Adrijon Zaci
Page 1
Contents
Introduction (page 3)
Executive Summary (page 4)
Requirements summary (page 5)
Assumptions (page 6)
Logical network design (page 7)
Network layout (page 8)
IP Address Schema (page 9)
Head Office (Bristol) (page 9)
Branch office1 (Plymouth) (page 9)
Branch office2 (Exeter) (page 10)
Active Directory Naming Design (page 10)
Naming convention (page 10)
Adding groups (page 11)
Adding user account (page 11)
Users and permissions
Layout of Permission for groups and networks
Security policy for the network (page 14)
Expansion of network in future (page 14)
Justification (page 15)
Security (page 16)
Conclusion (page 17)
Referencing (page 18)
Introduction
I have been hired as a consultant by West Products (WP), a growing company distributed around the West of England, to design and develop a new network for their three branches based on Windows Server 2008. I also have to write an industrial report based on their requirements. The report should include an appropriate solution for the travelling sales team, who require access to the network and the shared data while on a customer's site. The new network design must include all three branches of the company. The report will be separated into three parts, which will make it easier for others to gain a better understanding. The first part will be written for non-technical personnel, so that everyone can understand it and gain the general idea of the proposed solution. The second part will be written for the technical staff and administrators and will include all the technical details of the design. The third part will be written for both technical and non-technical personnel, but it must present the assessment of the solution in a non-technical fashion. The report will also include details of the access rights of the following staff who work for the company: Managers (including the MD), Engineers, Sales staff, Finance staff and Secretaries. Details of the high-speed internet connection that will be linked to the head office of the company, and a detailed solution allowing the travelling team to remotely access the network and share data on it, should also be included. The security of the network is also very important and should be considered carefully and given high priority.
Even though the finance department will have access to all billing and payroll information, the rest of the departments should be assigned rights appropriately, according to the needs and responsibilities of the employees; the correct grouping of departments and members must also be done appropriately.
Requirements summary
After considering the information provided in the scenario I have come up with the following requirements, and the following points that were not mentioned:
Requirements:
- Design and develop a network architecture
- The network design should be based on Windows Server 2008
- Access to the network for the travelling sales team
- Secure sensitive data/information
- Create group accounts and access rights for the staff
Missing points:
- The names of the branches
- The number of staff working in each branch
- The bandwidth of each branch
Access to data shared on the network should be available to all three branches of the company; all three offices should be linked to each other and able to share data and resources on the network. Members of the travelling sales team should have access to the information shared on the network via a VPN connection, which will enable them to connect to the network remotely using Windows Remote Desktop; this method will also allow them to use any applications stored and running on the company's server. A backup server will be required on which all the data is backed up, so that in case of data loss the information can be retrieved from the backup server; this will reduce the impact on the company of data loss or other problems with the information shared on the network. Users on the network should be members of appropriate groups, and access to data/information on the network should be assigned according to their needs and responsibilities. Finally, the head office should have a high-speed internet connection available.
Assumptions
After considering the information gathered from the scenario, assumptions have been made in order to successfully complete the specified report and meet the customer's requirements. As the offices have not been named, I have assumed that the head office is based in Bristol and the other two sub-offices are based in Plymouth and Exeter. I assume that the entire network will have a total of 70 users, with a different number of users at each branch. The Head Office, located in Bristol, will have 35 users and a bandwidth link of 8Mbps. Bristol will also have an extra 1Mbps SDSL link, which will be used to help maintain the server link in case the Asymmetric Digital Subscriber Line (ADSL) fails or is overloaded. Branch office1, located in Plymouth, will have 18 users and a bandwidth link of 8Mbps. Branch office2, located in Exeter, will have 18 users and a bandwidth link of 8Mbps. So all three offices will have an 8Mbps ADSL link, connected via a virtual private network (VPN) which will also require user passwords. The network will use two types of VPN: remote access VPNs and site-to-site VPNs. As the Bristol branch is the head office of the company, the accounts department will be held at this office, which will therefore hold the main server containing the company's database and all the client information. Bristol will be the root domain for WP, with access to and control over the other branches; Plymouth and Exeter will be the child domains. The Head Office site will be secured by passwords and encryption, which means that every user will be issued a different level of security depending on the requirements of their job. The travelling sales team will have access to the server via UMTS technologies and their 3G phones. The network will also use an offsite backup system, storing the data there on a daily basis, while their own system will perform automatic backups during the day.
The network will also use a private class C subnet to access files on the main server, which are held at the individual offices.
Layout of the network:
[Figure: logical network layout showing the Head Office (root domain) with Branch Office 1 and Branch Office 2 beneath it; Branch Office 2 is labelled BranchOffice_Exeter.com, child domain]
Naming strategy
Head Office: HeadOffice_Bristol.com - contains the head office and will be the root domain of the directory structure.
Branch Office1: BranchOffice_Plymouth.com - contains the Plymouth branch office, will be a sub-domain of the hierarchy and will hold the programs needed by the remote travelling sales team.
Branch Office2: BranchOffice_Exeter.com - contains the Exeter branch office, will be a sub-domain of the hierarchy and will hold the programs needed by the remote travelling sales team.
To secure each site and the LAN connection I will be using a firewall, which will help to maintain the level of security on the network. In addition, a VPN connection will be established which will enable mobile users to connect to the network over UMTS (for example 3G technology); once they have established the connection, authorisation will take place against Active Directory to gain access to the relevant data/information on the network.
Network layout
West Products is a company that deals with wireless networks and technologies and is located in the west of England; its head office is in Bristol and its branch offices are in Plymouth and Exeter. As mentioned before, the company will be using Windows Server 2008 Active Directory. All three offices have the same 8Mbps ADSL link to the internet, with the sites connected by a VPN over the internet, but the main office also has an extra 1Mbps SDSL link which provides load balancing and failover; this will also cope with the upload of data from the branch offices and remote travelling salesmen at the end of the day. The IP address schema that West Products will be using is private class C addressing, as shown below.
Head Office: Bristol - Network 192.168.1.0, mask 255.255.255.0
Branch office1: Plymouth - Network 192.168.2.0, mask 255.255.255.0
Branch office2: Exeter - Network 192.168.3.0, mask 255.255.255.0
The travelling sales team use a wireless connection via UMTS on laptops and via 3G phones to connect to the main server.
[Table: IP address allocation within the 192.168.2.0 branch network; the group name column was lost in extraction.
Members: 0, 2, 5, 1, 1, 6, 1, 1, 1
IP address range (from): 192.168.2.2, 192.168.2.5, 192.168.2.10, 192.168.2.11, 192.168.2.12, 192.168.2.18, 192.168.2.19, 192.168.2.20]
[Figure: user accounts created for the groups Accounts, Sales staff, Secretaries and Engineers. Account names shown: Dalton Nelson, Eldon Wood, Albion Hagger, Evan Webb, Morris West, Albert Simes, Davin Nelson, Noel Crowley]
Adding groups
[Figure: groups created in the directory, including Accounts and Secretaries]
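As an added example (not part of the report), the following PowerShell creates the staff groups and a few of the listed user accounts and places each user in a group, so that group-level rights apply automatically. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later), the OU name 'WP Staff' and the user-to-group mapping, none of which the report specifies.

```powershell
# Added example, not the report's own script. Assumes the ActiveDirectory
# PowerShell module and an account allowed to create objects in the OU.
Import-Module ActiveDirectory

$domainDN = 'DC=HeadOffice_Bristol,DC=com'   # root domain named in the report
$ouName   = 'WP Staff'                        # hypothetical OU name
$ouDN     = "OU=$ouName,$domainDN"

# A dedicated OU lets group policy and delegation be scoped to staff objects.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# Groups from the report's permission table. Global security groups hold the
# users; resource permissions are then granted to the groups, never to users.
$groups = 'Managing Directors','Sales staff','Sales managers','Engineers',
          'Engineer manager','Accounts','Accounts manager','Secretaries','External sales'
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $ouDN)) {
        New-ADGroup -Name $g -SamAccountName ($g -replace ' ','') -GroupScope Global `
                    -GroupCategory Security -Path $ouDN
    }
}

# Users from the report's account list; the group each belongs to is a
# constructed mapping, as the report does not state it.
$users = @(
    @{ Name = 'Dalton Nelson'; Group = 'Sales staff' },
    @{ Name = 'Eldon Wood';    Group = 'Engineers' },
    @{ Name = 'Albion Hagger'; Group = 'Accounts' },
    @{ Name = 'Evan Webb';     Group = 'Secretaries' }
)
foreach ($u in $users) {
    $first, $last = $u.Name -split ' ', 2
    $sam = ($first.Substring(0,1) + $last).ToLower()      # e.g. dnelson
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        # Prompt for the initial password instead of embedding one in the script.
        $pw = Read-Host -AsSecureString "Initial password for $sam"
        New-ADUser -Name $u.Name -GivenName $first -Surname $last -SamAccountName $sam `
                   -UserPrincipalName "$sam@HeadOffice_Bristol.com" -Path $ouDN `
                   -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $true
    }
    Add-ADGroupMember -Identity ($u.Group -replace ' ','') -Members $sam
}

# Verify: list each group's members so the administrator can check the result.
foreach ($g in $groups) {
    $members = Get-ADGroupMember -Identity ($g -replace ' ','') |
               Select-Object -ExpandProperty SamAccountName
    "{0}: {1}" -f $g, ($members -join ', ')
}
```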
Layout of Permission for groups and networks
Windows XP Professional is used on the West Products client machines; it supports NTFS and the type of file sharing the company requires. In any case, an administrator can restrict certain users from the network, or from part of the network, if the company thinks there might be a potential security risk: for example, they can restrict or disable the downloading of executable files so that specific users won't be able to download them.
Head office
Group (staff): Billing accounts / Sales / Scheduling / Payroll
Managing Directors (1): Full control / Full control / Full control / Full control
Sales staff (10): Read / Read/execute / Read/execute / No access
Sales managers (2): Modify / Full control / Full control / No access
Engineers (5): No access / Read / Read / No access
Engineer manager (1): No access / Read/write / Modify / No access
Accounts (5): Full control / Read/execute / Full control / Full control
Accounts manager (2): Full control / Full control / Full control / Full control
Secretaries (4): Full control / Full control / Full control / No access
External sales (5): No access / Read / Read / No access

Branch office1
Group (staff): Scheduling
Sales staff (10): Read/execute
Managers (2): Full control
Secretaries (1): Full control
Engineers (4): Full control
Accounts (1): Full control

Branch office2
Group (staff): Scheduling
Sales staff (10): Read/execute
Managers (2): Full control
Secretaries (1): Full control
Engineers (4): Full control
Accounts (1): Full control
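As an added example (not from the report), this PowerShell applies the head office Billing accounts and Payroll rows as NTFS permissions on the share folders. The folder paths, the NetBIOS domain name HEADOFFICE and the space-stripped group account names are assumptions; "No access" is implemented by granting nothing and cutting inheritance, rather than by Deny entries.

```powershell
# Added example, not the report's own script. Assumes the folders exist on the
# file server and the groups exist in the HeadOffice_Bristol.com domain.
$domain = 'HEADOFFICE'   # hypothetical NetBIOS name of HeadOffice_Bristol.com

# Map the table's wording to FileSystemRights. "No access" gets no entry at
# all: with inheritance removed, an unlisted group cannot get in, and we avoid
# Deny entries that override Allow and are hard to reason about later.
$rightsMap = @{
    'Full control' = [System.Security.AccessControl.FileSystemRights]::FullControl
    'Modify'       = [System.Security.AccessControl.FileSystemRights]::Modify
    'Read/write'   = [System.Security.AccessControl.FileSystemRights]'Read, Write'
    'Read/execute' = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'Read'         = [System.Security.AccessControl.FileSystemRights]::Read
}

# Rows taken from the report's head office table (group -> right).
$shares = @{
    'D:\Shares\Billing accounts' = @{
        'Managing Directors' = 'Full control'; 'Sales staff' = 'Read'
        'Sales managers' = 'Modify'; 'Accounts' = 'Full control'
        'Accounts manager' = 'Full control'; 'Secretaries' = 'Full control'
    }
    'D:\Shares\Payroll' = @{
        'Managing Directors' = 'Full control'; 'Accounts' = 'Full control'
        'Accounts manager' = 'Full control'
    }
}

function Set-SharePermissions {
    param([string]$Path, [hashtable]$Grants)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and clear explicit entries, so only the
    # table rows remain. Administrators keep Full control for management.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, $allow)))
    foreach ($group in $Grants.Keys) {
        $identity = "$domain\" + ($group -replace ' ', '')   # group sAMAccountName, no spaces
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, $rightsMap[$Grants[$group]], $inherit, $propagate, $allow)))
    }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($path in $shares.Keys) { Set-SharePermissions -Path $path -Grants $shares[$path] }

# Review the result as an auditor would: who can reach Payroll, and how.
(Get-Acl 'D:\Shares\Payroll').Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```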
NETWORK Environment Management
The tables above show how rights have been assigned to different groups on the network. If in the future a new member joins the company, the network administrator will have to decide which group the new employee belongs to; once the appropriate group has been decided, he/she can then proceed to add the new employee to the network. After the new employee has been added to the appropriate group, all the rights assigned to that group will also apply to the new member, giving them access to the resources they require to carry out day-to-day activities.
Justification
As West Products required the sales team to have access to the resources shared on the network, I have recommended a VPN connection, which will allow them access to the shared resources; the Universal Mobile Telecommunications System (UMTS) will also be used to enable the mobile users to connect to the network and use the shared resources. As West Products is a medium-sized business, I have recommended ADSL internet connections, which will provide a bandwidth link of 8Mbps for the three branches. I have also recommended that the head office have an extra 1Mbps SDSL link, which will be used to help maintain the server link in case the Asymmetric Digital Subscriber Line (ADSL) fails or is overloaded. My recommendation for user access rights is to give access to groups according to their needs and responsibilities, so that they can carry on with their day-to-day tasks. To make sure that the network stays up and running, I have recommended that a backup server be used in case something goes wrong; the backup server can then be used to restore the data and get back in business. In addition, I have recommended that the company implement security policies in order to prevent attacks through unauthorised access to the network.
Network Security
File sharing
File sharing allows you to set restrictions on who can access and change files. There are two types of file system for file sharing, FAT and NTFS; most small to medium companies now use NTFS. File synchronization is the process of making sure that files in two or more locations are updated according to certain rules. In one-way synchronization, updated files are copied only from a 'source' location to a 'target' location, and no files are copied back to the source; in two-way synchronization, updated files are copied in both directions, usually with the purpose of keeping the two locations identical. Accessed at: http://windows.microsoft.com/enus/windows7/File-sharing-essentials
Security settings
Files of data can be grouped in a directory for easy access, and each file can be password protected. A directory can contain different sub-directories and sub-folders. Administrators can set up offline files with the Synchronization Manager, and can also use the Synchronization Manager to control which files and web pages are synchronized whenever a network connection becomes available. Accessed at: http://windows.microsoft.com/enus/windows7/File-sharing-essentials
Physical security
Physical security can range from security guards monitoring doors to video surveillance day or night. Physical security can also be the introduction of locks that secure systems, devices and rooms; these can be keys or cards to enter certain areas, restricted to certain users. If for any reason a key or card is lost, the best policy would be to change all keys and cards.
Data security
Data security protects data from unauthorised users. Data security would be via access rights and passwords to certain files; it also covers keeping the firewall and the security patches of all programs up to date.
Firewalls
Hardware firewalls are found on routers and will inspect data and deny or allow it to pass through the system. A software firewall can be installed on users' individual systems. Accessed at: http://searchsecurity.techtarget.com/definition/firewall
Passwords
Passwords are used to protect your data from unwanted access, but they should not be stored in plain text on the system; they should be encrypted to restrict access. There is software on the market that can encrypt passwords, so that any hacker would first have to decode the passwords from the system before being able to access them.
Encryption
Encryption is very important when sending classified data over a wireless network, because the data can be intercepted. Encryption can be done by different methods; most use a type of code/key, and both systems have to be using the same code/key to be able to access the data. Accessed at: http://www.ed.uiuc.edu/wp/privacy/encrypt.html
Auditing
Auditing of who accesses an account, and for how long they use it, should be kept and monitored by the administrator. This will help to prevent security issues and will notify the administrator of anyone who has tried to access an account without permission. Accessed at:
www.chrispeiris.com/articles/Article_2_Security_Auditing_1.doc
Enabling auditing
Logging and auditing should be enabled. Administrators can monitor network activity and check who has logged on, at what terminal and when. Administrators would also be able to check which files they accessed, how long they were in the files, and how many changes were made to documents. Accessed at:
www.chrispeiris.com/articles/Article_2_Security_Auditing_1.doc
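An added example (not from the report) of enabling this auditing on a Windows Server 2008 R2 file server and then reviewing the resulting logon and file-access events; the Payroll folder path is an assumption, and the script needs an elevated prompt.

```powershell
# Added example, not the report's own script. Assumes Windows Server 2008 R2,
# an elevated prompt, and D:\Shares\Payroll as the payroll share (assumed path).

# 1. Enable the audit subcategories: logon success/failure (who logged on,
#    when, from which terminal) and file system access (which files were used).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Object access auditing only produces events for folders that carry an
#    audit entry (SACL). Record every write, delete or permission change on
#    Payroll by anyone, and every failed attempt to read it.
$path    = 'D:\Shares\Payroll'
$acl     = Get-Acl -Path $path -Audit
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$changes = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions'
$reads   = [System.Security.AccessControl.FileSystemRights]::Read
$both    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$failOnly = [System.Security.AccessControl.AuditFlags]::Failure
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $changes, $inherit, $none, $both)))
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $reads, $inherit, $none, $failOnly)))
Set-Acl -Path $path -AclObject $acl

# 3. Review: failed logons (event 4625) and object access (event 4663) from the
#    last day. Property indices follow the standard layout of those two events.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
    Select-Object TimeCreated,
                  @{ n = 'User';   e = { $_.Properties[5].Value } },
                  @{ n = 'Source'; e = { $_.Properties[19].Value } }

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } |
    Where-Object { $_.Properties[6].Value -like "$path*" } |
    Select-Object TimeCreated,
                  @{ n = 'User';   e = { $_.Properties[1].Value } },
                  @{ n = 'Object'; e = { $_.Properties[6].Value } }
```

Audit events are only as useful as the retention of the Security log, so size it (or forward it) so that a day's worth of 4663 events does not overwrite the failed logons you want to see.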
Backups
Backups are important to a company. Up-to-date backups are important in case the worst happens. There are several different types of backup to choose from; these should always be password protected and stored off site in a secure place. They should always be easy to retrieve so that data can be restored, even if only to yesterday's settings or the last saved settings.
Conclusion
I can now conclude that undertaking this work has been very helpful, as I have learned the concepts of network design and security. I can now say confidently that I can design a network and identify the components needed for it. I am very happy with my work, as I have achieved most of the goals which the company required. Undertaking the process of writing a report analysing a computer network design helped me understand the user's requirements, and it enables me to build a system that is more reflective of the user's requirements and business rules. I conclude that the network I have recommended meets the overall requirements of the company. I have designed the network in a way that could expand in the future and is easy to manage.
Referencing
www.chrispeiris.com/articles/Article_2_Security_Auditing_1.doc