Security policies and design.

User Generated


Computer Science


See attached files for question. Also, attached is the previous 2 assignments, Design Req. and LAN & VoIP word docs.

Unformatted Attachment Preview

Background Information for World-Wide Trading Company World-Wide Trading (WWTC) is a large online broker firm in the Hong Kong. The trading company has a staff of 9,000 who are scattered around the globe. Due to aggressive growth in business, they want to establish a regional office in New York City. They leased the entire floor of a building on Wall Street. You were hired as the director of the IT Department. The President of the company asked you to set up the state of the art network by end of this year. He shared with you the organizational structure and a list of the staff. You hired a consultant to test the network infrastructure and power requirement at WWTC office space. The consultant reported that the network infrastructure is solid and gigabit network can be set up on existing network wiring. Also, the existing power supply will meet their current and future demand. The President has reiterated these business goals. Business and Technical Goals ▪ ▪ ▪ ▪ ▪ ▪ ▪ Increase revenue from 10 billion to 40 billion in three to four years Reduce the operating cost from 30 to 15 percent in two to three years by using an automated system for buying and selling. Provide secure means of customer purchase and payment over Internet. Allow employee to attach their notebook computers to the WWTC network and Internet services. Provide state of the art VoIP and Data Network Provide faster Network services Provide fast and secure wireless services in the lobby and two large conference rooms (100x60) On the basis of these business goals, you prepared a RFP to solicit a proposal for designing and implementing a fast, reliable and secure network. The purpose of this Request for Proposal is to solicit from qualified vendors proposals for a secure and fast network to ensure proper operation of the network. To prepare a design for a state of the art network at the Wall Street location of World-Wide Trading. Propose a Network design that solves the current security audit problems (see security sections), to meet business and technical goals. Provide a modular, scalable and network. Provide redundancy at building core layer and building distribution layer and access layer and at workstation level to avoid failure at one point. For Building Access layer provide redundant uplinks connection to Building Distribution layer. Select appropriate Cisco switch model for each part of your enterprise campus model design from the Cisco Products Link, and use the following assumptions in your selection process. Selecting the Access layers switches: a. Provide one port to each device b. Make provision for 100% growth Server farm switches • Assume 6 NIC cards in each server and one NIC card uses one port of switch • Dual processors and dual power supply Propose an IP addressing redesign that optimizes IP addressing and IP routing (including the use of route summarization). Provide migration provision to IPv6 protocol in future. Propose a High Level security plans to secure key applications and servers but encryption of all application is not acceptable. Develop security policy to stop sniffing and man-in-the-middle attack. Your security plan must be based on current industry standards. Multilayer security or defense-in-depth. Integrate voice and data network to reduce cost. For dialing outside, the World-Wide Trading Company proposes a plan for 100% connectivity with a minimum number of outside lines. For telephone requirements, see the Organization Chart and Telephone Equipment Table. Provide aggregate routing protocols with hierarchal IP scheme. Centralize all services and servers to make the network easier to manage and more cost-effective. Provide LAN speed minimum 100 MB and Internet speed minimum 54 MB. Provide wireless network access to network users and guest users in limited area (Lobby and Conference room). In conference room and the lobby, the user will get a minimum 54 Mbps of bandwidth. (You can assume that site survey is done and no sources of interference or RF were discovered.) Provide provisions for video conference and multicast services. Standardize on TCP/IP protocols for the network. Macintoshes will be accessible only on guest notebook but must use TCP/IP protocols or the Apple Talk Filling Protocol (AFP) running on top of TCP. Provide extra capacity at switches so authorized users can attach their notebook PCs to the network Install DHCP software to support notebook PCs The World-Wide Trading Company will use the following applications: ▪ Microsoft Office 2014 ▪ Sending and receiving e-mail ▪ ▪ ▪ Surfing the Web using Netscape or Microsoft’s Internet Explorer applications to access information, participate in chat rooms, and use other typical Web services Accessing the library card-catalog File Server application. Associate will use the following Custom Applications ▪ Market Tracking Application. This application will provide real-time status of stock and bond market to brokers and their clients. ▪ Stock and Bond Analytical Application. This application will provide analysis of stock and Bond to Brokers only. ▪ On Line Trading. The Company wishes to train new clients in online trading to attract new customer. The Company will sign up new client to receive streaming video and instructions 2. Assume any information (with proper justification) which you think is missing and critical to the development of the design. WWTC Security: Although WTC has strong security requirements at other locations (see network diagram below), you will need to move to a significantly more secure network than WTC currently has available. At other places, lack of strong authentication, data confidentiality and separations between internal protected server and public server are principal areas that need to improve at this location. Audit results of other locations identified the following problems • E-mail had been inappropriately used at times to communicate Business sensitive information. • Confidential business information and public data were connected to the same physical network. • End users systems had inappropriately housed confidential data should have resided only on servers. In addition, some of the end-user systems were found to be laptops, which had left the facility in clear violation of security policies. • Some logical control systems were found to rely on username and password combinations only. • Some sensitive business information was found to be transmitted in clear text between server and client. In order to address these audit findings, you decided to firm up security policies in these areas. Internet Connectivity Internet connectivity and any other unclassified network must be physically separate from the network Classified Network The classified network must be physically secure to prevent any access to the classified network’s data. Control should be put in place to prevent local users from removing data from the systems in any way. This includes removable media, AV recorders, pen and paper, and any form of printer. All data transmitted on the classified network must be cryptographically protected throughout the network. All classified data must be centrally stored and secured in a physically separate area from the unclassified network. WAN Connectivity In addition to the cryptographic protections of the data within the classified network, all data crossing wide-area links should undergo another layer of cryptographic protection such as IPSec/VPN/SSL. Public Servers All public servers must configured HTTPS connections and accept all requests that are on valid IP addresses and pass through firewall. Server must ask some identity of the connecting party. Site-to-site VPN tunnels All devices must be mutually authenticated and cryptographic protection should be provided. PSTN dial-up Dial-up client must authenticate with username and OTP User Education All users should undergo periodic user awareness training program on network threats and good security practices. Deliverables These are only recommendations on the general approach you might take for this project. 1. 2. 3. 4. 5. 6. Determine the most important assets of the company, which must be protected Determine general security architecture for the company Develop a list of 12specific policies that could be applied. Write specific details along with the rationale for each policy Integrate and write up the final version of the Security Policy Document for submittal Develop a High availability secure design for this locations addressing above considerations and mitigating 4 primary networks attacks categories mentioned below. The Four Primary Attack Categories: • Reconnaissance attacks: An intruder attempts to discover and map systems, services, and vulnerabilities. • Access attacks: An intruder attacks networks and systems to retrieve data, or gain access, or escalate access privileges • Denial of Service attacks: An intruder attacks your network in a way that damages or corrupts your computer system or denies you and others access to your networks, system, or services. • Worms, viruses, and Trojan horses: Malicious software is inserted onto a host in order to damage a system, corrupt a system, replicate itself, or deny services or access to networks, system or services. The following are the guidelines for security policies. Security Policies: • • • • • • Policies defining acceptable use Policies governing connections to remote network Polices outlining the sensitivity level of the various types of information held within an organization Policies protecting the privacy of the network’s user and any customer data Policies defining security baselines to be met by devices before connecting them to the network. Creates a basis for legal action if necessary. The key components of security policies: • Statement of authority and scope: Define the name of security authority and areas cover under that statement • Identification and authentication policy • Create Network access policy: How the user will use the company’s data infrastructure • Remote access policy • Incident handling policy: This topic specifies how the company will create an incident response team and the procedure to be used during and after an incident WWTC Active Directory Design WWTC office at New York is largely autonomous and few IT personnel to take care of day-today IT support activities such as password resets troubleshoot virus problems. You are concerned about sensitive data store in this location. You want to deploy a highly developed OU structure to implement security policies uniformly through GPO automatically at all domains, OU, and workstations. At this location Windows Server 2014 is required providing the following AD features: • • • • • • • • • • Use BitLocker encryption technology for devices (server and Work station) disc space and volume. Enables a BitLocker system on a wired network to automatically unlock the system volume during boot (on capable Windows Server 2014 networks), reducing internal help desk call volumes for lost PINs. Create group policies settings to enforce that either Used Disk Space Only or Full Encryption is used when BitLocker is enabled on a drive. Enable BranchCache in Windows Server 2014 for substantial performance, manageability, scalability, and availability improvements Implement Cache Encryption to store encrypted data by default. This allows you to ensure data security without using drive encryption technologies. Implement Failover cluster services Implement File classification infrastructure feature to provide automatic classification process. IP Address Management (IPAM) is an entirely new feature in Windows Server 2012 that provides highly customizable administrative and monitoring capabilities for the IP address infrastructure on a corporate network. Smart cards and their associated personal identification numbers (PINs) are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, a user must have the smart card and know the PIN to gain access to network resources. Implement Windows Deployment Services to enables you to remotely deploy Windows operating systems. You can use it to set up new computers by using a network-based installation. Deliverables Deliverables • Create Active directory infrastructure to include recommended features • • Create OU level for users and devices in their respective OU Create Global, Universal, Local group.. Each global group will contain all users in the corresponding department. Membership in the universal group is restrictive and membership can be assigned on the basis of least privileged principle. (For design purpose, you can assume that WTC as a Single Forest with multiple domains). • Create appropriate GPO and GPO policies and determine where they will be applied. Reference: WWTC Organization Chart VP OPR, VP NW USA, VP SW USA, VP NE USA, VP SE USA, VP M USA Table:-1 Equipment Inventory Subnet Offices VP OPR VP OPR Office CEO IT CEO FIN CEO HR CEO IT’s Staff CEO FIN’s Staff CEO HR’s Staff VP NW USA, VP Office Manager 1 Telephone 2 2 2 2 2 2 2 Devices 1 1 1 1 1 1 1 Comment Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations 2 2 2 2 Work Stations Work Stations Manager 2 Broker 1 Broker 2 Broker 3 Broker 4 Staff 2 2 2 2 2 2 2 2 2 2 2 2 Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations VP SW USA VP SW Office Manager 1 Manager 2 Broker 1 Broker 2 Broker 3 Broker 4 Staff 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations VP NE USA VP NE Office Manager 1 Manager 2 Broker 1 Broker 2 Broker 3 Broker 4 Staff 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations VP SE USA VP SE Office Manager 1 Manager 2 Broker 1 Broker 2 Broker 3 Broker 4 Staff 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations VP M USA VP M Offices Manager 1 Manager 2 Broker 1 Broker 2 Broker 3 Broker 4 Staff 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations Work Stations Printer 20 Server 40 At various offices. Exact location to be determined. These does not include DNS, DHCP, Domain Controller. Need to be determined by designer Note: WWTC is opening an office only at New York location. Please do not confuse Office holder’s title (VP NW USA) with the location. WLC and AP ordering Guide Table 4. Ordering Information for Cisco Wireless LAN Controllers Product Features Customer Requirements Part Number Wireless LAN Controllers Cisco 4400 Series Wireless LAN • Modular support of 12, 25, 50, or 100 Cisco Aironet access points • The Cisco 4402 with 2 • For midsize to large deployments • High • AIR-WLC440212-K9 • AIR-WLC440225-K9 Controller Cisco 2100 Series Wireless LAN Controller Cisco Catalyst® 6500 Series /7600 Series Wireless Services Module (WiSM) Cisco Catalyst 3750G Integrated WLAN Controller Gigabit Ethernet ports supports configurations for 12, 25, and 50 access points • The Cisco 4404 with 4 Gigabit Ethernet ports supports configurations for 100 access points • IEEE 802.1D Spanning Tree Protocol for higher availability • IPSec encryption • Industrial-grade resistance to electromagnetic interferences (EMI) availability • AIR-WLC440250-K9 • AIR-WLC4404100-K9 See the Cisco Wireless LAN Controllers Data Sheet for more information. • Supports up to 6, 12 or 25 Cisco Aironet access points • Eight Ethernet ports, two of which can provide power directly to Cisco APs • Desk mountable • For retail, enterprise branch offices, or SMB deployments • AIR-WLC2106K9 • AIR-WLC2112K9 • AIR-WLC2125K9 See the Cisco 2106 Wireless LAN Controller Data Sheet for more information. • Wireless LAN Controller for Cisco Catalyst 6500 or Cisco 7600 Series Router • Supports 300 Cisco Aironet access points • IPSec encryption • Industrial-grade resistance to electromagnetic interferences (EMI) • Intrachassis and interchassis failover • Interoperable with Cisco Catalyst 6500 Series Firewall and IDS services modules • Embedded system for the Cisco Catalyst 6500 Series and Cisco 7600 Series Router infrastructure • For large-scale deployments • High availability • WS-SVC-WISM1-K9 • WS-SVC-WISM1-K9= (spare) See the Cisco Catalyst Wireless Services Module Data Sheet for more information. • Cisco Catalyst 3750G Series Switch with wireless LAN controller capabilities • Modular support of 25 or 50 Cisco Aironet access points per switch (and up to 200 access points per stack*) • IPSec encryption • Industrial-grade resistance to electromagnetic interferences (EMI) • For midsize to large deployments • High availability • WS-C3750G24WS-S25 • WS-C3750G24WS-S50 See the Cisco Catalyst 3750G Integrated Wireless LAN Controller Data Sheet for more information. Cisco Wireless LAN Controller Module for Cisco Integrated Services Routers • Wireless LAN controller integrated into Cisco integrated services routers • Supports 6, 8, 12, or 25 Cisco Aironet access points • Embedded system for Cisco 2800/3800 Series and Cisco 3700 Series routers • For retail, small to medium-sized deployments or branch offices • NME-AIR-WLC6K9 • NME-AIR-WLC6K9= (spare) • NME-AIR-WLC8K9 • NME-AIR-WLC8K9= (spare) • NME-AIRWLC12-K9 • NME-AIRWLC12-K9= (spare) • NME-AIRWLC25-K9 • NME-AIRWLC25-K9= (spare) See the Cisco WLAN Controller Modules Data Sheet for more information. Please refer to the Cisco Wireless LAN Controller Ordering Guide supplement to learn when to add the following SKUs to track the deployment of voice and context-aware mobility applications. Table 2. Cisco Aironet Indoor Rugged, Indoor, Wireless Mesh, and Outdoor Rugged Access Points Product Features Customer Requirements Part Number Indoor Rugged Access Points Cisco Aironet 1250 Series • Industry's first business-class access point based on the IEEE 802.11n draft 2.0 standard • Provides reliable and predictable WLAN coverage to improve the end-user experience for both existing 802.11a/b/g clients and new 802.11n clients • Offers combined data rates of up to 600 Mbps to meet the most rigorous bandwidth requirements • Designed for both office and challenging RF environments • Especially beneficial for environments with the following characteristics: • Challenging RF environments (for example, manufacturing plants, warehouses, clinical environments) • Bandwidth-intensive applications (for example, digital imaging, file transfers, network backup) • Real-time, latencysensitive applications such as voice and video Access point platform with preinstalled radio modules: • AIR-AP1252AGx-K9: 802.11a/g/ndraft 2.0 2.4/5-GHz Modular Autonomous Access Point; 6 RP-TNC • AIR-AP1252G-xK9: 802.11g/n-draft 2.0 2.4-GHz Modular Autonomous Access Point; 3 RP-TNC • AIR-LAP1252AG- Cisco Aironet 1240AG Series • Second-generation 802.11a/g dual-band indoor rugged access point • 2.4-GHz and 5-GHz antenna connectors for greater range or coverage versatility and more flexible installation options using the broad selection of Cisco antennas available • Need to support existing 802.11a/b/g and new 802.11n wireless clients x-K9: 802.11a/g/ndraft 2.0 2.4/5-GHz Modular Unified Access Point; 6 RPTNC • AIR-LAP1252Gx-K9: 802.11g/ndraft 2.0 2.4-GHz Modular Unified Access Point; 3 RPTNC See the Cisco Aironet 1250 Series Ordering Guide for more information. • Ideal for challenging indoor RF environments • Recommended for offices and similar environments • Ideal for deployments above suspended ceilings • Recommended for outdoors when deployed in a weatherproof NEMArated enclosure • AIR-AP1242AGx-K9: 802.11a/g Nonmodular Cisco IOS SoftwareBased Access Point; RP-TNC • AIR-LAP1242AGx-K9: 802.11a/g Nonmodular LWAPP Access Point; RP-TNC See the Cisco Aironet 1240AG Series 802.11a/b/g Data Sheet for more information. Indoor Access Points Cisco Aironet 1130AG Series Low-profile, enterpriseclass 802.11a/g access point with integrated antennas for easy deployment in offices and similar RF environments Ideal for offices and similar environments • AIR-AP1131AG*X-K9 See the Cisco Aironet 1130AG Series Ordering Guide for more information. Wireless Mesh Access Points Cisco Aironet 1520 Series • Next-generation outdoor wireless mesh access point • Integrated dual band 802.11 a/b/g radios, Ethernet, fiber and cable modem interface • Ideal for outdoors • Recommended for industrial deployments and local government, public safety, and transit agencies • AIR-LAP1522AGX*-K9: See the Cisco Aironet 1520 Series Lightweight Outdoor Mesh • Provides easy and flexible deployments for outdoor wireless network • Available in a lightweight version only Cisco Aironet 1500 Series • Mesh access point that enables cost-effective, scalable deployment of secure outdoor wireless LANs for metropolitan networks or enterprise campuses • Available in a lightweight version only Access Point Ordering Guide for more information. • Ideal for outdoors • Recommended for providing wireless services and applications to local government, public safety, and transit agencies • AIR-LAP1510AG*X-K9: • Cisco Aironet 1510AG Lightweight Outdoor Mesh Access Point, FCC configuration See the Cisco Aironet 1500 Series Ordering Guide for more information. • High-speed building-tobuilding or campus connectivity • Share LAN/Internet access between two or more sites • Fast installation • AIR-BR1410A*X-K9: With integrated antenna • AIR-BR1410A-AK9-N: With N-Type connector for use with external antennas See the Cisco Aironet 1400 Series Bridge Data Sheet for more information. Outdoor Rugged Access Points Cisco Aironet 1400 Series Cisco Aironet 1300 Series • High-speed, highperformance outdoor bridging solution for line-of-sight applications • Offers affordable alternative to leased-line services • Available in a standalone version only Outdoor access point/bridge offers high-speed and costeffective wireless connectivity between multiple fixed or mobile networks and clients Ideal for outdoor areas, network connections within a campus area, temporary networks for portable or military operations, or outdoor infrastructure for mobile networks ● AIR-BR1310G-XK9: With integrated antenna ● AIR-BR1310G-XK9-R: With RPTNC connector for use with external antennas ● AIR-BR1310G-AK9-T: For transportation applications See the Cisco Aironet 1300 Series Ordering Guide for more information. *X = regulatory domain (Source: Curtsy Cisco Web site _Brochure.html) WLC and AP Placement Templates Suggested Placement Table Wireless Network Building Access Point Wireless LAN Requirements Controller Requirements Building Lobby Cafeteria Conference room Suggested Product Table (WLC) WLC Cisco Part Number Cisco 2100 Series Wireless LAN Controller AIR-WLC2106-K9 Suggested Product Table (AP) AP Cisco Part Number Cisco Aironet 1250 Series AIR-AP1252AG-x-K9: 802.11a/g/n-draft 2.0 2.4/5-GHz Modular Autonomous Access Point; 6 RP-TNC Total AP Total WLC Quantity 2 Cost Quantity 20 Cost Security Policies and Network Security Design This section will specify organizational security policies, standards, procedures, and guidelines in compliance with the appropriate laws and regulations. This section will lay out network security design implementing organizational security policies in compliance with the appropriate laws and regulations Deliverables • Determine the most important assets of the company, which must be protected • Determine general security architecture for the company • Develop a list of 12specific policies that could be applied. • Write specific details along with the rationale for each policy • Review the written policies and select the 12 most important policies for inclusion in the Security Policy Document • Integrate and write up the final version of the Security Policy Document for submittal • Develop a High availability secure design for this locations addressing above considerations and mitigating 4 primary networks attacks categories mentioned below. • Write up specific role of devices will play in securing • Develop high level security diagram. Business Requirement Document for World-Wide Trading Company (WWTC). Description of change The need to create a regional office in New York City is a significant milestone for this company. It is therefore essential to develop a network that meets the requirements of the organization and stakeholders too. There is also the need to take into considerations proper and state of the art network design principles such as scalability, agility, resiliency, and integration. 1. Introduction 1.1 Purpose The purpose of this Business Requirement Document is to analyze the network design needs for the company. The design needs will significantly try and optimize business success and propose design methods that will significantly reduce cost and improve performance. 1.2 Scope This document covers requirements for LAN, Wireless, and VoIP design. It also stretches and looks at the security design considerations to be made. The Active Directory requirements will analyze design requirements during its design. 1.3 References References are drawn from the WWTC organization Chart. This document also took into considerations the set Business and technical goals set by the Company’s president and stakeholders. 2. Assumptions and constraints The WWTC infrastructure has in place a robust Gigabit network and a proper power supply that meets future demands. 3. Functional requirements 3.1 Context During the process of designing a new network infrastructure, it becomes essential to balance security issues with the desire for an accessible data and information access and retrieval. It is also crucial to enhance redundancy into the network in case of breakdown. Standardizing hardware and software also becomes an integral during design. 3.2 Major undertakings This plan describes how the LAN design and configurations to support the development of a better state of the art network. The LAN implementation tasks will include: 1. Equipment list for the network infrastructure 2. Identify the proper physical topology of the network 3. How to enhance redundancy in the network connections 4. IP addressing scheme 5. Security Technologies to be employed. 6. Router, Switch and VLAN configurations across the network 7. Setting Active Directory implementation tasks and policies 8. Setting up an Active Directory Forest Domain OU formation 3.2.1 Equipment List Our LAN design will compose of all the network devices that will be involved in the distribution, core and Access layers of our network. There is the need for a better switching configuration which will offer faster performance and also in a way promote scalability. At the highest level, edge routers will be used to reach the Internet Service Provider(ISP). Dedicated Firewalls will be used to filter traffic, block malicious attacks which would otherwise breach network security. The company will use Cisco as its device manufacturer. 3.2.2 Adopting a proper physical Topology WWTC will be operating on a mesh physical topology. The fact that the company will be communicating and sending data between the different offices in the United States using redundant Internet Service Provider Links calls for an EIGRP routing protocol. EIGRP is a distance protocol uses path cost as the metric. The shortest path to the given destination becomes the data path. 3.2.3 Redundancy in Network connections Dual switching will help us achieve network redundancy. Any host which has dual network cards will connect to two different switches. The switches at the core layer will also have two separate cable connections. By doing this, each switch will connect to two other switches which will significantly improve redundancy. 3.2.4 IP addressing scheme The company will have EIGRP (Extended Interior Gateway Protocol) configured across the network then TCP/IP will be the default routing protocol. 3.2.5 Security implementation The steps that need to be followed to enhance security across the network infrastructure include: I. Physical installation of Cisco ASA 5500 firewall II. Configuring the ASA 55500 firewall III. Setting up access to public server farm IV. Configure rules for Cisco Firewall V. Physical installation of Cisco IPS 4720 VI. Installing McAfee EPO VII. Installing and configuring Cisco Access Control Server VIII. Configuring VLAN and port security to devices IX. Configuring DHCP snooping on devices 3.2.5(i). Installing Cisco ASA 5500 firewall Our Cisco firewall will act as a security mechanism against the stated network threats. The firewall will be kept in an identified secure IT room. 3.2.5(ii). Configuring our ASA firewall We will use the GUI feature provided by the ASA firewall so that we can set it. An end machine(PC) will be connected to the ASA firewall using an Ethernet cable. In the PC's browser enter URL: which pops a setup wizard. In the main window that appears we need to make the following configurations: Hostname: WWTC_F1 Domain name: Administrative password: icub4ucmi IP addresses: Static routes:,, DHCP server: After making these configurations press finish When configuring the ASA firewall, we need to enhance strong authentication measures. A site to site tunnel will ensure that the client can run either on Secure Shell or IPsec Virtual Private Network. Only after Authentication will the users access the internal resources. 3.2.5(iii). Setting up access to public server farm The server farm is located in a Demilitarized Zone (DMZ) to provide access to the public server. This server provides services such as email once required by an outside user. The DMZ helps us cope and prevent any external attacks to our network infrastructure. 3.2.5(iv). configure rules for Cisco Firewall The following table summarizes the rules to be configured on our firewall to support our network needs. Table 1.1: ASA firewall configurations 3.2.5(v). Physical installation of Cisco IPS 4720 Cisco IPS 4720 adds an extra defense mechanism against Intrusion. It creates an Intrusion Prevention mechanism. Its location could be in one of the IT secure rooms. Network traffic will pass through the IPS and then forwarded for further firewall checks. When traffic passes through this device, firewall policies will be greatly applied, and incoming traffic will undergo a process of decryption. 3.2.5(vi). Installing McAfee EPO McAfee EPO has a server that helps us control against Host Intrusion. This server needs to be at an IT room that is secure. We are going to install two of the servers in the network infrastructure. The software will be installed on our windows 2008R2 server. After installation, a login panel will appear. In it, specify the User name, Password. All clients in our network should have this service installed. 3.2.5(vii). Installing and configuring Cisco Access Control Server The server will provide authentication. It verifies and also confirms the user's identity. The server uses advanced cryptographic techniques, for example, OTP and CHAP. The server will provide authentication and authorization techniques so that a user with more authorization privileges will have stronger authentication. The following steps illustrate how the to should be configured: I.) Add all network devices and create rules that deny access after certain Radius. Ii). Install all ACS license and system certificates while configuring password policies. 3.2.5(viii). Configuring VLAN and port security to devices So that we can ensure VLAN security, any unused port should not be left open. DTP (Dynamic Trunking Protocol) will also be off so that trunks ports are on a no-negotiate mode. See table 1.4 on VLAN configurations 3.2.5(ix)Configuring DHCP snooping on devices To provide additional security, we are going to enable DHCP snooping on devices. See table 1.3on switch configurations. 3.2.6. Router, Switch and VLAN configurations across the network This section will explain how the routers and switches configurations across the network infrastructure. Setting the devices will require a PC and a terminal such as Putty. The peripheral devices should be connected correctly to ensure success. The following table outlines the commands used to configure the routers. Table 1.1: Router configurations To assign IP addresses to our routers, consider the table below: Table 1.2: Router IP configurations To set the switch name and set security features, the following table shows the commands used: Table 1.3: Switch configurations The below table shows the VLAN configurations across the network: Table 1.4: VLAN configurations 3.2.7. DHCP and DNS Implementation and planning To meet our network needs, we are going to install and configure forward and reverse DNS zones. Whereas the reverse DNS zone resolves an IP address to a name, forward DNS zone will resolve a name to an IP address. The global catalog domain controller will be assigned an IP address for example and will be considered as a Start of Authority record. A hostname record IPv4 will translate a given name to an IP address. During our design, all DNS records will reside in an Active Directory. DHCP (Dynamic Host Configuration Protocol) will be used to assign IP addresses to any host in our network. A DHCP server located on a given Domain will be responsible for this process. Our server will also help assign network masks to the end devices. Our hosts will be configured to have a default-gateway of say The devices will also be assigned a default DNS1 entry of say The following table shows DHCP pools that our network requires: Table 1.5: DHCP pool configurations 3.2.7. Setting Active Directory implementation tasks and policies To improve reliability and security, WWTC is going to use Windows BitLocker Device encryption across the network. To achieve this, every employee in the company will have a separate pen-drive that will store the pin or Access key. Policies that control data access are going to be put in place so that employees do not take private data off-site. These policies are found under Computer Configuration| Administrative Templates| windows components| BitLocker Drive Encryption. ( Since WWTC will also be handling data from all regional offices, BranchCode, a technology to improve manageability will be applied. What BranchCode does is copy contents from WWTC regional offices servers to the New York offices where the contents are accessed using WAN. This will also greatly improve in bandwidth usage. To enable BranchCode in our network, we are going to design a group policy. 3.2.8. Setting up an Active Directory Forest Domain OU formation An OU structure will help to implement security through the use of Group Policy Object(GPO). The implementation will be done on the company's domain and Workstations. By doing this, all hosts on the network will belong to a particular area. References: Chabarek, Joseph, et al. "Power awareness in network design and routing." INFOCOM 2008. The 27th Conference on Computer Communications. IEEE. IEEE, 2008. Johnson, David S., Jan Karel Lenstra, and A. H. G. Kan. "The complexity of the network design problem." Networks 8.4 (1978): 279-285. 1. Introduction 1.1 Purpose This plan provides LAN and VoIP and wireless submittal requirements for the WWTC project. It gives a detailed list of the equipment required to create the state of the art Network for WWTC company. The plan also provides the proposed Network Diagram for the entire project. The later section of the document shows a detail of the Network IP scheme and VLAN configurations. 1.2 System Overview WWTC is in the process of creating a state of the art network. This network aims at improving the company revenue and also reduce costs. 1.3 Assumptions and constraints The network infrastructure in place is solid with Gigabit network support. WWTC’s existing power supply is also capable of supporting the network. 2. Tools Requirement For WWTC to build the required state of the art network, it requires different tools for the various installation tasks. The below table shows the Basic Tools needed: 2 LAN Implementation Having the set business goals and objectives, WWTC is going to develop a network that supports the needs of the business with the aim of increasing revenue while reducing operational costs. The design of such a network infrastructure requires the following implementation tasks: 1. Providing a LAN, VoIP, and wireless equipment 2. Providing a High-Level Diagram 3.Providing a Hierarchical IP scheme and VLAN 4.Router, Switch and VLAN configuration. 5. Implementing the VoIP Network 2.1 LAN, VoIP, and Wireless Equipment List An IT team put in place came up with a list of networking devices required in designing the network. The company ought to use Cisco as its device manufacturer. Each department will follow the same design process as illustrated in the VPOPR office to achieve consistency and also help during troubleshooting. The following table summarizes the list of devices they require: Table 1.1 LAN equipment list 2.2 LAN High-Level Diagram Our WWTC LAN design the WWTC LAN design have network devices in the core, distribution and access layers. Correct cabling will connect these devices. Edge routers used for Internet Service Provider connectivity are provided at a higher level. The following figure shows a high-level diagram for WWTC: Fig 1. High-Level Diagram 2.3 Providing a Hierarchical IP scheme and VLAN WWTC is going to employ an IPv4 addressing scheme configured on an EIGRP protocol. The switches will provide VLAN summarization points. It is worth noting that WWTC has two Internet Service Providers ISP1, ISP2. We will also employ TCP/IP Protocol stack as the default routing protocol. The figure below shows two routers CR1 and CR2 connected to our ISP’s and our core switches. All the departments will follow suit the same example. Fig 2.0 IPV4 Routing Configuration The following tables show an IP Hierarchical Scheme for WWTC. Each VLAN scheme will be designed to meet the requirements of the network. VLAN has been designed to meet the needs of a particular group. Having different VLANs enhances management and also promotes network security. Table 1.2: IP Hierarchical scheme 2.4. Router, Switch and VLAN configuration 2.4.1 Configuring Routers Router CR1 shows an example of how the routers need to be configured. Any other router in the WWTC network follow the same configurations. The figure below shows the configurations: Fig 1.3 IP addressing 2.4.2Configuring Switches To configure the switches, SW1 shows a configuration example. Any other switch that needs to be configured will follow the given an example. Fig1.4 Switch IP addressing 2.4.3 VoIP Network Design WWTC requires a state of the art VoIP network. Data traffic is isolated from voice traffic to prevent data traffic. WWTC VoIP traffic will be isolated from the data traffic. This will be accompanied by the creation of separate VLANs. VLAN 2 will be used as the data traffic VLAN, and VLAN 3 will carry the VoIP traffic to separate it from data traffic. All our offices will follow the same example. Dedicating VoIP to a VLAN will help IT, managers, to manage voice traffic easily. The following figure gives an illustration: Fig 1.2 VLAN Network During our design, an Internet Router/IP PBX will be configured to provide the following additional functionality: • Route Voice to head Traffic over our WAN Link. A backup PSTN will also be configured in case WAN link fails. • Will act as a DHCP server to the VLANs in our offices • Whenever calls go unanswered, it will provide a mail functionality. • The figure below shows a high-level diagram showing our VoIP Network: For us to create state of the art VoIP Network, we will follow some implementation tasks: 1. Provide a VoIP Network Equipment List 2. Provide a link Bandwidth for our VoIP design 3. Bandwidth, Speech Compression and Voice Quality 4. Provide a PSTN Network VoIP Network Equipment List The table shown below shows the equipment required to design WWTC VoIP network: Bandwidth, Speech Compression and Voice Quality A test was done using a fixed connection to help us calculate the required bandwidth to transmit our Voice Data and get quality results. VoIP Bandwidth consumption highly depends on the Codec being used. For us to design state of the art VoIP Network, Codec G.711 was used for Full Quality Audio and Codec G.729 was used for Compressed Audio transmission. WWTC Network designer estimated the Bandwidth utilization per call in our VoIP Network. The below example illustrates the calculations: Codec G.729a- 8 kbps packetization period, 10 ms sample periodic two frames/packet Ethernet Transmission media one packet sent per 20 ms which means 50 packets per second. Payload=8000/50=160 bits (20 octets) Fixed Ethernet Overhead=38 octets Fixed IP overhead=40 octets Bandwidth= (20+40+38) *50 Bandwidth=4750kbs Considering that our VoIP network have fourteen IP phones per department and seventy percent of them are busy, then; required Bandwidth= (70/100*14)*4750 required Bandwidth=46550 kbps required Bandwidth=46.550Mbps VoIP PSTN Integration Our VoIP network will be connected to the PSTN using an FXO gateway. The gateway will act as a bridge between WWTC VoIP network and the PSTN. The FXO gateway will convert all our voice traffic into the relevant form. To enable us to communicate to our various branch offices, we are going to configure a PSTN to VOIP gateway function. To allow this, we are going to route calls between PSTN and VoIP using SPA3102. Reference: Wang, Wei, Soung Chang Liew, and Victor OK Li. "Solutions to performance problems in VoIP over an 802.11 wireless LAN." IEEE transactions on vehicular technology 54.1 (2005): 366-384. Chabarek, Joseph, et al. "Power awareness in network design and routing." INFOCOM 2008. The 27th Conference on Computer Communications. IEEE. IEEE, 2008. Buddhikot, Milind M., et al. "Design and implementation of a WLAN/CDMA2000 interworking architecture." IEEE Communications Magazine 41.11 (2003): 90-100. WWTC New York Office 85' 9" 86' 0" 85' 9" 86'0" 11'0' 11' 01 VP NW VACANT VP SW VP NE VP SE Executive Assistan VP SE VP M 68' 0" 680" 3110 Conference Room President STAFF STAFF STAFF STAFF STAFF STAFF Love 王王主 エギ王 54' 0" -13' 6" -13' 6" 5'0" 5' 0"- FEITA Reception Reception 23' 0" -3' 11" 3' 11" BROKER BROKER BROKER BROKER BROKER IL 13' 6" 13' 6" 136" o OL 80' 9" 81'0" VACANT VACANT VACANT VACANT VACANT CEO IT CEO FIN CEO HR 68' 0" 680" 31' 0" VP OPR STAFF STAFF STAFF STAFF STAFF STAFF CONF RM + FË 54' 0" 13' 6" -13' 6" 5' 0" Reception Reception 23' 0" 09 6' 3 23' 0" 3' 11" -23'0" 3' 11" BROKER BROKER BROKER BROKER 13' 6" -13' 6" [[[[[[[ [LILLED 86'4" 81'0" 81' 0"
Purchase answer to see full attachment
User generated content is uploaded by users for the purposes of learning and should be used following Studypool's honor code & terms of service.

Explanation & Answer

Answer posted please confirm.Kindly go through the work and let me know in case of any question,problem or clarificationPlease contact me in case of anything unsatisfactory.If the work is okay,looking forward to work with you again.Thank you

[Student Name]
[Lecturer's Name]

Information sensitivity policy
This policy is intended to help employees to determine what information employees can access and
that information they cannot outside WWTC. This kind of information includes information in
electronic form, on paper or visually transmitted. Any question involving the use of any information
should be addressed to the Company manager whereas any issue about the guidelines should be
directed to the Information Security team.

All information belonging to WWTC is either Public or Confidential. WWTC public information is
any information is any information declared to be public by someone with the required authority.
Public information can be disclosed to anyone without any possible damage to WWTC.
On the other hand, confidential information encompasses any additional information. It includes
sensitive information that needs close protection. Examples of this information include personal
information and telephone directories.

The following guidelines explain how to protect Confidential and Public information.
Minimal Sensitivity:Includes general corporate information, personnel and technical information.
Access: WWTC employees, company contractors
Distribution within WWTC: Standard Mail and all approved electronic mail.

Distribution outside WWTC: Any approved electronic mail or file transmission method.
The penalty for disclosure: Criminal persecution to any WWTC employee who handles sensitive
information deliberately.
Any WWTC employee found to have violated this policy will be subject to criminal persecution
which may end up to termination of employment.

Password policy
The policy creates a standard towards the creation of unique, secure passwords and also monitor
their modifications.

This policy cuts across personnel who possess any account with WWTC or requires at a particular
time access to our system or network.

System level passwords. Should be changed on a quarterly basis. System level passwords includes
passwords for administration accounts
Production level passwords should in a way be part of Information Security administered global
password in the management database.
Users should change their User-level passwords every four months. User-level passwords include
desktop computer passwords and e-mail passwords.
All user-level passwords must adjust to the set guidelines.

All WWTC employees should use strong passwords. The following guides elaborate on how to
create passwords:

The password should be more than eight characters.

The password should not be a word in the dictionary

Contain both upper and lower case characters.

Be at least eight alphanumeric characters

Passwords should not be stored online


Awesome! Perfect study aid.