
NETWORK Environment Management

Network Environment Management Industrial Report


By Adrijon Zaci
Date: 07/06/2012 ID: k0922013


Contents
Introduction
Executive Summary
Requirements summary
Assumptions
Logical network design
  Network layout
IP Address Schema
Head Office (Bristol)
Branch office1 (Plymouth)
Branch office2 (Exeter)
Active Directory Naming Design
  Naming convention
Adding groups
Adding using account
Users and permissions
Layout of Permission for groups and networks
Security policy for the network
Expansion of network in future
Justification
Security
Conclusion
Referencing


Introduction
I have been hired as a consultant by West Products (WP), a growing company which is distributed around the West of England, to design and develop a new network for their three branches based on Windows Server 2008. I also have to write an industrial report based on their requirements. The report should include an appropriate solution for the travelling sales team, who require access to the network and the data which is being shared whilst on customers' sites. However, the new network design must include the three branches of the company.

In addition, the report will be separated into three parts, as this will make it easier for others to get a better understanding. The first part of the report will be written for non-technical personnel, so that it can be understood by everyone and give the general idea of the proposed solution. The second part of the report will be written for the technical staff and administrators and will include all the technical details of the design. The third part of the report will be written for both technical and non-technical personnel, but it must present the assessment of the solution in a non-technical fashion.

The report will also include details of the access rights of the following staff who work for the company: Managers (including the MD), Engineers, Sales staff, Finance staff and Secretaries. Details about the high-speed internet connection which will be linked to the head office of the company, and a detailed solution for the travelling team so that they can remotely access the network and share data on the network, should also be included. The security of the network is also very important and should be considered carefully and given high priority.

Even though the finance department will have access to all billing and payroll information, the rest of the departments should be assigned access appropriately and according to the needs and responsibilities of the employees; the correct grouping of departments and members must also be done appropriately.


Part 1 of the report

Executive Summary


West Products, a growing company which is based in the West of England, has hired me as their network consultant to design and develop a suitable network for their company. I will be designing and developing an appropriate network for West Products which will link all three branches together so they can access each other, bearing in mind that the network will be based around Windows Server 2008. I will be using the Virtual Private Network (VPN) method to give access to the users, which will allow them to share data and access network resources.

However, the members of the sales team work mainly off site and require access to the network; for example, the members of the travelling sales team will need to have access to estimated schedules and quotes whilst they are at customers' sites. The travelling sales team will also need access to the servers to add customer information, as the program for doing so is no longer stored on their laptops. This will be done via the company internet connection through Universal Mobile Telecommunications System (UMTS) and their 3G phones. This is a secure way of connecting mobile users to the network to gain access to all the resources shared on the network. This way any member of staff can connect to the network securely using their mobile.

An administrator has also been employed by the company to oversee the running of the network. The administrator will set up group accounts and access rights depending on the users' jobs and responsibilities. It is important that employees get the access rights to the data/information that they require in order to carry out their day to day tasks at work. They should not be granted excessive access rights, for security reasons. For account setup the network administrator will use Active Directory, and privileges will be added to groups rather than to individuals. Doing so will reduce administration work when a new user joins the company, as their access rights will be automatically added via the group settings. Active Directory can restrict access to certain files, safeguarding data from unauthorised users and from certain groups of users so that they cannot access those files.

However, data should be backed up and stored on a backup server so that in case of data loss the information can be retrieved from the backup server; this will reduce the impact on the company in case of data loss or other problems with the information being shared on the network.

Requirements summary
After considering the information provided in the scenario, I have come up with the following requirements and missing points that have not been mentioned:

Requirements:
- Design and develop a network architecture
- The network design should be based on Windows Server 2008
- Access to the network for the travelling sales team
- Secure sensitive data/information
- Creating group accounts and access rights for the staff

Missing Points:
- The name of the branches
- The number of staff working in each branch
- The bandwidth of each branch

Access to data which is being shared on the network should be available to all three branches of the company; all three offices should be linked to each other and should have the ability to share data/resources on the network. Members of the travelling sales team should have access to the information shared on the network via a VPN connection, which will enable a member of the sales team to connect to the network remotely by making use of Windows Remote Desktop; in addition, this method will also allow them to make use of any applications which are stored and running on the company's server. A backup server will be required where all the data is backed up, so that in case of data loss the information can be retrieved from the backup server; this will reduce the impact on the company in case of data loss or other problems with the information being shared on the network. The users on the network should be members of appropriate groups on the network, and access to the data/information on the network should be assigned according to their needs and responsibilities. Lastly, the main head office should have a high speed internetwork connection available.


Assumptions
After considering the information gathered from the scenario, assumptions have been made in order to successfully complete the specified report and meet the customer's requirements. As the offices have not been named, I have assumed that the head office is based in Bristol and the other two sub offices are based in Plymouth and Exeter. I assume that the entire network will have a total of 70 users. Each branch will have a different number of users.

The Head Office, which is located in Bristol, will have 35 users and a bandwidth link of 8Mbps. However, Bristol will also have an extra 1Mbps SDSL link which will be used to help maintain the server link in case the Asymmetric Digital Subscriber Line (ADSL) fails or is overloaded. Branch office1, which is located in Plymouth, will have 18 users and a bandwidth link of 8Mbps. Branch office2, which is located in Exeter, will have 18 users and a bandwidth link of 8Mbps. So the three offices will have an 8Mbps ADSL link via a virtual private network (VPN), which will also require user passwords. The network will be using two types of VPN: remote access VPNs and site-to-site VPNs.

As the Bristol branch is the head office of the company, the accounts department will be held at this office and it will therefore hold the main server, which holds the company's database and all the client information. Bristol will be the root domain for WP Company and will have access to and control over the other branches. Plymouth and Exeter will be the child domains for the WP Company. However, the Head Office site will be secured by passwords and encryption, which means that every user will be issued a different level of security depending on the requirements of their job. The travelling sales team will have access to the server via their UMTS technologies and their 3G phones. The networks will also use an offsite backup system where they will be storing the data on a daily basis, and their own system will do automatic backups during the day. The networks will also be using a private class C subnet to access files on the main server which are held at the individual offices.

Layout of the network:

| Office | Location | Network | Subnet mask |
|---|---|---|---|
| Head office | Bristol | 172.18.1.0 | 255.255.255.0 |
| Branch office1 | Plymouth | 172.18.2.0 | 255.255.255.0 |
| Branch office2 | Exeter | 172.18.3.0 | 255.255.255.0 |



Part 2 of the report

Logical network design


Below I have designed the logical structure of the network for the West Products company.

HeadOffice: HeadOffice_Bristol.com (Root Domain)
BranchOffice 1: BranchOffice_Plymouth.com (Child Domain)
BranchOffice 2: BranchOffice_Exeter.com (Child Domain)

Naming strategy

Head Office: HeadOffice_Bristol.com
Contains the head office and will be the root domain for the directory structure.

Branch Office: BranchOffice_Plymouth.com
Contains the Plymouth branch office, will be a sub domain of the hierarchy and will hold the program needed for the remote travelling sales team.

Branch Office2: BranchOffice_Exeter.com
Contains the Exeter branch office2, will be a sub domain of the hierarchy and will hold the program needed for the remote travelling sales team.

To secure each site and the LAN connection I will be using a firewall, which will help to maintain the level of security on the network. In addition, a VPN connection will be established which will enable mobile users to connect to the network over UMTS, for example 3G technology; once they have established the connection, the authorisation process will take place against Active Directory to gain access to the relevant data/information on the network.

Network layout

West Products is a company that deals with wireless networks and technologies and is located in the West of England; its head office is in Bristol and its branch offices are in Plymouth and Exeter. As mentioned before, the company will be using Windows 2008 Active Directory. All 3 offices have the same ADSL 8Mbps link connection to the internet via a VPN over the internet, but the main office also has an extra 1Mbps SDSL link which deals with load balancing and failover; this will also be able to cope with the upload of data from the branch offices/remote travelling salesmen at the end of the day. The internet connection is a VPN method and the IP address schema that the West Products company will be using is the private class C IP address as shown below.

Head Office: Bristol - Network 192.168.1.0 255.255.255.0
Branch office1: Plymouth - Network 192.168.2.0 255.255.255.0
Branch office2: Exeter - Network 192.168.3.0 255.255.255.0

The travelling sales team use a wireless connection via UMTS on laptops and via 3G phones for connection to the main server.


IP Address Schema

Head Office (Bristol)


The domain network is the head office in Bristol, which will hold the main data server and file server for the entire network; the other sites will have to log on to the main server for customer information and files. It will also hold the application server which runs their applications and programs. For the travelling sales team a wireless connection will be established via UMTS, which they will be using from their laptops and via their 3G phones for connection to the main server. In addition, the Bristol network has an ADSL link of up to 8Mbps to the VPN and also has a 1Mbps SDSL link in case the network is overloaded or fails.

| Users | Members | IP address range (from) | IP address range (to) |
|---|---|---|---|
| Managing directors | 1 | 192.168.1.2 | 192.168.1.3 |
| Managers office | 5 | 192.168.1.4 | 192.168.1.8 |
| Engineers | 10 | 192.168.1.9 | 192.168.1.18 |
| Accounts | 1 | 192.168.1.19 | 192.168.1.20 |
| Secretaries | 1 | 192.168.1.21 | 192.168.1.22 |
| Sales office | 14 | 192.168.1.23 | 192.168.1.35 |
| Router | 1 | 192.168.1.36 | - |
| Switch | 1 | 192.168.1.38 | - |
| Server | 1 | 192.168.4.18 | - |

Branch office1 (Plymouth)


Branch Office1, which is based in Plymouth, will be collecting customer information from the head office. However, Plymouth will be holding an application file server which will allow access to local files and applications. Plymouth has an ADSL link of up to 8Mbps to the VPN, and the travelling sales team will use the wireless connection via UMTS on their laptops and via their 3G phones for connection to the main server.

| Users | Members | IP address range (from) | IP address range (to) |
|---|---|---|---|
| Managing directors | 0 | - | - |
| Managers office | 2 | 192.168.2.2 | 192.168.2.4 |
| Engineers | 5 | 192.168.2.5 | 192.168.2.9 |
| Accounts | 1 | 192.168.2.10 | - |
| Secretaries | 1 | 192.168.2.11 | - |
| Sales office | 6 | 192.168.2.12 | 192.168.1.17 |
| Router | 1 | 192.168.2.18 | - |
| Switch | 1 | 192.168.2.19 | - |
| Server | 1 | 192.168.2.20 | - |


Branch office2 (Exeter)


Branch Office 2, which is based in Exeter, will, just like branch office 1, be collecting customer information from the head office and will also be holding an application file server which will allow access to local files and applications. It has an ADSL link of up to 8Mbps to the VPN, and the travelling sales team will use the wireless connection via UMTS on their laptops and via their 3G phones for connection to the main server.

| Users | Members | IP address range (from) | IP address range (to) |
|---|---|---|---|
| Managing directors | 0 | - | - |
| Managers office | 2 | 192.168.3.2 | 192.168.2.4 |
| Engineers | 5 | 192.168.3.5 | 192.168.2.9 |
| Accounts | 1 | 192.168.3.10 | - |
| Secretaries | 1 | 192.168.3.11 | - |
| Sales office | 6 | 192.168.3.12 | 192.168.1.17 |
| Router | 1 | 192.168.3.18 | - |
| Switch | 1 | 192.168.3.19 | - |
| Server | 1 | 192.168.3.20 | - |
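An added example (not part of the original report): a Python check that replays the three allocation tables above against each site's /24 and reports addresses that fall outside the site subnet, ranges smaller than the member count, and overlapping ranges. The row values are as read from the tables above; the function names and finding labels are assumptions of this example.

```python
import ipaddress

# (group, members, first address, last address or None for a single host),
# as read from the Bristol, Plymouth and Exeter tables in the report.
PLAN = {
    "Bristol": ("192.168.1.0/24", [
        ("Managing directors", 1, "192.168.1.2", "192.168.1.3"),
        ("Managers office", 5, "192.168.1.4", "192.168.1.8"),
        ("Engineers", 10, "192.168.1.9", "192.168.1.18"),
        ("Accounts", 1, "192.168.1.19", "192.168.1.20"),
        ("Secretaries", 1, "192.168.1.21", "192.168.1.22"),
        ("Sales office", 14, "192.168.1.23", "192.168.1.35"),
        ("Router", 1, "192.168.1.36", None),
        ("Switch", 1, "192.168.1.38", None),
        ("Server", 1, "192.168.4.18", None),
    ]),
    "Plymouth": ("192.168.2.0/24", [
        ("Managing directors", 0, None, None),
        ("Managers office", 2, "192.168.2.2", "192.168.2.4"),
        ("Engineers", 5, "192.168.2.5", "192.168.2.9"),
        ("Accounts", 1, "192.168.2.10", None),
        ("Secretaries", 1, "192.168.2.11", None),
        ("Sales office", 6, "192.168.2.12", "192.168.1.17"),
        ("Router", 1, "192.168.2.18", None),
        ("Switch", 1, "192.168.2.19", None),
        ("Server", 1, "192.168.2.20", None),
    ]),
    "Exeter": ("192.168.3.0/24", [
        ("Managing directors", 0, None, None),
        ("Managers office", 2, "192.168.3.2", "192.168.2.4"),
        ("Engineers", 5, "192.168.3.5", "192.168.2.9"),
        ("Accounts", 1, "192.168.3.10", None),
        ("Secretaries", 1, "192.168.3.11", None),
        ("Sales office", 6, "192.168.3.12", "192.168.1.17"),
        ("Router", 1, "192.168.3.18", None),
        ("Switch", 1, "192.168.3.19", None),
        ("Server", 1, "192.168.3.20", None),
    ]),
}


def audit_site(site, cidr, rows):
    """Return (site, group, problem) tuples for one site's allocation table."""
    net = ipaddress.ip_network(cidr)
    findings, accepted = [], []  # accepted: validated (group, first, last) ranges
    for group, members, first, last in rows:
        if first is None:  # no allocation for this group at this site
            continue
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last) if last else lo
        # Both ends must be usable host addresses inside the site subnet.
        if not all(net.network_address < a < net.broadcast_address for a in (lo, hi)):
            findings.append((site, group, "outside-subnet"))
            continue
        if hi < lo:
            findings.append((site, group, "reversed-range"))
            continue
        if int(hi) - int(lo) + 1 < members:
            findings.append((site, group, "too-small"))
        for other, olo, ohi in accepted:
            if lo <= ohi and olo <= hi:
                findings.append((site, group, "overlaps " + other))
        accepted.append((group, lo, hi))
    return findings


def audit_plan(plan=PLAN):
    """Audit every site in the plan and return all findings in table order."""
    findings = []
    for site, (cidr, rows) in plan.items():
        findings.extend(audit_site(site, cidr, rows))
    return findings


if __name__ == "__main__":
    for site, group, problem in audit_plan():
        print(f"{site:9} {group:18} {problem}")
```
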

Active Directory Naming Design


Naming convention
The table below is the naming convention schema for the users of the network in order to gain access. The way the naming convention works is that each username starts with the first two letters of the user's department, e.g. the managing directors have been given (MD), managers (MA), accounts (AC), sales (SA), secretaries (SE) and engineers (EN), followed by the last two letters of their first name, then the first 2 letters of their last name, and ending with a number starting from 1 and so on. This way there will be no duplicated usernames, which means that users on the network can be recognised uniquely.

| Users | Name | Username |
|---|---|---|
| Managing Directors | David White | mdidwh1 |
| Managers | Jason Smith | maonsm2 |
| Managers | Daniel Russell | maelru2 |
| Managers | Cairo John | marojo3 |
| Accounts | Tony Bennett | acnybe1 |
| Accounts | Wood Nelson | acodne2 |
| Accounts | Addison Webb | aconwe3 |
| Accounts | Albern Sherwood | acrnsh4 |
| Sales staff | Carl Webb | ssrlwe1 |
| Sales staff | Claude Simes | ssdesi2 |
| Sales staff | Colin Crowley | ssincr3 |
| Secretaries | Dalton Nelson | Seonne1 |
| Secretaries | Eldon Wood | Seonwo2 |
| Secretaries | Albion Hagger | Seonha3 |
| Secretaries | Evan Webb | Seanwe4 |
| Secretaries | Morris West | Seiswe5 |
| Engineers | Albert Simes | Enrtsi1 |
| Engineers | Davin Nelson | Eninne2 |
| Engineers | Noel Crowley | Enelcr3 |

Adding groups

Adding using account


Users and permissions


File sharing and permissions are set on a most-restricted basis with NTFS permissions, while still giving users the amount of access that they will require to do their jobs. The administrator will set up group permissions rather than individual permissions. Group permissions are easier to control than individual accounts because if any changes are to be made to that department/account, say new equipment, then the administrator only has to change one account rather than several. It also comes in handy when new staff start: it is easier just to add them to an existing group, as the permissions are already set up and there is less chance of making errors. West Products have separated their departments into groups so that permissions can be set for each group.

Users and their permissions:
- Managing director: Managing directors will have full access to the system.
- Managers: Managers will have different levels of access depending on their requirements and depending on their location at head office or branches.
- Sales staff: Sales staff have been set with no access and with restricted access to certain files. This is because they will be dealing directly with customer accounts.
- Engineers: Engineers have been set with limited access. This is because they will deal mainly with the design of products and they will not deal directly with the customer but through the sales department.
- Accounts: For security reasons the accounts staff will be the only ones with access to staff data, and the staff wages will be dealt with by head office accounts only.
- Secretaries: Secretaries have been set with full control; however, depending on their location, restrictions may apply. This is because they are the first person that the directors and managers will have contact with. Additional access to certain files may be required for the secretaries at head office, who will also deal with personal information from the managing directors.

Layout of Permission for groups and networks

XP Professional is being used for the West Products company, which is also compatible with NTFS and the type of file sharing that they require. In any case, an administrator can restrict certain users from the network or from part of the network if the company thinks that there might be potential security risks: for example, they can restrict or disable the download of executable files so that specific users won't be able to download them.


Head office

| Group | Staff | Billing accounts | Sales | Scheduling | Payroll |
|---|---|---|---|---|---|
| Managing Directors | 1 | Full control | Full control | Full control | Full control |
| Sales staff | 10 | Read | Read/execute | Read/execute | No access |
| Sales managers | 2 | Modify | Full control | Full control | No access |
| Engineers | 5 | No access | Read | Read | No access |
| Engineer manager | 1 | No access | Read/write | Modify | No access |
| Accounts | 5 | Full control | Read/execute | Full control | Full control |
| Accounts manager | 2 | Full control | Full control | Full control | Full control |
| Secretaries | 4 | Full control | Full control | Full control | No access |
| External sales | 5 | No access | Read | Read | No access |

Branch office1

| Group | Staff | Billing accounts | Sales | Scheduling | Payroll |
|---|---|---|---|---|---|
| Sales staff | 10 | Read | Read/execute | Read/execute | No access |
| Managers | 2 | Modify | Full control | Full control | No access |
| Secretaries | 1 | Full control | Full control | Full control | No access |
| Engineers | 4 | No access | Read/write | Full control | No access |
| Accounts | 1 | Full control | Full control | Full control | Read/write |

Branch office2

| Group | Staff | Billing accounts | Sales | Scheduling | Payroll |
|---|---|---|---|---|---|
| Sales | 10 | Read | Read/execute | Read/execute | No access |
| Managers | 2 | Modify | Full control | Full control | No access |
| Secretaries | 1 | Full control | Full control | Full control | No access |
| Engineers | 4 | No access | Read/write | Full control | No access |
| Accounts | 1 | Full control | Full control | Full control | Read/write |


The tables above show how rights have been assigned to different groups on the network. If in the future a new member joins the company, the network administrator will have to decide which group the new employee belongs to; after deciding on the appropriate group, he/she can then proceed to add the new employee to the network. After the new employee has been added to the appropriate group, all the rights that have been assigned to that particular group will also apply to the new member, so that they have access to the resources which he/she requires to carry out day to day activities.

Security policy for the network


A security policy is very important when it comes to network security, as if the policy is not followed it could lead to attackers breaching the network security. So, in order to improve the security of the network and of other important information, such as credential information and data which is being shared on the network, I would recommend that everyone in the company follows the password policies on the network. This way the network and other information being shared on the network will be more secure. This also means that the chances of data being hacked from the network and misused will be reduced.

User Account policy


Below is an example of a password policy which should be taken into consideration when setting up policies on the network. This is very important in securing the network and reducing the risk of unauthorised access to data and information.

- A user must change their password every 30 days. By changing the password regularly you will minimize the chances of someone gaining access to your account and pretending to be you, the account holder.
- A user should not use any previous password. When a user resets their password on the network they should not be able to use the previous (6-8) passwords; they should think of a new password when they change or reset it.
- Your password should be a mix of numbers, letters and symbols. By using a mixture of letters, numbers and symbols you will create a much stronger password and lower the chances of someone guessing your password.
- The user should only use an internal e-mail account when passing information on to another user on the network. By using only an internal e-mail account you will reduce the risk of attacks such as DoS, viruses etc.
- If passwords are disclosed on a system, change them immediately. If your password is disclosed then you are at risk of someone else accessing your account without your permission.
- Passwords should be stored in encrypted form. With passwords in encrypted form it is almost impossible for someone to crack your password, which means your password will be much more secure.
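An added example, not part of the original report: a small Python model of the policy items above (30-day maximum age, no reuse of the last 8 passwords, letters plus numbers plus symbols, nothing stored in plain text). The `Account` class, the salted PBKDF2 hash used as the protected storage form and the round count are assumptions of this example; in the Windows Server 2008 domain the report describes, these rules would be set in the domain password policy rather than in code.

```python
import hashlib
import hmac
import os
import re
import time

MAX_AGE_DAYS = 30        # report: change the password every 30 days
HISTORY_DEPTH = 8        # report: previous (6-8) passwords; upper bound used here
PBKDF2_ROUNDS = 100_000  # assumption of this example, not from the report


def _digest(password, salt):
    """One-way salted hash; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_problems(password):
    """Return a label for each required character class that is missing."""
    required = [(r"[A-Za-z]", "no letter"), (r"[0-9]", "no number"),
                (r"[^A-Za-z0-9]", "no symbol")]
    return [label for pattern, label in required if not re.search(pattern, password)]


class Account:
    def __init__(self):
        self.history = []       # newest first: (salt, digest) pairs, current one included
        self.changed_at = None  # time of the last successful change, in seconds

    def _matches(self, password, entry):
        # Each stored entry has its own salt, so the candidate is re-hashed per entry.
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def set_password(self, new, now=None):
        """Apply the policy; return a list of problems (empty list means accepted)."""
        now = time.time() if now is None else now
        problems = complexity_problems(new)
        if any(self._matches(new, entry) for entry in self.history):
            problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
        if problems:
            return problems
        salt = os.urandom(16)
        self.history = [(salt, _digest(new, salt))] + self.history[:HISTORY_DEPTH - 1]
        self.changed_at = now
        return []

    def verify(self, candidate):
        """Check a logon attempt against the current (newest) entry only."""
        return bool(self.history) and self._matches(candidate, self.history[0])

    def expired(self, now=None):
        """True when no password is set or the current one is older than 30 days."""
        now = time.time() if now is None else now
        return self.changed_at is None or now - self.changed_at > MAX_AGE_DAYS * 86400
```
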


Expansion of network in future


In case of business expansion, the current network is designed in a way that can handle expansion easily and add more departments. For example, if the company decides to open other departments within the network, they can add more Organisational Units to the Active Directory (AD), which could also be named after the department. They can also add more groups and users to the AD and assign access rights. If more people were to be added to the network, more switches or hubs could also be added to the network to expand it in size. However, the network is set up in a way that makes the job easier for the administrators to manage the network. If the network were to get very big and difficult to manage in the future, VLANs could also be added to divide the network into smaller parts so that it becomes easier for the administrator to manage it and carry out maintenance work. To satisfy the requirements of the members of the travelling sales team, I have recommended using the VPN (Virtual Private Network), which is a secure way of connecting to the network and accessing all the shared resources whilst travelling around. They are also able to access the software which is required in order for them to do their work.

Justification
As West Products required the sales team to have access to the resources shared on the network, I have recommended that they use a VPN connection, which will allow them to access the resources shared on the network; the Universal Mobile Telecommunications System (UMTS) method will also be used to enable the mobile users to connect to the network and utilize the shared resources on the network. As West Products is a medium-sized business, I have recommended ADSL internet connections, which will provide a bandwidth link of 8Mbps for the three branches. However, I have also recommended that the head office has an extra 1Mbps SDSL link, which will be used to help maintain the server link in case the Asymmetric Digital Subscriber Line (ADSL) fails or is overloaded. My recommendation for the users' access rights is that I will be giving access to groups according to their needs and responsibilities, in order for them to carry on with their day to day tasks. To make sure that the network is up and running, I have recommended that a backup server should be used in case something goes wrong. This way the backup server can be used to restore data and get back in business. In addition, I have also recommended that the company implements some security policies in order to prevent attacks from unauthorised access to the network.

Adrijon Zaci

Page 15

NETWORK Environment Management

Network Security
File sharing
File sharing will allow you to set restrictions on access and changes to files. There are two types of file sharing, FAT and NTFS; most small to medium companies now use NTFS. File synchronization is the process of making sure that files in two or more locations are updated through certain rules. In one-way synchronization, updated files are copied only from a 'source' location to a 'target' location, but no files are copied back to the source location; in two-way synchronization, updated files are copied in both directions, usually with the purpose of keeping the two locations identical to each other. Accessed at: http://windows.microsoft.com/en-us/windows7/File-sharing-essentials

File and folder management
Files of data can be grouped in a directory for easy access and have passwords to protect each file. A directory can contain different sub directories and sub folders. Administrators can set up Offline Files with the Synchronization Manager. Administrators can also use the Synchronization Manager to control what files and Web pages are synchronized when any network connection becomes available. Accessed at: http://windows.microsoft.com/en-us/windows7/File-sharing-essentials

Security settings
Physical security: Physical security can range from security guards monitoring doors to video surveillance day or night. Physical security can also be the introduction of locks that secure systems, devices and rooms; these can use keys or cards to enter certain areas. These will be restricted to certain users; if for any reason a key or card is lost, the best policy would be to change all keys and cards.
Data security: Data security will protect data from unauthorised users. Data security would be via access rights and passwords to certain files. Data security also covers the up to date firewall and security patches on all programs.

Firewalls
Hardware firewalls are found on routers and they will inspect data and deny or allow data to pass through the system. Software firewalls can be installed on users' individual systems. Accessed at: http://searchsecurity.techtarget.com/definition/firewall

Passwords
Passwords are used to protect your data from unwanted access, but these should not be stored in plain text on the system; they should be encrypted to restrict access. There is software on the market that can encrypt passwords so that any hacker would first have to decode the passwords from the system before being able to have access to them.

Encryption
Encryption is very important when sending classified data over a wireless network, because data can be intercepted. This can be done by different methods; most will use a type of code/key, but both systems would have to be using the same code/key to be able to access the data. Accessed at: http://www.ed.uiuc.edu/wp/privacy/encrypt.html

Enabling auditing
An audit of who accesses the account and how long they use that account should be kept and monitored by the administrator. This will help in preventing any security issues and will notify the administrator of anyone who has tried to access an account without permission. Accessed at: www.chrispeiris.com/articles/Article_2_Security_Auditing_1.doc

Logging and auditing
Logging and auditing should be enabled. Administrators can monitor the network activity and check to see who has logged on, at what terminal and when. Administrators would be able to check what files they accessed, how long they were in the files for and how many changes were made to documents. Accessed at: www.chrispeiris.com/articles/Article_2_Security_Auditing_1.doc

Backups
Backups are important to a company. Up to date backups are important to companies in case the worst was to happen. There are several different types of backup to choose from; these should always be password protected and should be stored off site in a secure place. These should always be easy to retrieve so that data can be restored, if only to yesterday's settings or the last saved settings.

Conclusion
I can now conclude that undertaking this work has been very helpful, as I have learned the concepts of network design and security. I can now say confidently that I can design and identify the components needed for a network. I am very happy with my work as I have achieved most of the goals which the company required. Undertaking the process of report writing and analysing a computer network design helps me understand the user's requirements and enables me to build a system that is more reflective of the user's requirements and business rules. I conclude that the current network which I have recommended meets the overall requirements of the company. I have designed the network in a way that can expand in the future and is easy to manage.

Referencing
www.chrispeiris.com/articles/Article_2_Security_Auditing_1.doc
http://www.ed.uiuc.edu/wp/privacy/encrypt.html
http://searchsecurity.techtarget.com/definition/firewall
http://windows.microsoft.com/en-us/windows7/File-sharing-essentials
