory design to the client for review. |
| March 4 | Modification of preliminary active directory design based on the demands of the client. |
| March 8 | Final design and submission of VoIP, Wireless, LAN and Active directory to the client for review. |


References


Bassey, D. E., Ogbulezie, J. C., & Effiom, E. O. (2016). Local Area Network (LAN) mock-up and the prevention of cybernetics related crimes in Nigermills Company using Firewall Security Device. International Journal of Scientific & Engineering Research, 7(3), 1124-1130.


Cisco. (2011). Wireless LAN design guide for high density client environments in higher education. Retrieved from http://www.cisco.com/c/dam/en_us/solutions/industries/docs/education/cisco_wlan_design_guie.pdf


Durai, A., Lynn, S., & Srivastava, A. (2016). Virtual routing in the cloud. Cisco Press.


Hannah, W. A., & Behl, A. (2016). Implementing Cisco IP telephony and video, Part 2 (CIPTV2) Foundation Learning Guide (CCNP Collaboration Exam 300-075 CIPTV2). Cisco Press.


Sukhov, A. M., Sagatov, E. S., & Baskakov, A. V. (2014, November). Analysis of Internet service user audiences for network security problems. In Telecommunication Technologies (ISTT), 2014 IEEE 2nd International Symposium on (pp. 214-219). IEEE.


Xu, Z., Mei, L., Liu, Y., Hu, C., & Chen, L. (2016). Semantic enhanced cloud environment for surveillance data management using video structural description. Computing. Archives for Informatics and Numerical Computation, 98(1-2), 35.
