
MOR

Data Center and Network Infrastructure Consultancy Service

Project
Network and system infrastructures

Context Understanding and Requirement Analysis

Version: 1.2
By
Information Network Security Administration (INSA)

Cloud and Computing Division


July 2022
Document Management
Version control form

| Version | Revision date | Revised by | Remarks/Description | Document/asset classification level |
|---|---|---|---|---|
| 1.0 | | INSA | First version | Internal |
| 1.1 | | INSA | Second version | |
| 1.2 | | INSA | Third version | |

Approval form

Approved by Signature Date of approval


Acronyms

Abbreviation Definition
MoR Ministry of Revenue

INSA Information Network Security Administration


DC Data center
DR Disaster Recovery
WAN Wide Area Network
LAN Local Area Network
SIEM Security Information and Event Management
VPN Virtual Private Network
NAC Network Access Control
WAF Web Application Firewall
IT Information Technology
NDR Network Design Requirement
IR Infrastructure Requirement
SOC Security Operation Center
UC Unified Communication
HCI Hyper Converged Infrastructure
Executive Summary

The Ministry of Revenue (MoR) has requested a data center and disaster recovery center network infrastructure to run the institution's various applications and activities. MoR has been engaged in different information technology activities in the past, and INSA collected all the necessary information during the site visit, technical group discussions and a questionnaire. In response to the requirements, a secure, reliable and manageable infrastructure that can serve as the backbone for the existing and upcoming activities of the organization has been designed. While price, performance, ease of management and scalability remain key requirements, the network infrastructure also has to support the mission-critical applications that will be deployed on top of it. This project aims to address the above-mentioned issues as per the software architecture envisioned in the To-be document of the requirement analysis. This document presents the proposed network infrastructure design and the server, storage, material and operating environment requirements, with the goal of maintaining a stable, responsive, reliable and secure Local Area Network (LAN), data centre network and wide area network (WAN). In this high-level design, a security risk and vulnerability analysis is carried out to arrive at a full-fledged security design. The document also addresses the impact of the network design on the daily activities of MoR.

Introduction
The Ministry of Revenue (MoR) is a governmental organization in Ethiopia responsible for collecting and administering both domestic and customs taxes. Performing these tasks through manual procedures is very tedious and ineffective, so MoR deployed the Customs Management System (Asycuda++) for customs tax administration and SIGTAS (Standard Integrated Tax Administration System) for the administration of domestic tax. The realization of MoR services creates a high reliance on cyberspace to facilitate tax collection and administration processes. However, because of the nature of cyberspace and the value of MoR's systems and infrastructure, they may be exposed to a range of cyber-attacks. Many threat agents, such as cyber criminals, hackers, terrorist groups, insiders, hostile states and other motivated individuals or groups, may launch cyber-attacks, and MoR could face a substantial risk of losing its valuable assets. This document outlines the computing and storage capabilities of the current network infrastructure, along with a gap analysis conducted by INSA. Additionally, it provides recommendations for the implementation of a new infrastructure.

Objectives

The objective of this document is to provide a brief overview of the existing ICT infrastructure and network security in order to identify and list the new requirements of MOR in all ICT areas. This document will also serve as input for future documents such as the HLD and RFP.

Scope

The scope of the context understanding will focus on:

- Understanding the business goals of MOR.
- Studying the existing core business applications and systems.
- Understanding the existing network infrastructure and system processes.
- Understanding the network, systems, security and access policies.

The scope of the requirement analysis will focus on:

- Determine MOR Network Design Requirements.
- Determine MOR WAN edge requirement.
- Determine MOR Internet edge requirement.
- Determine MOR Core module requirement.
- Determine MOR server farm module requirement.
- Determine MOR DMZ module requirement.
- Determine MOR Network Security requirement.
- Determine MOR compute and storage requirements.
- Determine MOR backup and archive requirement.
- Determine MOR disk backup requirement.
- Determine MOR directory and email service requirement.
- Determine endpoint security requirement.
- Determine email security requirement.
- Determine DR requirement.

Business Context Understanding

Business Context Understanding enables an organization to comprehend its present condition and evaluate the resources at its disposal, potential avenues for expansion, and competitive strengths. It establishes a solid groundwork for constructing a secure and dependable infrastructure. The objective of conducting a business assessment is to ensure that organizations remain in sync with their objectives and gain insight into the essential steps required to attain them efficiently.

Existing Network Infrastructure

The map below illustrates how the MoR network is physically connected. The design has redundant core switches and routers. The network is made up of several segments, including a core network, a server farm, a DMZ (demilitarized zone) and an internet segment. The core network is the central part of the network and contains the most critical devices, such as the servers and storage. The DMZ and internet zone form a buffer between the core network and the internet and contain less critical devices, such as web servers. The internet segment is the connection to the public internet. The network uses a variety of devices, including routers, switches, firewalls and load balancers: routers direct traffic between different segments of the network, switches connect devices within a subnet, firewalls protect the network from unauthorized access, and load balancers distribute traffic across multiple servers to improve performance.
Existing Network Infrastructure Design
1.1 List of the Network and Security Devices.

- ASR 1001-X Router: This is a Cisco high-performance router designed for enterprise and service provider networks. It is commonly used in applications such as branch office connectivity, virtual private networks (VPNs), and internet access.
- ISR4321/k9 Router: This is a Cisco integrated services router (ISR) designed for small and medium-sized businesses (SMBs). It is commonly used in applications such as secure remote access, wireless networking, and voice over IP (VoIP).
- ISR4400 Router: This is a Cisco high-performance ISR designed for enterprise and service provider networks. It is commonly used in applications such as data center access, VPNs, and security.
- 6807-X Core Switch: This is a Cisco Catalyst 6800 Series core switch. It is a high-performance switch designed for large enterprise and service provider networks. It is commonly used in applications such as data center fabric, high-bandwidth server connections, and storage area networks (SANs).
- 3560 G Switches: These are Cisco Catalyst 3560 Series switches, a family of mid-range switches designed for enterprise and service provider networks. They are commonly used in applications such as campus networks, data center access, and wireless LANs.
- C9300 Switch: This is a Cisco Catalyst 9300 Series switch. It is a high-performance switch designed for enterprise and service provider networks. It is commonly used in applications such as wireless LANs, data center access, and edge computing.
- C3850 Switch: This is a Cisco Catalyst 3850 Series switch. It is a mid-range switch designed for enterprise and service provider networks. It is commonly used in applications such as campus networks, data center access, and wireless LANs.
- ZTE Switch:
- Brocade Switch:
- Access Switch (Cisco Catalyst 2960 Series switch): This is a family of entry-level switches designed for small and medium-sized businesses (SMBs). They are commonly used in applications such as office networks, retail networks, and branch offices.
- ASA 5510 Firewall: This is a Cisco ASA 5500 Series firewall, a family of mid-range firewalls designed for enterprise and service provider networks. They are commonly used in applications such as border security, data center security, and remote office security.
- ASA 5516-X Firewall: This is a Cisco ASA 5500 Series firewall, a family of mid-range firewalls designed for enterprise and service provider networks. They are commonly used in applications such as border security, data center security, and remote office security.
- ASA 5555 Firewall: This is a Cisco ASA 5500 Series firewall, a family of mid-range firewalls designed for enterprise and service provider networks. They are commonly used in applications such as border security, data center security, and remote office security.
- FortiGate 1500D Firewall: This is a Fortinet FortiGate firewall. Fortinet is a US-based company that manufactures a wide range of network security appliances. The FortiGate 1500D is a mid-range firewall designed for enterprise and service provider networks. It is commonly used in applications such as border security, data center security, and remote office security.
- XG 650 Firewall: This is a Sophos XG 650, a high-performance firewall equipped to provide protection for larger distributed and growing organizations.
Table 1: List of the Network and Security Devices.

| No | Device | Vendor | Full Model | Qty | End of SW Maintenance Releases Date (HW) | End of New Service Attachment Date (HW) | End of Vulnerability/Security Support (HW/SW) | Last Date of Support (HW/SW) | Remark |
|---|---|---|---|---|---|---|---|---|---|
| 1 | ASR Router | Cisco | ASR 1001-X | 2 | August 1, 2023 | August 1, 2023 | July 31, 2025 | July 31, 2025 | |
| 2 | ISR Router | Cisco | ISR4321/k9 | 3 | August 31, 2025 | November 6, 2024 | November 30, 2028 | November 30, 2028 | |
| | ISR Router | Cisco | ISR4400 | 1 | August 31, 2025 | November 6, 2024 | November 30, 2028 | November 30, 2028 | |
| 3 | Core switch | Cisco | 6807-X | 02 | April 30, 2023 | April 30, 2023 | April 30, 2027 | April 30, 2027 | |
| 4 | L3 switches | Cisco | 3560 G | 2 | January 30, 2014 | January 30, 2014 | January 30, 2016 | January 31, 2018 | |
| | L3 switches | Cisco | C9300 | 5 | | | | | |
| | L3 switches | Cisco | C3850 | 1 | May 30, 2024 | May 30, 2024 | May 31, 2028 | May 31, 2028 | |
| 5 | ZTE switch | ZTE | | 3 | | | | | |
| 6 | Brocade switch | HP | | 2 | | | | | |
| 7 | Access switch | Cisco | C2960 | 2 | October 31, 2015 | October 31, 2015 | October 30, 2017 | October 31, 2019 | |
| 8 | Firewall | Cisco | ASA 5510 | 01 | August 25, 2018 | September 16, 2014 | September 30, 2018 | | |
| | Firewall | Cisco | ASA 5516-X | 01 | August 25, 2018 | August 2, 2022 | August 31, 2026 | August 31, 2026 | |
| | Firewall | Cisco | ASA 5555 | | September 2, 2023 | September 2, 2023 | September 30, 2025 | September 30, 2025 | |
| | Firewall | Fortinet | FortiGate 1500D | 02 | 10-04-2015 | | | | |
| 09 | Firewall | Sophos | XG 650 | 02 | Not declared | Not declared | Not declared | Not declared | |
| 10 | Load Balancer | Radware | Alteon NG | 02 | | | | | EOL |
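The support dates in Table 1 are the input a defender needs most: any device past its vulnerability/security support date is running without vendor fixes. The following Python check is an added example, not part of the INSA document; it transcribes the table's "End of Vulnerability/Security Support" column (assumed to be the deciding date, blank and "Not declared" cells treated as unknown) and buckets the inventory as of the document date, July 2022.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Device:
    name: str
    model: str
    end_vuln_support: Optional[date]  # End of Vulnerability/Security Support (HW/SW)
    remark: str = ""

# Transcribed from Table 1; blank/"Not declared" cells are None. The FortiGate 1500D
# date in the table sits only in the SW-maintenance column, so it is None here too.
INVENTORY = [
    Device("ASR Router", "ASR 1001-X", date(2025, 7, 31)),
    Device("ISR Router", "ISR4321/k9", date(2028, 11, 30)),
    Device("ISR Router", "ISR4400", date(2028, 11, 30)),
    Device("Core switch", "6807-X", date(2027, 4, 30)),
    Device("L3 switch", "3560 G", date(2016, 1, 30)),
    Device("L3 switch", "C9300", None),
    Device("L3 switch", "C3850", date(2028, 5, 31)),
    Device("ZTE switch", "", None),
    Device("Brocade switch", "", None),
    Device("Access switch", "C2960", date(2017, 10, 30)),
    Device("Firewall", "ASA 5510", date(2018, 9, 30)),
    Device("Firewall", "ASA 5516-X", date(2026, 8, 31)),
    Device("Firewall", "ASA 5555", date(2025, 9, 30)),
    Device("Firewall", "FortiGate 1500D", None),
    Device("Firewall", "XG 650", None),
    Device("Load Balancer", "Alteon NG", None, remark="EOL"),
]

def classify(inventory, as_of, horizon_days=365):
    """Bucket devices by security-support status on the given date:
    no_security_fixes (date passed or row marked EOL), expiring (ends within
    horizon_days), unknown (no date on record, needs vendor lookup), supported."""
    out = {"no_security_fixes": [], "expiring": [], "unknown": [], "supported": []}
    horizon = as_of + timedelta(days=horizon_days)
    for d in inventory:
        label = d.model or d.name  # ZTE/Brocade rows have no model recorded
        if "EOL" in d.remark.upper():
            out["no_security_fixes"].append(label)
        elif d.end_vuln_support is None:
            out["unknown"].append(label)
        elif d.end_vuln_support < as_of:
            out["no_security_fixes"].append(label)
        elif d.end_vuln_support <= horizon:
            out["expiring"].append(label)
        else:
            out["supported"].append(label)
    return out
```

Run `classify(INVENTORY, date(2022, 7, 1))` to see the July 2022 picture; moving `as_of` forward shows which devices fall into the expiring bucket next.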

MOR HQ and Branches user information


| Site | Number of users | Remark |
|---|---|---|
| HQ | Management and Technical Users: 20 (Mang't) + 113 = 133 | |
| HQ | End Users: 323 (…………) | |
| HQ | Total Campus Users: 850 | |
| Branches | Federal Tax Authority = 22 | |
| Branches | Regional Tax Authorities = 680 | |
| Branches | City Administrations = 51 | |
| Branches | Total Branches = 753; + 20% (150) = 903 | |
| Total Branch Users | 25,853; + 20% (5,170) = 31,023 | |
| Tax Payers | 17,169,488 | For the next 10 years |
1.1.1. Connectivity and Bandwidth
MOR internal users, both technical and non-technical, access the essential applications via wireless and wired local area networks, and branches have WAN connectivity with the Head Office.

| Type of User | Types of connection (Wireless, Wired, VPN, Internet) | Remark |
|---|---|---|
| MOR Internal User | Wired, Wireless, Internet | Local area network |
| MOR Branch Users | VPN | |
| Stakeholders | | |
Types of connectivity.

Current Network Bandwidth Monitoring Report


PRTG Network Monitor is agentless network monitoring software from Paessler AG. It can monitor and classify system conditions such as bandwidth usage or uptime and collect statistics from miscellaneous hosts such as switches, routers, servers and other devices and applications. We measured the network bandwidth for three days on the core switch, Internet router, VPN router and server farm switch. The graph shows the bandwidth consumption of each device at a specific time.
