
StuDocu is not sponsored or endorsed by any college or university

Network Design Proposal Part 3

Fundamentals of Networking (University of Maryland University College)


Downloaded by Davidjh15 ([email protected])

lOMoARcPSD|3241324

Network Design Proposal: Network Customization & Optimization (Part 3)

Prepared for:

University of Maryland University College

Prepared by:

Kellie Keiser


A.) Identify Network Services

The University needs to function like a well-oiled machine, and implementing the right network services helps make that possible. To fully realize a client-server network model, servers must be deployed so that the client (the user) can reach the services they need on the network. The main services UMUC requires are email, internet access, and file and print sharing. [1]

An email server sends and receives email. Microsoft Exchange Server works with Microsoft Outlook, the client software that comes with Microsoft Office. A mail server also provides collaboration features that allow faculty to create tasks and meetings from the calendar portion of the software. Video and audio conferencing and instant messaging (IM) are delivered by a separate Microsoft unified-communications product that integrates with Exchange, not by Exchange itself. A web server is a server running software that allows it to host web pages; one of the most popular web servers today is Apache, which will be used for the University. One of the most important functions of a server operating system is sharing resources between users. A file server is a computer dedicated to centralized file storage, with the ability to share files between computers and other devices on the network. A print server is a computer dedicated to sharing printers on the network: its sole purpose is to collect the documents users send to a printer, queue them, and hand each one to the printer, which prints it. [2]

B.) Additional Servers or Network Devices

In addition to email, internet access, and file and print servers, UMUC will also require a directory service, a Domain Controller, and a DHCP server. A directory service stores user and computer accounts and their access privileges on the domain controller (DC). It is used to authenticate and authorize users so they can securely access network services and applications. [3] Microsoft Active Directory Domain Services (AD DS) is included with Windows Server 2016 and will be used for the UMUC network. AD DS is installed on a domain controller, which authenticates users, controls access to resources on the network, and enforces security policies; software installation and updates for domain-joined computers are pushed through Group Policy, which depends on AD DS rather than being part of it. [4] A separate server will be dedicated to the Domain Controller (DC). Once a static IP address is configured on the DC, DNS must be configured; once the DC and DNS are in place, the DHCP role should be set up and its scopes configured. [5]


The DHCP (Dynamic Host Configuration Protocol) server automatically supplies TCP/IP settings (IP address, subnet mask, default gateway, and DNS server addresses) to each computer or device on the network. It also keeps track of which IP addresses are already leased so that two clients never receive the same address. [2] The DHCP server role is included with Windows Server 2016 and will be used for the UMUC network. In an Active Directory domain a Windows DHCP server must be authorized in AD DS before it will lease addresses; this stops an unauthorized Windows DHCP server from serving clients, but it does not stop a non-Windows rogue DHCP server, which is handled by enabling DHCP snooping on the access switches.
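The DC, DNS, then DHCP build order described above, as an added PowerShell example (this is not from the original proposal or from the cited ProTechGurus guide). It assumes a fresh Windows Server 2016 host with interface alias "Ethernet", the domain name umuc.local, a DC address of 10.10.1.10/24, a router at 10.10.1.1, and a single client scope on 10.10.1.0/24; all of these are placeholders to be replaced with the real addressing plan.

```powershell
# Added example: DC -> DNS -> DHCP on Windows Server 2016. All names and addresses are assumptions.

# 1. Static IP on the future DC. A domain controller must never be a DHCP client.
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 10.10.1.10 -PrefixLength 24 -DefaultGateway 10.10.1.1
# The DC resolves against itself once the DNS role exists (Install-ADDSForest also adjusts this).
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.10.1.10, 127.0.0.1

# 2. Install the AD DS, DNS and DHCP roles together with their management tools.
Install-WindowsFeature -Name AD-Domain-Services, DNS, DHCP -IncludeManagementTools

# 3. Promote the server to the first DC of a new forest. -InstallDns creates the
#    AD-integrated forward zone. The DSRM password is prompted for, never hard-coded.
Install-ADDSForest -DomainName "umuc.local" -DomainNetbiosName "UMUC" -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") -Force
# The server reboots here; continue after logging back in as a domain administrator.

# 4. DNS: add a reverse lookup zone replicated to every DNS-enabled DC in the forest, and
#    send internet queries to the router's resolver instead of relying on root hints.
Add-DnsServerPrimaryZone -NetworkId "10.10.1.0/24" -ReplicationScope "Forest"
Add-DnsServerForwarder -IPAddress 10.10.1.1

# 5. DHCP: authorize the server in AD DS (an unauthorized Windows DHCP server will not lease),
#    create the campus scope, and exclude the range reserved for statically addressed gear.
Add-DhcpServerInDC -DnsName "dc1.umuc.local" -IPAddress 10.10.1.10
Add-DhcpServerv4Scope -Name "Campus LAN" -StartRange 10.10.1.1 -EndRange 10.10.1.254 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 1) -State Active
Add-DhcpServerv4ExclusionRange -ScopeId 10.10.1.0 -StartRange 10.10.1.1 -EndRange 10.10.1.49
Set-DhcpServerv4OptionValue -ScopeId 10.10.1.0 -Router 10.10.1.1 -DnsServer 10.10.1.10 -DnsDomain "umuc.local"

# 6. Verify: clients locate a DC through this SRV record, and the scope must show Active.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.umuc.local" -Type SRV -Server 10.10.1.10
Get-DhcpServerv4Scope | Format-Table ScopeId, Name, State, StartRange, EndRange
```

The SRV lookup in step 6 is the check that matters most: if it fails, domain joins and logons will fail even though the DHCP scope hands out addresses correctly.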

C.) Security Measures

Security measures start with the user. User accounts are granted access to specific network resources by the system administrator and are secured with a password, so making sure those accounts have strong passwords by enforcing a password policy is a top priority for network security. [2] Students logging into the network will use single-factor authentication: a username and password. A log-in pass phrase is still "something you know", so requiring one in addition does not add a second factor. Faculty will be required to present two authentication types: type 1 (something you know) and type 2 (something you have). Type 1 is a password or pass phrase, or cognitive information such as a mother's maiden name or the city of birth. Faculty members will enter a password to log onto the network just like the students. In addition, they will use a type 2 credential, an access card, to enter the building during "off" hours (8 pm through 8 am) and to enter their offices. [1] The access card is a physical access control: it protects the building and the offices, but the network logon itself remains password-only unless a second factor such as a smart card or a one-time code is also required at logon. Passwords must be strong, which requires enforcing strict guidelines: each password must be at least 8 characters long (12 or more is preferred, and length should never be capped) and contain upper- and lowercase letters, at least one number, and at least one symbol. Passwords must be changed every 90 days, and a user cannot reuse the same password within a year. Current NIST guidance (SP 800-63B) favours length and screening new passwords against lists of known-breached passwords over mandatory periodic rotation, so the 90-day rule should be revisited once breached-password screening is in place.
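The password rules above, expressed as an Active Directory configuration (an added example, not part of the original proposal). It assumes the domain umuc.local and an existing security group named "Faculty"; it applies the general policy domain-wide and a stricter fine-grained policy to faculty accounts.

```powershell
# Added example: enforce the proposal's password policy in AD DS. Domain and group names are assumptions.
Import-Module ActiveDirectory

# Domain default policy: applies to students and every account not covered by a fine-grained policy.
$default = @{
    Identity                    = 'umuc.local'
    MinPasswordLength           = 8        # AD enforces a minimum only; there is no way, and no reason, to cap length at 12
    ComplexityEnabled           = $true    # Windows complexity = 3 of 5 classes (upper, lower, digit, symbol, Unicode);
                                           # requiring all four classes needs a password filter or a third-party product
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    MinPasswordAge              = (New-TimeSpan -Days 1)   # stops a user cycling through the history in one sitting
    PasswordHistoryCount        = 4        # 4 passwords x 90 days = no reuse within a year
    LockoutThreshold            = 10
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false   # never store recoverable passwords
}
Set-ADDefaultDomainPasswordPolicy @default

# Fine-grained policy for faculty: longer passwords and a tighter lockout, applied by group membership.
$faculty = @{
    Name                        = 'Faculty-PSO'
    Precedence                  = 10       # lower number wins if a user falls under several policies
    MinPasswordLength           = 12
    ComplexityEnabled           = $true
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    PasswordHistoryCount        = 4
    LockoutThreshold            = 5
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false
}
New-ADFineGrainedPasswordPolicy @faculty
Add-ADFineGrainedPasswordPolicySubject -Identity 'Faculty-PSO' -Subjects 'Faculty'

# Verify: the resultant policy for one faculty account (assumed sAMAccountName) and the domain default.
Get-ADUserResultantPasswordPolicy -Identity 'kkeiser'
Get-ADDefaultDomainPasswordPolicy -Identity 'umuc.local'
```

Get-ADUserResultantPasswordPolicy is the check to run after any change: it reports the policy an account actually receives, which is the only way to confirm that the fine-grained policy, not the domain default, is what applies to faculty.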

In addition to strong authentication, a vulnerability scanner must be purchased and deployed on the network and run by the network administrator weekly. A vulnerability scan looks for weaknesses such as open ports, active IP addresses, running applications or services, missing critical patches across all platforms, user accounts that have not been disabled, default or blank passwords, misconfigurations, and missing security controls. Since all the computers run Microsoft Windows, the Microsoft Baseline Security Analyzer (MBSA) will be downloaded. [1] MBSA is a free Microsoft tool that checks patch status and common misconfigurations on Windows hosts, but Microsoft no longer maintains it, so it should be treated as a supplement to a supported scanner rather than the only one.
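The categories the scan paragraph lists (stale accounts, blank or never-expiring passwords, missing patches, open ports, active addresses) can be checked from PowerShell between scanner runs, or used to confirm a scanner's findings. This is an added example, not from the original proposal or from MBSA; it assumes a domain-joined administrative workstation with the RSAT modules installed, the domain umuc.local, the scope 10.10.1.0, and an allow-list of listening ports that is itself an assumption to be adjusted per host role.

```powershell
# Added example: PowerShell checks for the weaknesses a vulnerability scan looks for. All names are assumptions.
Import-Module ActiveDirectory

# 1. Accounts that should have been disabled: still enabled but no logon in 90 days (or never).
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object Enabled |
    Select-Object SamAccountName, LastLogonDate

# 2. Blank or default passwords: PasswordNotRequired lets an account keep an empty password regardless
#    of policy, and PasswordNeverExpires bypasses the 90-day rotation rule.
Get-ADUser -Filter 'PasswordNotRequired -eq $true -or PasswordNeverExpires -eq $true' `
    -Properties PasswordNotRequired, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordNotRequired, PasswordNeverExpires

# 3. Missing critical patches: servers whose most recent hotfix is older than 30 days, or that cannot be queried.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' | Select-Object -ExpandProperty DNSHostName
foreach ($s in $servers) {
    $last = Get-HotFix -ComputerName $s -ErrorAction SilentlyContinue |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $last -or $last.InstalledOn -lt (Get-Date).AddDays(-30)) {
        [pscustomobject]@{ Host = $s; LastPatch = $last.InstalledOn; Finding = 'Patching stale or host unreachable' }
    }
}

# 4. Open ports on this host: listeners outside the allow-list, with the process behind each one.
$allowed = 53, 88, 135, 389, 445, 636, 3268, 3269, 3389   # assumed baseline for a DC that also allows RDP
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -notin $allowed } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Process = $p.ProcessName; Path = $p.Path }
    } |
    Sort-Object Port -Unique

# 5. Active IP addresses: every lease the DHCP server currently holds (run on the DHCP server).
Get-DhcpServerv4Lease -ScopeId 10.10.1.0 |
    Select-Object IPAddress, HostName, ClientId, LeaseExpiryTime
```

Step 2 is the one most often missed: a scanner that tests logons will not see an empty password on an account nobody tries, but the PasswordNotRequired flag is visible in the directory for anyone who asks.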

SSH (Secure Shell) is a protocol and software suite that enables secure system administration and file transfer over insecure networks. Encrypting every user authentication, command, command output, and file transfer secures the connection between client and server and defeats eavesdropping and tampering on the network path. Tectia SSH Client and Server for Windows is an enterprise-grade SSH implementation and will be deployed on the network. It protects the organization against internal and external attacks on user identities, theft of passwords or login credentials, and data theft, and it supports automated, secure remote command execution and file transfer. Alongside Tectia SSH, Universal SSH Key Manager is required to manage the SSH keys: it implements a controlled provisioning process and a termination process, and it assists in discovering and remediating existing keys. Key management of this kind is required to demonstrate compliance with PCI DSS, Sarbanes-Oxley, HIPAA, and FISMA/NIST SP 800-53. [6]
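The discovery step of SSH key management (finding the keys already trusted on a host and deciding which ones would fail a controlled provisioning process) is shown here as an added example; it is not the proposal's code and not how Universal SSH Key Manager works internally. It parses the OpenSSH authorized_keys format, which is what an OpenSSH-compatible server on Windows reads; Tectia's own key store is laid out differently. The profile paths, the owner-naming rule (comment must be user@umuc.local), and the four sample entries are all constructed for the example.

```powershell
# Added example: inventory authorized_keys entries and flag ones that would fail a provisioning review.
# Paths, the owner-naming rule and the sample entries are assumptions constructed for this example.

function ConvertFrom-AuthorizedKeyLine {
    param([string]$Line, [string]$Source)
    $t = $Line.Trim()
    if ($t -eq '' -or $t.StartsWith('#')) { return }
    # Grammar: [options] keytype base64-blob [comment]. Options may contain quoted commas and spaces,
    # so the key-type token is located first and whatever precedes it is treated as options.
    $m = [regex]::Match($t, '(?<opts>^.*?\s)?(?<type>ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))\s+(?<key>[A-Za-z0-9+/=]+)\s*(?<comment>.*)$')
    if (-not $m.Success) { return [pscustomobject]@{ Source = $Source; Type = ''; Fingerprint = ''; Comment = ''; Finding = "Unparseable entry: $t" } }
    $opts    = $m.Groups['opts'].Value.Trim()
    $comment = $m.Groups['comment'].Value
    # OpenSSH-style fingerprint: SHA-256 of the decoded key blob, base64 without padding.
    $blob = [Convert]::FromBase64String($m.Groups['key'].Value)
    $fp   = 'SHA256:' + [Convert]::ToBase64String([System.Security.Cryptography.SHA256]::Create().ComputeHash($blob)).TrimEnd('=')
    $findings = @()
    if ($m.Groups['type'].Value -eq 'ssh-dss') { $findings += 'DSA key (1024-bit, deprecated)' }
    if ($opts -notmatch 'from=')              { $findings += 'No from= source restriction' }
    if ($opts -notmatch 'command=')           { $findings += 'Interactive shell allowed (no command= restriction)' }
    if ($comment -notmatch '^[a-z0-9-]+@umuc\.local$') { $findings += 'Comment does not identify an owner account' }
    [pscustomobject]@{
        Source = $Source; Type = $m.Groups['type'].Value; Fingerprint = $fp
        Comment = $comment; Finding = ($findings -join '; ')
    }
}

function Get-SshKeyInventory {
    # Walks every authorized_keys file found under the assumed per-user and Windows OpenSSH locations.
    param([string[]]$Paths = (Get-ChildItem 'C:\Users\*\.ssh\authorized_keys', 'C:\ProgramData\ssh\administrators_authorized_keys' -ErrorAction SilentlyContinue).FullName)
    foreach ($p in $Paths) {
        Get-Content $p | ForEach-Object { ConvertFrom-AuthorizedKeyLine -Line $_ -Source $p }
    }
}

# Constructed sample: the key blobs are valid base64 but are not real keys.
$sample = @(
    '# faculty workstation',
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0ZXhhbXBsZQ== kkeiser@umuc.local',
    'from="10.10.1.0/24",command="C:\backup\run.cmd" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRlbW8ga2V5IGJsb2Igbm90IGEgcmVhbCBrZXk= svc-backup@umuc.local',
    'ssh-dss AAAAB3NzaC1kc3MAAAAgZGVtbyBkc2Ega2V5IGJsb2I= contractor-laptop'
)
$sample | ForEach-Object { ConvertFrom-AuthorizedKeyLine -Line $_ -Source 'sample' } |
    Format-Table Type, Comment, Finding -Wrap
```

On the sample, only the backup service key passes clean: it is pinned to a source network and to one command. The faculty key is a valid interactive key that a review would ask to have a from= restriction added, and the contractor key is the kind of entry (deprecated algorithm, no owner, no restrictions) that the termination process exists to remove.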

D.) Justification for Additional Servers and security measures

AD DS on the Domain Controller is a necessity for a college campus like UMUC, primarily because of the security controls it provides. An administrator alone could not keep track of every employee and their access rights, every student, and every guest device. The domain controller acts as an invisible administrator for every end user on the network, granting or denying access to resources on the network. These resources include everything from email, the Learning Management System

A DHCP server automatically configures the IP address of every device on the network, which ensures each device receives a valid, unique address. DHCP also reconfigures devices automatically as they join and leave the network, which is a big help to a network administrator. Configuring IP addresses statically would be a mistake for any network larger than a few devices. Since the UMUC network contains over 100 devices, a DHCP server is the best option to prevent connectivity and troubleshooting problems. Servers, printers, and network equipment should still keep fixed addresses, either statically assigned or as DHCP reservations, so that their DNS records and firewall rules stay valid. [2]

A DNS server maps a logical name to its IP address. It is a necessity on a network with internet access because it translates names into IP addresses and vice versa. [1] Users on a network are not going to remember an IP address, but they will remember a name like www.umuc.edu. Maintaining two DNS servers on the network also provides a backup if the primary fails. The proposal places one DNS server on Windows Server 2016 and the other on the router; the caveat is that domain-joined clients must only be pointed at DNS servers that host the Active Directory zone, including the SRV records used to locate domain controllers. The second server should therefore be a second domain controller running the DNS role, with both DNS servers forwarding internet queries to the router or the ISP's resolvers. A router's resolver listed as a client's secondary DNS server does not answer for the internal domain, so it would cause intermittent logon and share-access failures rather than prevent them.

A vulnerability scanner is required because it helps maintain the network and its devices without employing an entire IT department. Running a scan periodically to check for vulnerabilities on the network is simple and cost-effective compared with paying additional salaries and benefits. The scan still needs an administrator who reads the report and fixes what it finds, since the scanner itself remediates nothing.

SSH software and key management are required to secure the University's network. SSH uses public-key cryptography (the server proves its identity with a host key, and users can authenticate with key pairs instead of passwords) together with an authentication step that requires users to authenticate before they can transmit data over the channels within the UMUC network. This prevents unauthorized users from accessing data on the network. [1] PKI (public key infrastructure) is a different thing: the system of certificates and certificate authorities that issues and vouches for keys. Plain SSH does not require a PKI, which is exactly why SSH keys need the lifecycle management described above.


E.) Network Storage and Cloud Based Services

A network attached storage (NAS) device will be used for additional file storage on the network. The NAS will be connected directly to the network through a switch using a wired interface. The NAS provides better performance because its sole purpose is file storage. It is a viable option because it can join the existing network and the Active Directory domain, so IT does not have to configure duplicate accounts for each user: users authenticate to the NAS with their domain credentials. [1] The NAS will be used primarily by faculty and administration. The switch connecting the NAS will maintain two separate VLANs, one for professors and one for administrators. VLANs separate the traffic, but the control that actually prevents professors from reaching protected information such as financial data and Social Security numbers is the share and folder permissions on the NAS, granted to the corresponding Active Directory groups; both must be configured.

The NETGEAR ReadyNAS RN628X Ultimate Performance 10GbE 4-bay diskless network attached storage unit will be deployed on the network. It provides 80 TB of storage, expandable to a maximum of 130 TB with expansion bays. It features a 2.2 GHz Intel Xeon quad-core processor and 8 GB of DDR4 RAM. It offers five levels of data protection, including built-in anti-virus and incremental backup copies. It includes Gigabit and 10 Gigabit Ethernet ports as well as USB 3.0, is VMware vSphere ESXi 6.0 certified, and is priced at approximately $2,000 before drives. [10]

A dedicated cloud environment will be implemented for the students and faculty at UMUC. A private cloud provides flexibility of access, ease of use, and lets users provision their own resources. [1] The environment will host the Learning Management System used by both faculty and students. Amazon Web Services (AWS) is a public cloud provider that supports hybrid cloud computing, connecting infrastructure and applications in the cloud with existing on-premises infrastructure; the combined UMUC design is therefore a hybrid cloud rather than a strictly private one. UMUC will use platform as a service (PaaS) to deliver the Learning Management System without having to handle software maintenance, capacity planning, or patching of the underlying platform. [7] The average monthly cost of a large web application on AWS is about $1,000.

F.) Data Protection and Back-up Implementation

Data protection is the process of safeguarding information from corruption, compromise, or loss through operational backup of data. It also includes business continuity and disaster recovery, which ensure that data can be recovered quickly after a loss. There are two main areas of data management: data lifecycle management and information lifecycle management. Data lifecycle management automatically moves data from online to offline storage as it ages. Information lifecycle management is a strategy for valuing, cataloging, and protecting information assets against application and user errors, malware and virus attacks, machine failure, and facility outages and disruptions.


Continuous Data Protection (CDP) is a form of data replication that backs up data as changes are made. With CDP, a system or network can be restored to any previous point in time, which is extremely useful after corruption or data loss. A true CDP system records every change and stores it in a log. If a physical system fails, the CDP system retains all changes up to the last write before the failure, so the system can be restored to a point before any corruption. CDP can be implemented as software running on a server or as a hardware appliance. For UMUC, the software option, Dell EMC Data Protection Suite Enterprise Edition, will be implemented. The software will run on a server, and the protected data will be stored in two separate locations: the cloud and an on-premises storage device or server. Data backed up this way will be recoverable for all faculty, students, and administrators on the UMUC network, while access to the backup console itself will be limited to administrators, because whoever controls the backups can read or destroy every copy. [8] The Dell EMC Data Protection Suite Enterprise Edition will cost approximately $13,500.

G.) Network Monitoring Solution

Network monitoring is a service carried out by software together with the network administrator and/or the IT department to watch the network continuously for possible outages or failures. A network monitoring system ensures the availability and performance of every device and component on the network by searching for inconsistencies and connectivity issues. LogicMonitor's automated network monitor will be implemented for network monitoring. It is rated one of the best network monitoring products of 2018. It automatically discovers all network devices and interfaces; monitors CPU, memory, temperature, fans, and other hardware; and tracks PoE loads, wireless access points, and interface metrics. Monitoring the network is critical because it detects, tracks, and analyzes the network while examining applications and devices in real time, which allows IT to respond quickly. [9]

A packet sniffer can also be used to capture the data being transmitted to a device or over the network. Once the data is captured, the packet sniffer holds it until it can be analyzed. A packet sniffer is useful for seeing exactly what is on the network and what is being sent to a device. It can help prevent attacks on a specific device: once it is determined that a device should not be receiving a certain type of traffic, that traffic can be blocked, or the device can be isolated from the network until the cause is found. [1] Paessler's PRTG, with its packet sniffer sensor, will be implemented on the network to monitor total traffic, port sniffing, web traffic (HTTP, HTTPS), mail traffic (IMAP, POP3, SMTP), file transfer traffic (FTP, P2P), infrastructure traffic (DHCP, DNS, ICMP, SNMP), and remote control (RDP, SSH, VNC). It is an all-in-one packet sniffing tool that filters by IP address, protocol, and type of data. A sniffer only sees what reaches its own port, so on a switched network the sensor host must be attached to a SPAN (mirror) port or a tap to observe traffic between other devices. The XL1 unlimited license will be purchased at a one-time price of $16,900. Each year the software maintenance fee will be renewed at 25% of the current list price of the original license. [11]


H.) Storage and Management of Logs

System logs are extremely important because they provide a record of the events that occurred on a system. Log entries are generated by the operating system and by the applications running on it. An entry can be produced by many kinds of events, including failed login attempts and changes to the system. By default, each log is created and stored on the device that produced it. Implementing centralized logging is the best way to review what is happening across the network, because the log files from every device end up on one central device, usually a logging server also known as a syslog server. [1] Windows Server does not ship with a syslog service (its native mechanism, Windows Event Forwarding, only collects from Windows hosts), so Datagram SyslogServer Suite will be installed on the Windows Server 2016 host, where it can also accept syslog from non-Windows devices such as the switches and the NAS. Once all the logs are on the server, a log file analyzer (the Datagram Syslog agent) will be used to produce a system-wide analysis, and the logs will be stored in a SQL database through the Amazon Relational Database Service (RDS) in the AWS environment previously implemented. Logs sent off-site should travel over an encrypted channel, and the central copy should be writable by the collector only, so that an attacker who compromises a device cannot erase the evidence of having done so. The IT administrator will then review the analysis and make corrections and changes accordingly. Datagram SyslogServer Suite will cost approximately $900 for 5,000 IP addresses. [12]
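The value of a central log store is the analysis that runs over it. The paragraph above names failed login attempts as one event that produces log entries; the added PowerShell example below (not from the original proposal or from the Datagram product) shows what that analysis looks like when it is applied to failed Windows logons (event ID 4625) that have been forwarded to the syslog server. The line format `... Security[4625]: user=... src=... status=...` and all of the sample lines are constructed for the example; a real forwarder's format will differ and the regular expression must be adjusted to it.

```powershell
# Added example: find failed-logon bursts in forwarded syslog lines. Line format and data are constructed.

function Find-FailedLogonBursts {
    param(
        [string[]]$Lines,
        [int]$Threshold = 5,        # failures from one source within the window that trigger a report
        [int]$WindowMinutes = 10
    )
    # Assumed forwarder format: "Apr  3 08:12:01 dc1 Security[4625]: user=jdoe src=10.10.5.23 status=0xC000006A"
    $pattern = '^(?<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\sSecurity\[4625\]:\suser=(?<user>\S+)\ssrc=(?<src>\S+)\sstatus=(?<status>\S+)'
    $events = foreach ($l in $Lines) {
        $m = [regex]::Match($l, $pattern)
        if ($m.Success) {
            [pscustomobject]@{
                # syslog pads single-digit days with two spaces; collapse them before parsing (year defaults to current)
                Time   = [datetime]::ParseExact(($m.Groups['ts'].Value -replace '\s+', ' '), 'MMM d HH:mm:ss', [cultureinfo]::InvariantCulture)
                User   = $m.Groups['user'].Value
                Source = $m.Groups['src'].Value
                Status = $m.Groups['status'].Value
            }
        }
    }
    $window = New-TimeSpan -Minutes $WindowMinutes
    foreach ($group in ($events | Group-Object Source)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Sliding window anchored on each failure from this source.
            $start = $sorted[$i].Time
            $end   = $start + $window
            $burst = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
            if ($burst.Count -ge $Threshold) {
                $users = @($burst.User | Sort-Object -Unique).Count
                [pscustomobject]@{
                    Source        = $group.Name
                    Start         = $start
                    Failures      = $burst.Count
                    DistinctUsers = $users
                    # many users from one source = password spraying; one user = brute force on that account
                    Verdict       = if ($users -gt 1) { 'Password spraying' } else { 'Brute force on one account' }
                }
                break   # one report per source is enough for the administrator
            }
        }
    }
}

# Constructed sample: one brute-force source, one spraying source, one benign source, one unrelated event.
$sample = @(
    'Apr  3 08:12:01 dc1 Security[4625]: user=jdoe src=10.10.5.23 status=0xC000006A',
    'Apr  3 08:12:09 dc1 Security[4625]: user=jdoe src=10.10.5.23 status=0xC000006A',
    'Apr  3 08:12:15 dc1 Security[4625]: user=jdoe src=10.10.5.23 status=0xC000006A',
    'Apr  3 08:12:40 dc1 Security[4625]: user=jdoe src=10.10.5.23 status=0xC000006A',
    'Apr  3 08:13:02 dc1 Security[4625]: user=jdoe src=10.10.5.23 status=0xC000006A',
    'Apr  3 08:13:30 dc1 Security[4625]: user=jdoe src=10.10.5.23 status=0xC000006A',
    'Apr  3 08:20:11 dc1 Security[4624]: user=kkeiser src=10.10.7.4 status=0x0',
    'Apr  3 08:31:05 dc1 Security[4625]: user=kkeiser src=10.10.7.4 status=0xC000006A',
    'Apr  3 08:31:19 dc1 Security[4625]: user=kkeiser src=10.10.7.4 status=0xC000006A',
    'Apr  3 09:00:00 dc1 Security[4625]: user=asmith src=198.51.100.7 status=0xC000006A',
    'Apr  3 09:00:12 dc1 Security[4625]: user=bjones src=198.51.100.7 status=0xC000006A',
    'Apr  3 09:00:25 dc1 Security[4625]: user=cwu src=198.51.100.7 status=0xC000006A',
    'Apr  3 09:00:51 dc1 Security[4625]: user=dlee src=198.51.100.7 status=0xC000006A',
    'Apr  3 09:01:10 dc1 Security[4625]: user=efox src=198.51.100.7 status=0xC000006A'
)
Find-FailedLogonBursts -Lines $sample | Format-Table -AutoSize
```

On the sample this reports two sources: 10.10.5.23 with six failures against jdoe (brute force) and 198.51.100.7 with five failures across five accounts (spraying), while the two mistyped passwords from 10.10.7.4 stay below the threshold. Against the real store the call is the same with `-Lines (Get-Content <exported syslog file>)`, and the threshold should be set just below the lockout threshold in the password policy so that the administrator hears about an attack before users start being locked out.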

I.) IT Troubleshooting Methodology

The troubleshooting methodology that will be used by IT personnel at UMUC is as follows:

• Identify the problem: list the symptoms and identify who is experiencing them. Check for changes that occurred before the symptoms started, then try to duplicate the problem.

• Establish a theory of probable cause by analyzing the symptoms and determining the most likely cause. Keep in mind the flow of data through the OSI model, and check the most common causes of the reported symptoms first.

• Test the theory. If the theory is confirmed, research fixes for the problem. If it is not confirmed, start the process over again or escalate the issue to a supervisor.

• If the theory is confirmed and a resolution is found, complete a plan of action.

• After the action plan is complete, implement the solution and run a series of tests to determine whether it worked.

• Finally, document a standard operating procedure for this problem, including any preventative measures, for future use. [1]
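The "flow of data through the OSI model" step is easiest to apply when the first test already walks the layers in order, so that the theory of probable cause starts from a fact rather than a guess. The PowerShell function below is an added example (not from the original proposal or from TestOut) for the most common campus complaint, "I cannot open the file share": it checks link, addressing, gateway, name resolution, and the service port in that order and stops at the first layer that fails. The target name files.umuc.local and the SMB port are assumptions.

```powershell
# Added example: layered connectivity diagnosis for a client workstation. Target name and port are assumptions.

function Test-ClientPath {
    param(
        [string]$TargetHost = 'files.umuc.local',   # assumed file server name
        [int]$TargetPort = 445                        # SMB
    )
    $r = [ordered]@{}

    # Layers 1-2: is any adapter up? Nothing above this can work otherwise.
    $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    if (-not $nic) { $r['Diagnosis'] = 'No adapter is up: cable, port or driver'; return [pscustomobject]$r }
    $r['Link'] = "up on $($nic.Name)"

    # Layer 3: did DHCP hand out a usable address and a gateway? 169.254.x.x means DHCP never answered.
    $ip  = Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 | Select-Object -First 1
    $cfg = Get-NetIPConfiguration -InterfaceIndex $nic.ifIndex
    $r['Address'] = "$($ip.IPAddress) (origin: $($ip.PrefixOrigin))"
    $r['Gateway'] = $cfg.IPv4DefaultGateway.NextHop
    if ($ip.IPAddress -like '169.254.*') { $r['Diagnosis'] = 'APIPA address: DHCP not reachable on this VLAN'; return [pscustomobject]$r }
    if (-not $r['Gateway'])              { $r['Diagnosis'] = 'No default gateway: check the DHCP scope options'; return [pscustomobject]$r }
    $r['GatewayReachable'] = Test-NetConnection -ComputerName $r['Gateway'] -InformationLevel Quiet
    if (-not $r['GatewayReachable'])     { $r['Diagnosis'] = 'Gateway does not answer: local segment or router problem'; return [pscustomobject]$r }

    # Name resolution: does the target resolve against the servers DHCP handed out?
    $r['DnsServers'] = ($cfg.DNSServer.ServerAddresses -join ', ')
    $dns = Resolve-DnsName -Name $TargetHost -ErrorAction SilentlyContinue
    $r['Resolves'] = [bool]$dns
    if (-not $dns) { $r['Diagnosis'] = 'Name does not resolve: DNS server list or missing record'; return [pscustomobject]$r }

    # Layer 4: can the service port be opened? Host reachable but port closed points at the server or a firewall.
    $tcp = Test-NetConnection -ComputerName $TargetHost -Port $TargetPort -WarningAction SilentlyContinue
    $r['PortOpen']  = $tcp.TcpTestSucceeded
    $r['Diagnosis'] = if ($tcp.TcpTestSucceeded) { 'Path healthy up to the service; look at permissions or the application' }
                      else { 'Host resolves but port closed or filtered: service down or firewall' }
    [pscustomobject]$r
}

Test-ClientPath | Format-List
```

The Diagnosis field is the output worth keeping in the ticket, because it records which layer the problem was isolated to; that is the "plan of action" input the methodology asks for, and a pattern of the same diagnosis across several tickets is what turns into the standard operating procedure in the last step.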


References

[1] TestOut Network Pro. Pleasant Grove, Utah: LabSim, 2018.

[2] D. Lowe, Networking For Dummies.

[3] "Chapter 2 Introduction to Directory Services and Directory Server", Docs.oracle.com. [Online]. Available: https://docs.oracle.com/cd/E19396-01/817-7619/intro.html.

[4] "Active Directory Collection: Active Directory", Technet.microsoft.com, 2014. [Online]. Available: https://technet.microsoft.com/en-us/library/cc780036(WS.10).aspx#w2k3tr_ad_over_qbjd.

[5] "Configure DHCP Server in Windows Server 2016 Step By Step", ProTechGurus, 2016. [Online]. Available: https://protechgurus.com/configure-dhcp-server-in-windows-server-2016/.

[6] "SSH (Secure Shell) Home Page | SSH.COM", Ssh.com, 2017. [Online]. Available: https://www.ssh.com/ssh/.

[7] "Types of Cloud Computing", Amazon Web Services, Inc. [Online]. Available: https://aws.amazon.com/types-of-cloud-computing/.

[8] S. Peterson and K. Hefner, "What is data protection?", TechTarget.com. [Online]. Available: http://searchdatabackup.techtarget.com/definition/data-protection.

[9] P. Ferrill, "The Best Network Monitoring Software of 2018", PCMAG, 2017. [Online]. Available: https://www.pcmag.com/article2/0,2817,2495263,00.asp.

[10] S. Aslam, "The 12 Best NAS (Network Attached Storage) to Buy in 2018", Omnicoreagency.com, 2018. [Online]. Available: https://www.omnicoreagency.com/best-nas-network-attached-storage/.

[11] "PRTG Price List - Overview, Licenses, Prices", Paessler.com. [Online]. Available: https://www.paessler.com/prtg/price_list.

[12] "Datagram Syslogserver Suite Review", Network Admin Tools, 2016. [Online]. Available: https://www.netadmintools.com/syslog-server/datagram/.
