
Exam Assignment Systeembeheer (System Administration)

Frederik Geutjens, 3TX5
August 15, 2015

Contents
1 Introduction
2 Talking Points
2.1 General Network Infrastructure
2.1.1 Proposed Solution
2.2 Acquisitions
2.2.1 Proposed Solution
2.3 Training Room
2.3.1 Proposed Solution
2.4 Per-floor Separation
2.4.1 Proposed Solution
2.5 Mobile Employees
2.5.1 Proposed Solution
2.6 Email and Electronic Agenda
2.6.1 Proposed Solution
2.7 VoIP
2.7.1 Proposed Solution
2.8 Restriction of Internet Usage
2.8.1 Proposed Solution
2.9 Protecting Confidential Data
2.9.1 Proposed Solution
2.10 Helpdesk
2.10.1 Proposed Solution
2.11 Centralization and Virtualization
2.11.1 Proposed Solution
2.12 Website
2.12.1 Proposed Solution
2.13 ISDN Lines
2.13.1 Proposed Solution
2.14 Restriction of Software Installation
2.14.1 Proposed Solution
2.15 Server Access and Monitoring
2.15.1 Proposed Solution
2.16 Backups
2.16.1 Proposed Solution


1 Introduction

When planning the development of the ICT infrastructure of a multinational company you're asked for advice. The Belgian multinational Stark Industries has 7 branches, with offices in Milan, Madrid, München, Edinburgh, San Francisco and Tokyo. The headquarters are in Brussels. A thousand employees are working in Brussels, while the other branches each employ about one hundred staff members. This advisory must contain both technical aspects of the required hardware and software and also possible policy aspects. From conversations with those involved the following points emerged:

2 Talking Points

2.1 General Network Infrastructure

Stark Industries has approximately 1500 employees. Three quarters of the staff are spread over the different branches and use desktop computers, so they are able to print and access file servers. The remaining fourth of the staff is mobile and uses a company laptop. Occasionally staff members work at their office, thus the internal network must also be made accessible wirelessly. However these features are not intended for any visitors; for them only wireless Internet access is provided. Connecting non-company hardware to the wired network should be made impossible. It should not be possible to access the internal network or the Internet anonymously. Proper user authentication and accounting is required.

2.1.1 Proposed Solution

Since a large part of the staff will be working in-house in Brussels, a robust network setup there will be required. I would propose an internal network setup with two trunked core routers (for redundancy) connected through an internal firewall to the Demilitarized Zone (DMZ), containing services such as a web server and file server. The DMZ in turn is connected to the Internet through another, external firewall. The core routers will be connected to access switches, at least one per floor of the building, but more if needed. The wired workstations will then be connected to these access switches. A wireless controller should also be set up, connected to a switch where the wireless access points will be connected to, possibly using the "AP-on-a-stick" method. Multiple SSIDs will be set up within the network to ensure security between the open visitor network and the secured employee network, which can use WPA2 authentication. Careful placement of the wireless access points is recommended to ensure optimal coverage of the site. For this, careful planning is necessary and surveys should be conducted. The guest users should be required to obtain a temporary user/password login to access the open visitor network. Active Directory can be used for user authentication and accounting. AD can be integrated with 802.1X to provide security on the internal network, to prevent the connection of non-company hardware to the network. For added security, a policy could be enforced which allows only company-approved devices such as company laptops on the employee wireless network. In other words, this would prevent unknown hardware from accessing the network. All the hardware for the internal network should be heavily secured in a room only accessible to relevant IT staffers. See Figure 1: Proposed network topology. This topology could be scaled down and applied to the internal networks of the international branches. It can be modified as needed. For example, these branches probably won't need their own web servers, but they will need a VPN setup. Site-to-site VPN connections can be configured on the firewalls to provide connectivity between HQ and branch offices.

Figure 1: Proposed network topology

2.2 Acquisitions

Several acquisitions are planned. One of the first steps after an acquisition is interconnecting company networks to provide access to resources like file servers and intranet websites. Staff members should be able to read their email and access their files and folders in a secure way. Since most of them deal with confidential information it should be prevented that outsiders can 'read along'. It should not be possible to spoof an email address, to prevent maliciously sending email on behalf of someone else.

2.2.1 Proposed Solution

As said before, we will be using site-to-site VPN to provide connectivity between branches to company resources like file servers and intranet websites. Both network/DNS and application coupling need to be addressed. Interconnection at the network layer is fairly simple and straightforward, however the different DNS domains could cause problems. As for the DNS domains, we will assume the company acquires a zone such as "starkindustries.be", for example. Now we should set up a DNS server that has a nameserver record (an NS record with its A record) and different CNAME records (subdomains) for each required application, such as:
• www
• files
• webmail
• etc.
When an acquisition occurs, their zones will have to be merged into our existing ones. This also allows building a trust relationship between Active Directory domains/forests. To provide mobile employees access to these services, a single application platform should be used which can be accessed through a browser client (using Citrix for example, but other, cheaper options are also viable). As for authentication, I would suggest one of two options. Either we use a standard login system to the application platform, which would be cheaper but less secure, or we provide employee devices with certificates for authentication, which might be more expensive but is also more secure. Considering we are also using Active Directory, LDAP authentication based on the AD user identity would possibly be an even better solution.

2.3 Training Room

The company headquarters in Brussels has a well-equipped training room which is used both for internal training, for staff members as well as for external individuals. Fifteen computers with Internet access are available, and a rack full of Cisco gear. Internet access should be regulated so it can't be monopolized by a single person. More and more customers want to save on relocation expenses and choose the courses to be held in their own premises. A simple solution should be sought which provides access to training materials from an external location. It is your task to prepare this thoroughly.

2.3.1 Proposed Solution

First of all, it might be feasible to provide such a room with its own separate Internet connection for training purposes. However, seeing as this access still needs to be regulated, a router with QoS support should be chosen so we can enforce fair usage of this connection for all users involved.

On such a device, separate queues can be set up to allow for more traffic usage for certain training-specific applications. In a networking sense, it is secluded from the internal network and thus it remains secure. In a physical sense, the room should be set up in such a way that each user can privately use their own terminal. For this purpose each terminal should be enclosed as much as possible to prevent possible external individuals from 'reading along'. A stock of required training materials would have to be made available and configured if needed by the Stark IT staff, since I would imagine it is likely that a training device such as a router or laptop would need to be used for many different training purposes. For users who wish to take training in their own premises, online training courses should be made available. A good example of such a course would be the Cisco CCNA on-line courses.

2.4 Per-floor Separation

All network connections come together on each floor in a data room. These data rooms are connected to a central server room in the basement.

2.4.1 Proposed Solution

The network infrastructure for such a setup is already present in the topology presented in the first talking point. The core routers, wireless controller, servers and firewalls can be housed in the server room in the basement. The data rooms will then contain the switches needed for each floor.

2.5 Mobile Employees

Mobile employees need external access to files on company servers. Secure remote access is necessary. However this should not compromise the security of the internal systems.

2.5.1 Proposed Solution

Again, VPN connections are the way to go, using the Mobile User VPN combined with IPsec and a user-friendly web interface. The file server located in the DMZ should be used to exchange files between employees, by policy if necessary. Because this file server is located in the DMZ, we can provide access to company files from anywhere in a secure fashion.

2.6 Email and Electronic Agenda

All employees should receive a company email address and an electronic agenda. Both should be accessible from any location at all times.

2.6.1 Proposed Solution

An enterprise mail server should be set up. Many solutions for this exist, some more expensive than others. One of the most used but also more expensive options is Microsoft Exchange. Alternatively, open source software such as Postfix could be used. Employee devices can then be configured with Microsoft Outlook, with which they could access their email anywhere, any time. An SPF record should also be set up to prevent mail address spoofing. Using this method would allow only the hosts specified in A records to use our domain for email. Email encryption solutions (e.g. Cisco IronPort) can be used to ensure information integrity for the mailing system.

2.7 VoIP

There are frequent meetings between staff members of different sites. To save costs the company wants to switch to IP telephony and video conferencing. The company IT specialists warn that security and quality of service might become an issue when moving towards a VoIP solution. They need some advice on how to best deal with them. All suggestions are welcome.

2.7.1 Proposed Solution

Depending on the strength of the internal network, it could be possible to merge the VoIP network into the existing data network. However, certain things need to be taken into account, such as whether the network has enough bandwidth and whether the firewalls used can allow for VoIP traffic. VoIP needs a very stable connection to work properly. To provide adequate quality of service, there can be virtually no latency or packet loss on the connection used. As such, it might be necessary to upgrade to an infrastructure that allows for more bandwidth, with all costs involved. To provide a secure VoIP service to employees, several things need to be taken into account. Calls can be intercepted, but usually only by someone with access to the physical network, so the physical security measures stipulated in earlier talking points should suffice. VoIP can also fall victim to theft of service. This can be prevented by employing the authentication features of VoIP protocols and by encryption.

2.8 Restriction of Internet Usage

The management wants employees to keep focus on their work and not be able to use the Internet freely, but only for work-related purposes. On the other hand they do not want to act too strict.

2.8.1 Proposed Solution

I would suggest setting up a proxy server between the company network and the Internet which forwards traffic. By using filters on this proxy server, web traffic can be monitored (in large quantities, in accordance with privacy laws) and regulated so certain unwanted websites (social media, streaming services, pornography, etc.) are not available to employees within the company network. An added benefit of using a proxy server is caching, which allows often-visited websites to be cached in case they need to be accessed again. This speeds up web traffic for the employees a considerable amount. Advanced products such as Microsoft's Internet Security and Acceleration Server (ISA) are also available, but of course come at a price.

2.9 Protecting Confidential Data

The IT staff are worried about the leaking of confidential data when company laptops or smartphones are lost or stolen. USB storage devices and the like are not trusted. They want to take measures to prevent losing equipment and mitigate the impact when it does happen.

2.9.1 Proposed Solution

Securing data against someone who has physical access to a device is very difficult, but some measures can still be taken. Obviously, standard logins to the machines help somewhat, but can sometimes still be circumvented. I would suggest adding a clause to the company regulations which states that employees are not allowed to use their own USB storage devices, and that only company-issued storage devices are allowed.

In extreme cases, data encryption could also be used. A separate encrypted partition would be created (on a laptop for example) which is used for data storage only. However, this could possibly slow down performance on the machines that use it. A policy which states that employees should attempt to use company file servers for data storage as much as possible could also be an option. That way, the devices themselves would not contain as much confidential data.

2.10 Helpdesk

A helpdesk is provided for the staff, but the management wants to add support for all offices from the main location in Brussels. This means that helpdesk staff should be able to take over company computers remotely. This process should be simple and straightforward, both for the helpdesk and the staff member needing assistance. Secondly, the IT staff should be able to diagnose and solve system and network problems remotely. Employees working at the helpdesk are allowed to work at home 2 days a week. Therefore the above should also be possible from their home location. And of course all with security in mind.

2.10.1 Proposed Solution

To facilitate remote access, helpdesk staff can use the built-in Windows Remote Assistance features. Within the internal company network, this would be fairly straightforward as the helpdesk employee would only need to ask the name of the machine the other person is working on. These names could be printed on a sticker and pasted on the machines themselves, so the employee needing assistance can tell the helpdesk staffer their machine name. If the helpdesk staffer is working from home, he should first make a VPN connection to the company network, and go from there as described before. To solve network problems remotely, a remote network monitoring software package should be installed, such as Nagios. This, in combination with systems to remotely provide access to the network such as TACACS or RADIUS, can allow helpdesk staff to achieve this goal.

2.11 Centralization and Virtualization

They also want to centralize their IT infrastructure as much as possible in Brussels, but without any reduced performance or reliability for the smaller offices. It's up to you to determine which equipment is eligible for centralization. In addition one also thinks about consolidating the servers. The main reasons for the above are simplified administration, reduced power consumption and raising the company image concerning green IT. Obviously one does not want to lose on performance. Propose a suitable virtualization solution and determine which servers can be virtualized and which should remain physical. Other environment-related suggestions are welcome.

2.11.1 Proposed Solution

The proposed network topology already allows for a lot of centralization in Brussels. All the servers, such as the file, web and mail servers, can be kept there. It is also possible to provide branch offices with only thin clients and a mobile user VPN setup on the firewall; all the other equipment can be kept in Brussels. Virtualization is definitely possible for most of the servers. They could be consolidated on one server running different virtual machines for different purposes. The file server I wouldn't recommend virtualizing however, since it requires large amounts of storage space, which is best kept physical to ensure smooth operation.

2.12 Website

Stark Industries attaches great importance to its website because this represents the company on the Internet. Moreover a significant part of the sales runs through this website, and availability and reliability should be guaranteed at all times. Unfortunately there are often problems due to high load on the web server and database. The IT staff wonders if a second web server can be set up with some form of load balancing between them. To minimize the impact of network problems at one location they believe it is best to place the second website at another site.

2.12.1 Proposed Solution

While a second server in another branch might seem contradictory to the centralization proposed earlier, I would suggest using two redundant load balancers placed in the core network in Brussels, one active and a backup in case the primary fails, and a second one placed in either San Francisco or Tokyo (to ensure maximum proximity to potential users of the web site). These would then communicate with the web server in Brussels. By using geographic load balancing, the decision on where a request from a user should go can be made on the country he lives in (which can be determined by the user's IP address). This isn't foolproof however, since the user's IP address might be coming from a proxy for example, in which case he would appear to be located in a different country than he actually resides in. A feature could be added to the website which asks the user to indicate on a map which continent (Europe West, Europe East, America, Asia, etc.) he or she resides in.

2.13 ISDN Lines

Currently all branches are connected with headquarters by a number of ISDN lines. Given the high cost and limited bandwidth they want to upgrade these links to better and possibly cheaper alternatives, while not compromising on the safety and reliability of the interconnections.

2.13.1 Proposed Solution

While ISDN lines are an option for long distance connections, they provide relatively low bandwidth. Once again, by using VPN services, physical lines between branches are not necessary, and they are relatively cheap to employ and maintain. Alternatively, it is possible, although quite expensive, to replace the ISDN lines with fibre optic lines. These provide much more bandwidth.

2.14 Restriction of Software Installation

Users cannot install their own software on company computers. Installed software must be kept up-to-date on servers and all client computers. This cumbersome process must be as easy and straightforward as possible. The IT staff wants to spend as little time as possible on the management of computers and software installation.

2.14.1 Proposed Solution

Users can be prevented from installing software on computers by adjusting their rights accordingly in Active Directory. To keep software up-to-date, I would suggest setting up a systems management server such as Microsoft SCCM or Dell KACE. Software packaging specialists will be needed to provide customized silent installers for specific software, either from the IT staff at Stark or external consultants. Software can then be installed and updated with almost no interference in the user's work. While all of this can be quite costly, it can provide a great reduction in costs and in the work needed to maintain software without it.

2.15 Server Access and Monitoring

Most servers should only be accessible from the inside. The only exceptions are the mail and web servers. Traffic between servers should be monitored strictly. Everything should be set up with security in mind.

2.15.1 Proposed Solution

Servers that should be accessible from the outside should be placed in the DMZ, that is to say, between the internal and external firewalls. In our case, the file server should be placed in the DMZ, because it would be nice to have it accessible to employees outside of the internal network, and in the DMZ it is separated from the internal network thanks to the internal firewall. If preferable, we can always set up a second file server within the internal network as well. For monitoring, an Intrusion Detection System (IDS) or even an IPS (Intrusion Prevention System) can be set up to allow system administrators to keep tabs on traffic going in and out of company servers. This can be especially useful for security as it allows for detection of possible hacking attempts or virus traffic. Most commercial IDS/IPS products are expensive however, but open source options are also available, such as Snort & BASE.

2.16 Backups

Obviously backups of all data should be taken at regular intervals. The company also needs tested disaster recovery procedures which allow e.g. easy bare-metal recovery of a crashed server.

2.16.1 Proposed Solution

Several options for backup strategies exist:
• A NAS (Network Attached Storage) could be set up in the internal network of HQ (and branch offices if desired) to which data can be written. To provide redundancy, a second (or more) NAS can be set up at one of the branch offices which is then synchronized with the primary one.
• Disaster-protected storage is also available, at a price. These devices can withstand disaster situations such as fire for a short while.
• Finally, online storage solutions can also be used. By uploading data to a third party or private cloud service, preferably at an off-site location, it is protected even more.
I would suggest a combination of these options, taking into account the available budget. For disaster recovery, in my opinion, one of the most used procedures is to take disk images of servers using a disk imaging application such as dd for Linux or wbadmin for Windows, which allows recovery of the affected system to a new physical device or virtual machine.
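As an added example for the server-access rule in 2.15.1 (not part of the original proposal): a check over constructed firewall log lines that flags connections the DMZ design does not permit, namely a DMZ host opening a connection into the internal network unless it is allow-listed (here the DMZ file server authenticating against Active Directory over LDAP/LDAPS), and any direct external-to-internal connection. The address ranges, host addresses, ports and log format are assumptions, and this is a deliberately simple stand-in for what an IDS such as Snort does with far richer rules.

```python
"""Spot connections that cross the DMZ boundary in a direction the design forbids.

Added example with constructed data, not part of the proposal. Assumed layout:
internal network 10.10.0.0/16 behind the internal firewall, DMZ 172.16.0.0/24
between the two firewalls, everything else external. Log lines, hosts and the
allow-list are made up for the illustration.
"""
import ipaddress
import re

INTERNAL = ipaddress.ip_network("10.10.0.0/16")   # assumed internal range
DMZ = ipaddress.ip_network("172.16.0.0/24")        # assumed DMZ range

# The only connections a DMZ host may open into the internal network in this
# illustration: the DMZ file server (172.16.0.20) authenticating users against the
# Active Directory server (10.10.0.10) over LDAP and LDAPS.
ALLOWED_DMZ_TO_INTERNAL = {
    ("172.16.0.20", "10.10.0.10", 389),
    ("172.16.0.20", "10.10.0.10", 636),
}

# Constructed firewall log excerpt in a netfilter-style key=value format.
SAMPLE_LOG = """\
Aug 15 10:01:02 fw1 kernel: NEW SRC=10.10.5.17 DST=172.16.0.20 PROTO=TCP DPT=445
Aug 15 10:01:05 fw1 kernel: NEW SRC=172.16.0.20 DST=10.10.0.10 PROTO=TCP DPT=636
Aug 15 10:02:11 fw1 kernel: NEW SRC=172.16.0.30 DST=10.10.5.17 PROTO=TCP DPT=445
Aug 15 10:02:40 fw1 kernel: NEW SRC=198.51.100.9 DST=172.16.0.30 PROTO=TCP DPT=443
Aug 15 10:03:01 fw1 kernel: NEW SRC=172.16.0.30 DST=10.10.0.10 PROTO=TCP DPT=3389
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def zone_of(ip):
    """Classify an address as internal, dmz or external."""
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "external"


def parse_line(line):
    """Extract (src, dst, proto, dpt) from a log line; None if it is not a flow record."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    return match["src"], match["dst"], match["proto"], int(match["dpt"])


def find_violations(log_text):
    """Return (src, dst, dpt) for each connection that breaks the DMZ rules:
    DMZ -> internal unless allow-listed, and external -> internal always."""
    violations = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        src, dst, _proto, dpt = flow
        direction = (zone_of(src), zone_of(dst))
        key = (src, dst, dpt)
        if direction == ("dmz", "internal") and key not in ALLOWED_DMZ_TO_INTERNAL:
            violations.append(key)
        elif direction == ("external", "internal"):
            violations.append(key)
    return violations


if __name__ == "__main__":
    for src, dst, dpt in find_violations(SAMPLE_LOG):
        print(f"ALERT: {src} -> {dst}:{dpt} crosses the DMZ boundary against policy")
```

In the sample, the web host in the DMZ reaching a workstation on SMB and the AD server on RDP are the two lines that get flagged; the file server's LDAPS lookup and the inbound HTTPS from the Internet to the DMZ are exactly what the topology is built to allow, so they pass silently.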