Montalvo - Network Design Proposal All Parts PDF

Title Montalvo - Network Design Proposal All Parts
Author Monty Ashley
Course Network Design Foundations
Institution Western Governors University




Network Design Proposal


FUNDAMENTALS OF NETWORKING CMIT 265 7380 – Summer 2019

Ashley Montalvo


Network Design – Part 1

Network Topology

A. Technical Requirements

The University recently leased a new building in pursuit of more space and technology improvements for faculty and students. All junior network engineers have been asked to submit a proposal for the architecture of the networking equipment and technology in this newly leased building. The building will hold administrative offices, faculty offices, a library, technology labs and classrooms. A requirement was set to separate the network infrastructure of the administrative offices in order to protect personally identifiable information of students and financial records. A separate Local Area Network (LAN) will be set up for the new building and will connect to the campus Wide Area Network (WAN). Seamless transitioning between buildings and networks within the campus infrastructure is paramount, and the architecture will meet or exceed these requirements and expectations.

B. Proposed Topology

In the building, the best network topology is a star topology integrating both wireless and hard-line infrastructure. The hard-line (physical star) topology uses a centralized connecting device, usually a switch or server. The wireless network will use hard-wired wireless access points (WAPs) to send data back and forth to this central device. The star topology allows for multiple beneficial security features such as redundancy, ease of troubleshooting, room to expand the network infrastructure, and the connection to the campus WAN.

Figure 1. Example of proposed Star Topology [1]

A bus topology is not being proposed, despite being more cost-effective. The bus topology is technologically obsolete for large networks, and its infrastructure is prone to packet collisions and loss of data. The ring topology is also not being considered for this proposal, as the physical infrastructure being proposed is an Ethernet and wireless based LAN.


Cables and Connectors

C. Technical Requirements and Justifications

Unshielded Twisted Pair (UTP) Ethernet cabling with RJ45 connectors is the industry standard for LANs. It is recommended that Cat6a be used for personal devices and networked printers to provide gigabit speeds and some protection against electromagnetic interference (EMI). To further prevent EMI, routing cables carefully to avoid EMI sources is strongly recommended. In high-risk areas, shielded twisted pair (STP) can be used, although it is much more costly. For longer cable runs, such as connections between campus buildings and network infrastructure, Cat7 or fiber optic cabling can be used. Cat7 is the more economical choice and is very close to fiber optics in performance, in both the cabling and the supporting infrastructure. Fiber optic cabling will be used to connect the campus WAN Ethernet to the Internet Service Provider (ISP).

D. Proposed Cables and Connectors

- Monoprice Cat6A Ethernet Cable 1000ft, Black - $179.99 [3]
- CableCreation 100 pack Cat 6 RJ45 Plug with Hood Connector - $11.59 [4]
- Cat7 Shielded Ethernet RJ45 10 Gigabit, 200ft, Black - $49.95 [5]

Networking and Internetworking Hardware

E. Technical Requirements and Justifications

Switches: The Ubiquiti UniFi Switch 24 (250W) will be used for devices requiring Power over Ethernet (PoE), such as VoIP phones and WAPs on this network. For non-PoE switchport needs, the Ubiquiti UniFi Switch 24 port will be adequate. Switches are multi-port Layer 2 devices that connect multiple subnets on a single subnet and screen traffic by MAC address. Switches are important because, when properly configured, the device processing the network traffic provides guaranteed bandwidth with little or no collisions. The non-PoE 24 port switches will be placed in a network closet in the computer lab, each classroom and the library. In the admissions office, and wherever wireless access points will be connected, a PoE 24 port switch will be installed. Each classroom will support one server computer, a faculty PC and 23 student computers. The faculty and administrator computers will each be placed on their own separate subnets because of the need to protect sensitive course material and financial and personal information.

Routers: The LANs will use the Ubiquiti EdgeRouter Pro to connect to the WAN. The router requires an IP address that is valid on the network and a subnet mask that designates which part of the IP address identifies a computer and which part identifies the network. The router will be configured with an IP address, subnet mask and DNS server, all obtained from the ISP or campus WAN server, on a default static route used as the Internet interface. User devices on the LAN will be configured with the provided default gateway (the router IP address), subnet mask and DNS, all obtained from the router in the same manner.

Wireless Controller: In order to segment the network between wireless, student wired, faculty and administrator network access, the Ubiquiti UniFi Security Gateway Pro coupled with the UniFi Switches will be used in the networking closets in critical areas. [10] The gateway device, used with the built-in UniFi Controller software on the Application Server, provides real-time communication between all devices and monitors connections with detailed analytics and captive login capability, further ensuring network security. One device will be paired with a PoE switch in the server room of each building to connect the wireless access points.

F. Proposed Networking and Internetworking Devices

- Networking Devices:
  o Switches: 2 x UniFi Switch 24 (250W) - $399 [6]; 5 x UniFi Switch 24 Port - $215 [7]
  o Wireless Controller: 2 x UniFi Security Gateway Pro - $344 [10]
  o Wireless Access Points: 2 x UniFi AP 3-Pack - $199 [9]; 1 x UniFi AC Mesh AP 5-Pack - $480 [11]
- Inter-networking Devices:
  o Routers: Ubiquiti EdgeRouter Pro - $399 [13]
  o Servers: UniFi Application Server XG - $1999 [8]; Xeon-D 1521 4-Core, 8-Thread, 2.4GHz; 16GB DDR4; 120GB M.2 SATA SSD; (1) 8TB Hard Drive in a removable tray, user-upgradeable; (2) 10GBase-T 1G/10G RJ45 LAN Ports; 1GBase-T Dedicated IPMI Management Port; (2) USB 2.0 Ports on Front Panel; (2) USB 3.0 Ports on back panel; VGA Display
  o Firewall: Cisco ASA 5540 Series - $1999 [12]



Wide Area Network (WAN) Design

G. Technical Requirements and Justification

The Internet Service Provider (ISP) will be accessed through Ethernet WAN, which uses fiber optic cables to reach the LAN. Ethernet WAN reduces expenses and administration while enhancing productivity. The purpose of the Wide Area Network is to connect the LANs in a building or a small geographical area into one network. The ISP used for the University campus is Network Maryland, a statewide high-speed network for public sector use.

H. Proposed Wide Area Network (WAN) Design

Wi-Fi access will be available throughout the building for visitors, students and faculty by placing WAPs both inside and outside the building. The 802.11ac wireless networking standard will be used to provide these services; it operates at the 5 GHz frequency to increase bandwidth and transmission distance. The UniFi AP and UniFi AC Mesh AP WAPs will be used for this segment of the network: three UniFi APs will be installed per floor, and five outdoor UniFi AC Mesh APs on the outside of the building. SSIDs with captive login capability will be created, one for students and faculty to use their campus-wide accounts for seamless transitioning, and the other for visitors. The student and faculty SSID will be on one VLAN, whereas the visitor SSID will be on another. Separate VLANs will be created for faculty classroom PCs, student classroom PCs and administrative PCs. The PCs in the library and computer lab that are open to student access will also reside on the student PC VLAN. A wireless LAN subnet will be created on the network which allows for multiple wireless VLANs. As an added security measure, and to support seamless transitioning between all campus buildings, students and faculty can register all their devices with administration prior to use for whitelist access; otherwise the user will have to log in upon entering new WAP coverage. A stringent acceptable use policy will be created and enforced for all individuals accessing the campus network, including Wi-Fi.

Computer Systems Hardware

I. Proposed Computer Systems Hardware

Student Computers: Dell Optiplex 990 i5 - $310 [14]; includes 22-in monitor, keyboard, mouse, 16GB memory, Intel Core i5 processor, 2TB hard drive, Windows 10 Pro operating system, Microsoft Office 365 (per UMUC transition), and Windows Defender antivirus/spyware protection or the campus Host Based Security System.

Faculty Computers: Dell Optiplex 990 i5 - $310 [14]; includes 22-in monitor, keyboard, mouse, 16GB memory, Intel Core i5 processor, 2TB hard drive, Windows 10 Pro operating system, Microsoft Office 365 (per UMUC transition), and Windows Defender antivirus/spyware protection or the campus Host Based Security System.


Network Addressing and Security – Part 2

A. Subnetting

Technical Requirements

Figure 2. First Floor Blueprint.

Figure 3. Second Floor Blueprint.


Subnet Description                      Required Hosts
Classroom 1 (First Floor)               25 Computers
Classroom 2 (First Floor)               25 Computers
Classroom 4 (First Floor)               25 Computers
Classroom 1 (Second Floor)              25 Computers
Classroom 5 (Second Floor)              25 Computers
Office 5 – Admissions (Second Floor)    25 Computers
Student Computer Lab                    25 Computers
Library                                 15 Computers

Figure 4. IP Addresses Required.

Proposed Subnet

Location/Equipment        IP Address       Host Address Range    Broadcast Address
Server/VLAN               10.1.1.0/24
    DHCP                  10.1.1.6
    DNS                   10.1.1.7
    SMTP                  10.1.1.8
    FTP                   10.1.1.9
    Telnet                10.1.1.5
    Subnet Mask: 255.255.255.0
WiFi                      10.1.2.0/24      168.10.1.1-30         168.10.1.31
    Subnet Mask: 255.255.255.224
Administrative/Library    10.1.4.0/27      168.10.2.1-28         168.10.2.29
Classroom 1               10.1.4.30        168.10.2.30-58        168.10.2.59
Classroom 2               10.1.4.60        168.10.2.60-88        168.10.2.89
Classroom 3               10.1.4.90        168.10.2.90-118       168.10.2.119
Classroom 4               10.1.4.120       168.10.2.120-148      168.10.2.149
Classroom 5               10.1.4.150       168.10.2.150-178      168.10.2.179
Classroom 6               10.1.4.180       168.10.2.180-108      168.10.2.109

Figure 5. Proposed Subnet.
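As an added example that is not part of the proposal, the following Python script works the subnetting exercise behind Figures 4 and 5 in code: it sizes a subnet for each host count in Figure 4 (reserving one address for the default gateway), carves consecutive blocks out of the 10.1.4.0/24 base network that Figure 5 uses for the classroom subnets, and checks whether a proposed network address is actually aligned to its prefix length. The base network, the room names and the gateway reservation are assumptions drawn from the figures; the function names are the example's own, and the planner generalizes to any list of host counts.

```python
"""Subnet planning check for the host counts in Figure 4.

Added example, not part of the original proposal. Sizes a subnet per room,
allocates consecutive blocks out of a base network, and validates that a
proposed network address is aligned to its prefix.
"""
import ipaddress
import math

# Host counts from Figure 4 (room -> required hosts)
REQUIRED_HOSTS = {
    "Classroom 1 (First Floor)": 25,
    "Classroom 2 (First Floor)": 25,
    "Classroom 4 (First Floor)": 25,
    "Classroom 1 (Second Floor)": 25,
    "Classroom 5 (Second Floor)": 25,
    "Office 5 - Admissions (Second Floor)": 25,
    "Student Computer Lab": 25,
    "Library": 15,
}


def prefix_for_hosts(hosts, reserve=1):
    """Smallest IPv4 prefix length whose usable addresses cover `hosts`
    plus `reserve` extra addresses (assumed: one gateway per subnet)."""
    needed = hosts + reserve + 2          # +2 for network and broadcast
    bits = math.ceil(math.log2(needed))   # host bits required
    return 32 - bits


def plan_subnets(base, rooms):
    """Allocate consecutive, correctly aligned subnets out of `base` in the
    order given. Returns a list of
    (room, network, first_host, last_host, broadcast) tuples as strings.
    Raises ValueError when `base` cannot hold all rooms."""
    base_net = ipaddress.ip_network(base)
    cursor = int(base_net.network_address)
    plan = []
    for room, hosts in rooms.items():
        plen = prefix_for_hosts(hosts)
        size = 2 ** (32 - plen)
        # round the cursor up to the next multiple of the block size so the
        # network address is aligned (a misaligned address is not a subnet)
        cursor = (cursor + size - 1) // size * size
        net = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{plen}")
        if not net.subnet_of(base_net):
            raise ValueError(f"{base} exhausted before {room}")
        usable = list(net.hosts())
        plan.append((room, str(net), str(usable[0]), str(usable[-1]),
                     str(net.broadcast_address)))
        cursor += size
    return plan


def is_aligned(address, prefixlen):
    """True when `address` is a valid network address for `prefixlen`,
    i.e. no host bits are set (strict=True rejects e.g. 10.1.4.30/27)."""
    try:
        ipaddress.ip_network(f"{address}/{prefixlen}", strict=True)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for row in plan_subnets("10.1.4.0/24", REQUIRED_HOSTS):
        print("{:38} {:15} hosts {}-{} bcast {}".format(*row))
    for candidate in ("10.1.4.0", "10.1.4.30", "10.1.4.32"):
        print(candidate, "/27 aligned:", is_aligned(candidate, 27))
```

Running the planner shows that eight /27 blocks fill 10.1.4.0/24 exactly, and the alignment check is the one to run against every proposed network address before it is typed into a router or DHCP scope.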

B. Firewall Implementation

Technical Requirements and Justification

A firewall is a networked device that enforces policies to secure a network from malicious traffic. It applies rule sets that allow certain Internet activity to pass under normal conditions, and it can detect signatures of attempted hacking, viruses and other unwanted traffic. The device protects the network before any packets even reach their destination. There are two different types of firewalls: a host-based firewall, which is located on a server, and a network-based firewall, which is a piece of hardware separate from the network itself. A network-based appliance is recommended for the new building's network to provide an enhanced network security option. The proposed device is the Cisco Adaptive Security Appliance (ASA) 5540 series firewall. This device is an identity-based network firewall that allows individual users or created groups to access the network under their policy set. The ability to define rules for groups improves network security and allows administrators to better control network management.

Proposed Firewall Implementation

Cisco ASA 5540 Series - $1999 [12]

C. Intrusion Detection System / Intrusion Prevention System

Technical Requirements and Justification

With the proposed firewall option, an onboard software version of an Intrusion Prevention System (IPS) is included. This is preferable to an Intrusion Detection System (IDS), as a preventative system is preferred over a detection-only system. The built-in IPS option is also cost effective and can help stop viruses, hackers, worms and other unwanted network traffic before the packets pass through to the network behind the firewall.

Proposed Intrusion Detection System / Intrusion Prevention System

Cisco ASA 5540 Series - $1999 [12]

D. DMZ Implementation

Technical Requirements and Justification

Like the proposed IPS option, the Cisco ASA device also allows for the creation of a De-Militarized Zone (DMZ). The onboard software and networking capabilities of the device allow a DMZ to be created, further improving network security.

Proposed DMZ Implementation

Cisco ASA 5540 Series - $1999 [12]

E. Physical Security Measures

Technical Requirements and Justification

Access to the building will be limited to professors, students and active employees assigned to the new building. Visitors will be limited to public areas such as a hallway, the lobby or the library. Rooms not actively in use (classrooms, offices, computer lab) will be locked. An attendant will be positioned in all public areas: campus security by the entrance, security on the second floor between the stairs, and a library/lab attendant. Computers will be chained in place. Networking closets will be secured with a cipher or badge lock, accessible only by the appropriate network administrators. The entire building, including the outside, will have security cameras. All files will be secured, and Personally Identifiable Information (PII) will be disposed of appropriately. These policies will be administered and enforced by an Information Assurance Manager on the Information Technology staff.

F. Additional Network Security Measures

Technical Requirements and Justification

Each network is segmented via an individual VPN and will also have separate servers on the network. This provides separation of critical information networks from potential malicious traffic. Each device will be required by group policy to have the campus Host Based Security Software installed and monitored by Information Technology Services. This allows for network-wide security scanning from a central location to ensure secure networks throughout the campus. Username and password logons will be required for all networked devices, with an Active Directory based account authentication system. This allows account access to computers to be separated via Organizational Units. Only administration personnel authorized for PII and sensitive financial information will be able to access devices, files and folders containing this information, and so forth for each user type and access level needed.
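The isolation requirement for the administrative network (Part 2, sections B, D and F) is something that can be checked as a rule set before it is deployed rather than discovered after the fact. The following Python example is added here; it is not the proposal's own configuration and not a feature of the Cisco ASA. The zone names, rules and ports are assumptions chosen to mirror the stated goals: the administrative VLAN accepts no inbound connections from other zones, visitor Wi-Fi reaches only the Internet, DHCP and DNS live in a shared server VLAN, and only HTTPS reaches the DMZ from outside. Rules are evaluated first-match with an implicit final deny, and a probe reports any non-administrative zone that the policy would let into the administrative VLAN, contrasting a correctly ordered rule set with one where a broad allow was placed first.

```python
"""Zone-policy check for the VLAN segmentation described in Part 2.

Added example, not the proposal's own configuration. Zones, rules and
probed ports are assumptions that mirror the proposal's stated goals.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst proto dport")
ANY = "*"

# Assumed zone names for the VLANs and segments named in the proposal
ZONES = ["ADMIN", "FACULTY", "STUDENT", "VISITOR_WIFI", "SERVERS", "DMZ", "INTERNET"]


def matches(rule, src, dst, proto, dport):
    """A rule matches when every field is either a wildcard or equal."""
    return all((
        rule.src in (ANY, src),
        rule.dst in (ANY, dst),
        rule.proto in (ANY, proto),
        rule.dport in (ANY, dport),
    ))


def evaluate(policy, src, dst, proto, dport):
    """Return 'allow' or 'deny' for one flow. The first matching rule wins;
    a flow that matches nothing falls through to an implicit deny."""
    for rule in policy:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


def admin_isolation_violations(policy, services=(("udp", 53), ("udp", 67),
                                                 ("tcp", 445), ("tcp", 3389))):
    """List (src_zone, proto, port) flows into ADMIN from any other zone that
    the policy would allow. Empty means the isolation requirement holds for
    the probed services (assumed sample: DNS, DHCP, SMB, RDP)."""
    violations = []
    for src in ZONES:
        if src == "ADMIN":
            continue
        for proto, port in services:
            if evaluate(policy, src, "ADMIN", proto, port) == "allow":
                violations.append((src, proto, port))
    return violations


# Assumed policy in the intended order: shared services first, then the
# admin zone's own access, then the deny that shields it, then the rest.
GOOD_POLICY = [
    Rule("allow", ANY, "SERVERS", "udp", 53),          # DNS for every zone
    Rule("allow", ANY, "SERVERS", "udp", 67),          # DHCP for every zone
    Rule("allow", "ADMIN", ANY, ANY, ANY),             # admin reaches servers, NAS, Internet
    Rule("deny", ANY, "ADMIN", ANY, ANY),              # nothing initiates into the admin VLAN
    Rule("allow", "FACULTY", "SERVERS", "tcp", 445),   # faculty file shares
    Rule("allow", "FACULTY", "INTERNET", ANY, ANY),
    Rule("allow", "STUDENT", "INTERNET", ANY, ANY),
    Rule("allow", "VISITOR_WIFI", "INTERNET", ANY, ANY),
    Rule("allow", "INTERNET", "DMZ", "tcp", 443),      # public web service only
]

# The same rules with one broad allow inserted at the top: an ordering bug
# that silently defeats the admin deny for the student zone.
BAD_POLICY = [Rule("allow", "STUDENT", ANY, ANY, ANY)] + GOOD_POLICY


if __name__ == "__main__":
    print("good policy violations:", admin_isolation_violations(GOOD_POLICY))
    print("bad policy violations: ", admin_isolation_violations(BAD_POLICY))
```

Real firewalls apply the same first-match semantics, so a broad allow above the administrative deny passes review by eye while breaking the requirement; the probe is cheap enough to rerun on every rule change.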


Network Customization and Optimization – Part 3

A. Network and Cloud Based Storage

Technical Requirements and Justification

The new building will be equipped with a network attached storage (NAS) device integrated into the network to allow supplemental storage of files and a more fluid transition between devices anywhere on the WAN. It will be installed in the server room and networked via its onboard physical switch. As elsewhere on the network, this device will be segmented onto the VLANs for the administration and professors to allow for their exclusive use and to prevent unwanted access to sensitive files. A private cloud will be implemented for the students and faculty at UMUC. The goal of this cloud is to let users easily provision and use available resources throughout the campus and elsewhere, creating a learning system that holds learning resources for both students and professors. Individual courses can be created, and assignments, discussions and other classroom support for both in-person and distance learning can be exchanged in this medium. Although this proposal is for a new building, it is imperative that this solution be used throughout the University campus and beyond.

Proposed Network and Cloud Based Storage

- Netapp DS2246 24x 900GB NAS - $3151.27 [15]
- Amazon Cloud Services - ~$1000/month (based upon need and an individual quotation of the services required; Platform as a Service (PaaS) would be sought) [16]

B. Data Protection and Backup

Technical Requirements and Justification

In order to provide protection from critical data loss, data protection will be implemented. This process protects data from disasters, corruption, compromise and poor backup procedures.
Individual devices will have antivirus protection and regular group policy updates to ensure that the images on the computers are up to date with the latest patches for the installed software and operating systems. The firewall and other network-based security will work together to prevent data loss from a virus or other malicious occurrences. The campus will implement an offsite backup solution for all critical network infrastructure data. With these offsite backups, data protection will be ensured via regular recovery checks of the network image: a member of the campus IT department will verify that the backups being stored actually match the network configuration and the data stored on the NAS.

Proposed Data Protection and Backup

Amazon Glacier - $.004/GB/month [17]

C. Network Monitoring

Technical Requirements and Justification

For the new building, network monitoring will be implemented using both active monitoring by IT personnel and software services. This allows constant monitoring for failures, outages, security violations or service degradation. LogicMonitor [18] will be employed to monitor network PoE ports and their loads; wireless access points and the metrics of their interfaces; devices on the network, their interfaces, fan speeds, temperatures and hardware; and everything else critical to monitoring and establishing baseline metrics, to ensure nothing out of the ordinary is occurring on the network and, if it is, to find and resolve the issue quickly. Another tool used for network monitoring will be SolarWinds NetFlow Traffic Analyzer. This software monitors network traffic and provides features such as bandwidth monitoring, application traffic alerting, network traffic analysis, Quality of Service optimization, malicious/malformed traffic flow identification and WLC traffic monitoring. This gives network administrators the ability to view packet traffic in reports that are easier to analyze and understand. [19]

Proposed Network Monitoring

- LogicMonitor Network Monitoring - $7/device/month [18]
- SolarWinds NetFlow Traffic Analyzer - $1945/year [19]

D. Log Storage and Management

Technical Requirements and Justification

The network will use a central log storage and management solution to give network administrators the opportunity to go back and analyze logs and provide a snapshot of events that have occurred on all devices. SolarWinds Security Event Manager [20] will be used as the central logging system for this network. It will be installed on the server and is used to quickly specify and automatically send events from workstations and servers to a logging database. [20] This tool can also be used to search logs for...
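As an added example (not part of the proposal and not SolarWinds Security Event Manager functionality), the following Python script shows the kind of processing a central log collector performs on events forwarded from switches, access points and servers: it parses syslog-style lines, counts events per reporting device for the snapshot described above, keeps a count of lines it could not parse so gaps in collection stay visible, and flags sources that repeatedly fail authentication against the same host within a short window. The log lines are constructed for this example, and the hostnames, program names and line format are assumptions.

```python
"""Central log triage for the logging design in Part 3, section D.

Added example, not part of the proposal. Parses syslog-style lines,
builds a per-device event snapshot, and flags repeated logon failures.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed collector line format: ISO timestamp, reporting host, program, message
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w\-]+): (?P<msg>.*)$")
AUTH_FAIL_RE = re.compile(
    r"authentication failed for user (?P<user>\S+) from (?P<src>[\d.]+)")

# Constructed sample lines for this example (not real captures)
SAMPLE_LOG = """\
2019-07-01T08:00:01 sw-classroom1 switchd: port eth5 link up
2019-07-01T08:00:05 srv-ad01 sshd: authentication failed for user admin from 10.1.4.40
2019-07-01T08:00:07 srv-ad01 sshd: authentication failed for user admin from 10.1.4.40
2019-07-01T08:00:09 srv-ad01 sshd: authentication failed for user admin from 10.1.4.40
2019-07-01T08:00:12 srv-ad01 sshd: authentication failed for user root from 10.1.4.40
2019-07-01T08:01:00 ap-floor2-3 hostapd: station associated on SSID campus
2019-07-01T08:02:30 srv-ad01 sshd: authentication failed for user jsmith from 10.1.2.15
2019-07-01T08:40:00 srv-ad01 sshd: authentication failed for user jsmith from 10.1.2.15
2019-07-01T08:45:00 sw-lab noise line without a program field
"""


def parse_lines(text):
    """Return (events, unparsed_count). Each event is a dict with keys
    ts (datetime), host, prog and msg. Lines that do not fit the format
    are counted rather than dropped silently."""
    events, unparsed = [], 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, unparsed


def events_per_host(events):
    """Snapshot of how many events each device reported (a Counter)."""
    return Counter(ev["host"] for ev in events)


def repeated_auth_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Return {(host, source_ip): peak_count} for sources with at least
    `threshold` failed logons against the same host inside `window`.
    Two failures spread across half an hour do not trigger it."""
    buckets = defaultdict(list)
    for ev in events:
        m = AUTH_FAIL_RE.search(ev["msg"])
        if m:
            buckets[(ev["host"], m.group("src"))].append(ev["ts"])
    hits = {}
    for key, stamps in buckets.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):           # sliding window over sorted times
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


if __name__ == "__main__":
    evs, bad = parse_lines(SAMPLE_LOG)
    print("events per host:", dict(events_per_host(evs)), "unparsed:", bad)
    print("repeated auth failures:", repeated_auth_failures(evs))
```

The unparsed counter is the part most often left out of home-grown collectors: a forwarder that changes its line format stops producing events without producing an error, and the count is what makes that visible during the baseline reviews the monitoring section describes.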

