IT Infrastructure and Secure Solution Proposal Reference Example

ABC Accounting Inc. Network Infrastructure Proposal

Table of Contents

  • Network Topology
  • Type of Network and Design
  • Client Network Devices
  • Firewall
  • Switch
  • Wireless
  • Printer
  • IP Infrastructure
  • Logical topology
  • IP Addressing Scheme
  • Security
  • Security Appliances
  • Web Filtering and Access list
  • Authentication and Encryption
  • Antivirus Software and Network Monitoring
  • Project Expense
  • Conclusion
  • References

ABC Accounting Inc. has made significant progress over the past year. The business has grown from five employees to an expected three hundred fifty, which calls for an enterprise-scale network infrastructure. Because the company is expanding into three office floors in the same building, the network design has to be planned around that space. A third of the employees are laptop users who travel occasionally, and all users run Windows 7. The current network infrastructure would not be able to serve future expansion of the business, so it is critical to consider an upgrade at this time.

Network Topology

Type of Network and Design

To keep up with today's technology, it is crucial to build a network infrastructure that is enterprise scale, dynamically scalable, and secure. The network for this company would need to cover over 350 employees with network devices such as routers, a firewall, switches, servers, printers, access points, and guest devices. This calls for a large-scale network built with the right devices.

For the Wide Area Network (WAN) connection, for redundancy I suggest using two carriers: an AT&T Business circuit and a Comcast Business circuit. Each would be a fiber circuit with 100 Mbps download and 100 Mbps upload, and we would have a total of eight static IP addresses across the two carriers. The Comcast circuit would be the primary circuit and the AT&T circuit the backup. Remote users would reach the corporate network only through the VPN terminated on the backup circuit, so the VPN endpoint has a public IP address separate from the primary circuit's address. Keeping the VPN on its own public address isolates it from the primary circuit's traffic, but it does not hide it: anyone scanning that address range will still find the VPN listener, so access control has to come from VPN authentication and the firewall policy rather than from the choice of address.

Client Network Devices

The client device specification needs to satisfy the resources the users' programs and applications will use. Users would mostly use email and file shares for the majority of their work. For desktop users, the Dell OptiPlex 3050 small form factor would be recommended; it comes with a power cable, keyboard, and mouse. Users would not need many resources, since they would run simple applications such as a web browser and Windows Explorer for the network file share. The desktop has an Intel Core i3-7100 (dual core, 3MB cache, 4 threads, 3.9GHz, 65W), 4GB (1x4GB) 2400MHz DDR4 memory, and a 3.5 inch 500GB 7200rpm hard disk drive, with 3 years of ProSupport with Next Business Day Onsite Service for every desktop. Desktop users would connect to the network over the RJ45 Ethernet port only. The users would have the Dell E2417H 24 inch LED-backlit LCD monitor with 1920 x 1080 resolution; the monitor connects to the desktop with the display cable that ships with it, along with its power cable.

There is also a need for a portable, lightweight solution for users who come and go from the office. Laptop users would be those who go out for sales or are otherwise out of the office occasionally. We recommend the Dell Inspiron 5000 Series laptop for these users, equipped with 8GB of RAM and an Intel Core i5 CPU: a lightweight, robust laptop that fits the need. These laptops would not have an RJ45 network port, so laptop users would connect to the network through the laptop's built-in wireless NIC.

For this new network infrastructure, a few servers would be necessary. First would be file servers: one file server for users and a second file server holding logs and backups for fault tolerance. There would also be a need for a domain controller for the network environment, and for redundancy there would be two, a primary and a secondary domain controller, replicating with each other and authenticating users. We recommend a total of four servers: two file servers and two domain controllers.

We would select the Dell PowerEdge R430 rack server, each with 32GB DDR4 memory, a 128GB SSD, three 1TB SAS hard disks, and two Intel Xeon processor sockets. To serve the users we would need one hundred seventy-five desktop computers and another one hundred seventy-five laptop computers, plus the four servers.

Firewall

The firewall would be the key device for both security and routing in this network architecture. It needs high reliability, and a good solution is to configure two firewalls for high availability. In active-standby high availability the two firewalls form a cluster; when the standby unit detects a fault on the active unit, it takes over and brings up its interfaces. I would recommend the FortiGate 200D. It would have a WAN interface on each of the two internet carriers, with traffic load balanced and routed accordingly; if one circuit goes offline, the firewall routes traffic to the backup circuit, the AT&T circuit. Another important role the firewall would play is securing access to the file system and company resources through an IPsec VPN tunnel. A virtual private network, or VPN, supports the creation of virtual links that join far-flung nodes via the Internet by creating a logical encrypted tunnel between the nodes to pass traffic (Dordal, 2014). Users who need to connect to company resources would use the FortiClient VPN agent, installed on the user's computer, to load a VPN profile with the correct parameters and the preshared key for the tunnel. The preshared key only authenticates the tunnel itself and is shared by every laptop, so it must not be the only credential: each user should also authenticate to the VPN with their own Active Directory account, which the firewall can verify through the same RADIUS server the wireless network uses.

Switch

Each desktop user would connect to the jack under their desk, which is patched to the patch panel in the server room and from there cabled to a network switch. At least one hundred seventy-five network ports would be required for desktops, plus more for servers and other network devices, so eight network switches would be needed. I would recommend the Cisco Catalyst 2960 series switch for the network infrastructure. Four switches would be installed on the first floor, two on the second floor, and two on the third floor.

The switches provide the virtual local area network (VLAN), which acts as a set of ports attached to one or more Ethernet switches and runs one MAC learning algorithm per VLAN (Bonaventure, 2011, p. 240). We would use these switches as layer-two switches, carrying the VLANs over a trunk connection from the firewall to each switch, with the firewall routing between VLANs. The first-floor switches would be given the lowest spanning-tree bridge priority value so that one of them is elected the spanning-tree root. On each floor, the switches would be connected with stacking cables.

Wireless

Laptop users would connect to the network over Wi-Fi. Since the network covers a large area, multiple access points are needed for full coverage: three on the first floor, two on the second floor, and two on the third floor, a total of seven Cisco WAP371 Wireless-AC/N Dual Radio Access Points. All of the access points would be ceiling-mounted and spaced across each floor, with additional cabling run through the ceiling from each access point back to the server room. The access points are PoE powered, and since the switches are not PoE switches, each access point needs a PoE power injector placed between the network switch and the access point, seven in total. The SSID would be "ABC-OFFICE", and the SSID would not be broadcast. Hiding the SSID is a convenience rather than a security control, because clients still send the name in probe requests and it is visible to anyone with a wireless sniffer; the actual protection for the SSID is WPA2-Enterprise, with users authenticated against the RADIUS server on the local network.

Since multiple wireless access points need to be managed on the network, a scalable solution is needed. We recommend adding a wireless controller to handle the access points: the Cisco AIR-CT2504-5-K9 2504 Wireless Controller. Note that the WAP371 is a standalone small-business access point managed through its own web interface or Single Point Setup clustering, not through a Cisco wireless LAN controller; a controller-managed design would need controller-capable Aironet access points instead.

Printer

For the printers, we would like to minimize the use of paper while still making printing easy when it is needed. We would get the most affordable network printer that can authenticate to the network through the RADIUS server. The network printer we would deploy in the new IT infrastructure is the HP LaserJet Pro M477fdw Wireless Color Laser Printer. If you attach a printer to one computer and share it, nobody can print when that computer is off, but an alternative is to purchase a network printer (FunctionX, Inc., 2014). The printer is capable of wireless, but we would use only the Ethernet connection in this case. It has copier, scanner, fax, and mobile printing capabilities. The printer would be set up for scan to email and for saving scanned documents to the network file share folder.

IP Infrastructure

Logical topology

IP Addressing Scheme

The IP addressing for this network infrastructure requires a larger office addressing scheme than a small office would use, because of the number of users expected now and the growth expected later. There would be two logical networks in the Local Area Network (LAN): the office network and the server network, separated by VLANs. The office network would be used by office users and their devices, including desktops, laptops, wireless access points, and printers. Its address range is 10.222.0.0/16, with subnet mask 255.255.0.0.

DHCP for this network would be served by the FortiGate firewall. The DHCP scope would run from 10.222.0.2 to 10.222.254.254, and the 10.222.255.1 to 10.222.255.253 range would be reserved for statically addressed network devices such as printers, the firewall, and the wireless access points. The default gateway for this network would be 10.222.255.254, the last usable address in the /16 (10.222.255.255 is the subnet's broadcast address and cannot be assigned to a device), and DNS would point at the domain controllers.
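As an added example (not part of the proposal), the following Python encodes the addressing plan above with the standard ipaddress module and checks it the way an engineer would before configuring the firewall's DHCP scope: pools must lie inside the subnet, exclude the network and broadcast addresses, not overlap each other, and the gateway and static hosts must not fall inside the DHCP scope. The office plan uses the proposal's own ranges; the server VLAN's gateway address (172.22.2.1) is an assumption of this example, since the proposal names only the four server addresses.

```python
"""Added example, not from the ABC Accounting proposal: validate a subnet plan."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Pool:
    name: str
    first: str
    last: str
    dynamic: bool = False  # True for a DHCP scope, False for a reserved/static range


@dataclass(frozen=True)
class SubnetPlan:
    name: str
    network: str
    gateway: Optional[str] = None
    pools: Tuple[Pool, ...] = ()
    hosts: Tuple[Tuple[str, str], ...] = ()  # (hostname, address) static assignments


def pool_size(pool: Pool) -> int:
    """Number of addresses in an inclusive first..last pool."""
    return int(ipaddress.ip_address(pool.last)) - int(ipaddress.ip_address(pool.first)) + 1


def validate_plan(plan: SubnetPlan) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(plan.network, strict=True)
    findings: List[str] = []
    ranges = []

    for pool in plan.pools:
        first = ipaddress.ip_address(pool.first)
        last = ipaddress.ip_address(pool.last)
        if first > last:
            findings.append(f"{plan.name}/{pool.name}: first address is after last")
            continue
        for addr in (first, last):
            if addr not in net:
                findings.append(f"{plan.name}/{pool.name}: {addr} is outside {net}")
        # The network and broadcast addresses of a subnet are never assignable.
        if first == net.network_address:
            findings.append(f"{plan.name}/{pool.name}: {first} is the network address")
        if last == net.broadcast_address:
            findings.append(f"{plan.name}/{pool.name}: {last} is the broadcast address of {net}")
        ranges.append((pool.name, first, last))

    # Pools must be disjoint, otherwise DHCP can hand out a reserved address.
    for i, (name_a, a_first, a_last) in enumerate(ranges):
        for name_b, b_first, b_last in ranges[i + 1:]:
            if a_first <= b_last and b_first <= a_last:
                findings.append(f"{plan.name}: pools {name_a} and {name_b} overlap")

    def in_dynamic_pool(addr: ipaddress.IPv4Address) -> bool:
        return any(
            p.dynamic and ipaddress.ip_address(p.first) <= addr <= ipaddress.ip_address(p.last)
            for p in plan.pools
        )

    if plan.gateway is not None:
        gw = ipaddress.ip_address(plan.gateway)
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            findings.append(f"{plan.name}: gateway {gw} is not a usable host in {net}")
        elif in_dynamic_pool(gw):
            findings.append(f"{plan.name}: gateway {gw} lies inside a DHCP pool")

    seen = {}
    for host, ip in plan.hosts:
        addr = ipaddress.ip_address(ip)
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            findings.append(f"{plan.name}: {host} at {addr} is not a usable host in {net}")
        if in_dynamic_pool(addr):
            findings.append(f"{plan.name}: {host} at {addr} collides with a DHCP pool")
        if addr in seen:
            findings.append(f"{plan.name}: {host} and {seen[addr]} both use {addr}")
        seen[addr] = host
    return findings


# The office VLAN as the proposal describes it, with the device range stopping
# at 10.222.255.253 so that the /16 broadcast address is never handed out.
OFFICE_PLAN = SubnetPlan(
    name="office",
    network="10.222.0.0/16",
    gateway="10.222.255.254",
    pools=(
        Pool("dhcp", "10.222.0.2", "10.222.254.254", dynamic=True),
        Pool("infrastructure", "10.222.255.1", "10.222.255.253"),
    ),
)

# The server VLAN has no DHCP. The gateway address is an assumption of this
# example; the proposal only names the four server addresses.
SERVER_PLAN = SubnetPlan(
    name="servers",
    network="172.22.2.0/24",
    gateway="172.22.2.1",
    hosts=(
        ("dc1", "172.22.2.10"),
        ("dc2", "172.22.2.11"),
        ("fs1", "172.22.2.20"),
        ("fs2", "172.22.2.21"),
    ),
)

if __name__ == "__main__":
    for plan in (OFFICE_PLAN, SERVER_PLAN):
        issues = validate_plan(plan)
        print(plan.name, "OK" if not issues else issues)
        for pool in plan.pools:
            print(f"  {pool.name}: {pool_size(pool)} addresses")
```

Running it reports both plans as consistent; changing the infrastructure pool to end at 10.222.255.255, or extending the DHCP scope into the 10.222.255.0 range, produces a finding, which is the kind of mistake that otherwise surfaces only as an intermittent address conflict.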

The server network has no DHCP; it uses subnet mask 255.255.255.0, the 172.22.2.0/24 range, with static addresses: primary file server 172.22.2.20, secondary file server 172.22.2.21, primary domain controller 172.22.2.10, and secondary domain controller 172.22.2.11. The two networks are separate VLANs, and traffic between them is controlled by an access list on the firewall that permits only the specific ports needed for the granted services, such as SMB/CIFS, LDAP, RPC, and HTTPS, with everything else denied. Two of the services the proposal lists deserve a caveat: FTP sends credentials in cleartext, so file access between the VLANs should go over SMB rather than FTP, and Bonjour (mDNS) is link-local multicast that does not cross the VLAN boundary without a reflector, so an access-list entry for it gives nothing on its own. The office network's default route would go to the Comcast circuit, and if the WAN interface facing the Comcast modem is detected down, traffic would be routed to the AT&T modem as the backup.
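As an added example (not part of the proposal) of the inter-VLAN access list described above, this Python models a first-match firewall policy between the office VLAN and the server VLAN and evaluates constructed flows against it. The port table is an assumption of this example: it covers DNS, Kerberos, LDAP/LDAPS, NTP, the RPC endpoint mapper, SMB and HTTPS from office to servers, and nothing else; FTP is deliberately absent, and no rule allows the server VLAN to open connections into the office VLAN. It also checks the ordering problem that a reviewer looks for in any rule table: a rule that can never match because an earlier rule already covers everything it would.

```python
"""Added example, not from the ABC Accounting proposal: inter-VLAN policy check."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

OFFICE = ipaddress.ip_network("10.222.0.0/16")
SERVERS = ipaddress.ip_network("172.22.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                # "tcp", "udp" or "any"
    dports: Tuple[int, ...]   # empty tuple means any destination port
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Ordered like a firewall policy table: the first matching rule wins and the
# final rule denies everything else. Port numbers are this example's assumption.
POLICY: List[Rule] = [
    Rule("office-to-dns", OFFICE, SERVERS, "udp", (53,), "allow"),
    Rule("office-to-dns-tcp", OFFICE, SERVERS, "tcp", (53,), "allow"),
    Rule("office-to-kerberos-ldap", OFFICE, SERVERS, "tcp", (88, 389, 636), "allow"),
    Rule("office-to-kerberos-udp", OFFICE, SERVERS, "udp", (88, 123), "allow"),
    # Endpoint mapper only; the dynamic RPC port range is left out of this example.
    Rule("office-to-rpc", OFFICE, SERVERS, "tcp", (135,), "allow"),
    Rule("office-to-smb", OFFICE, SERVERS, "tcp", (445,), "allow"),
    Rule("office-to-https", OFFICE, SERVERS, "tcp", (443,), "allow"),
    Rule("default-deny", ANY, ANY, "any", (), "deny"),
]


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule matching the flow."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for rule in policy:
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        return rule.action, rule.name
    return "deny", "implicit-deny"  # reached only if no explicit default-deny exists


def shadowed_rules(policy: List[Rule]) -> List[str]:
    """Rules that can never match because an earlier rule covers every flow they would."""
    out = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            covers_proto = earlier.proto == "any" or earlier.proto == later.proto
            covers_ports = not earlier.dports or (
                bool(later.dports) and set(later.dports) <= set(earlier.dports)
            )
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and covers_proto and covers_ports):
                out.append(f"{later.name} is shadowed by {earlier.name}")
                break
    return out


# Constructed sample flows: a desktop reaching the file server and a domain
# controller, the same desktop trying FTP and RDP, and a server trying to
# open a connection back into the office VLAN.
SAMPLE_FLOWS = [
    Flow("10.222.10.15", "172.22.2.20", "tcp", 445),
    Flow("10.222.10.15", "172.22.2.10", "udp", 88),
    Flow("10.222.10.15", "172.22.2.20", "tcp", 21),
    Flow("10.222.10.15", "172.22.2.10", "tcp", 3389),
    Flow("172.22.2.20", "10.222.10.15", "tcp", 445),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        action, name = evaluate(POLICY, flow)
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {action} ({name})")
    print("shadowed:", shadowed_rules(POLICY) or "none")
```

Putting the default-deny rule first, which is easy to do by accident in a firewall GUI that inserts new policies at the bottom, makes every other rule unreachable; shadowed_rules reports exactly that, whereas the live firewall would just start dropping logons.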

As with the network diagram above, it is essential to have a neat, clearly outlined diagram that can be understood easily; any mistake in the documentation can be costly. Network documentation is the blueprint of the network configuration, and when a problem needs to be solved, a service provider will use it to gain an understanding of the network, which results in less time spent and lower cost (Colorado State University-Global Campus, 2017). For instance, suppose a router needed to be replaced and the service provider purchased a replacement but had no documentation of the router configuration; that alone could turn the replacement into a two-hour job.

Security

Social Engineering and Cyber Threats

Regarding security threats, it is very important to get all of the basic security settings right and to monitor every network device, including the firewall, the network switches, the wireless access points, and the network printers. The server event logs and resource statistics also need to be monitored to measure stability. Security precautions must be taken seriously, and we plan to implement enterprise-level security to protect the company's important assets. At the operating-system level, antivirus software would be installed to stop malicious files coming in and to block attacks from the network; the computers would run Symantec Endpoint Protection Small Business Cloud, an enterprise antivirus product managed from the cloud. Private information is said never to stay hidden forever; someday it is exposed. Privacy can be seen as the friction that reduces the spread of personal information, making it more difficult and economically inconvenient to gain access to it. The merit of this definition is that it puts privacy into a relative perspective, excluding the extremes that advocate no friction at all or so much friction that the flow of information stops (Vacca, 2013). There is no completely secure system; security only lowers the probability of exposure. It is always important to apply security patches to the servers and to update the firmware on the network devices as well. Routine maintenance helps engineers become aware of an issue before it is too late.

Authentication for the new network architecture would be domain authentication through Microsoft Windows Active Directory. Any authentication would look the user up in the Active Directory database: Windows logon, file server access, and email would all authenticate against the company's Active Directory. For wireless network access, users would also use their Active Directory credentials, but through the RADIUS authentication protocol. Each wireless access point would have a RADIUS client configured with a profile pointing at the RADIUS server, which would be installed on the Active Directory server. The RADIUS server validates the request and grants or denies permission to join the network.

Still, network security appliances such as a next-generation firewall, and separating networks with VLANs, may not be enough to protect against the security threats seen today. One of the most common threats is social engineering. Intruders use social engineering to exploit people, convincing a target that the intruder is someone they are not so that the target reveals information or grants access. "The most effective countermeasure for a social engineering is employee awareness training on how to recognize social engineering schemes and how to respond appropriately" (LabSim Online Labs, 2017). So we would not only scale network security through the architecture to remove single points of failure, but also address human error.

Project Expense

ITEM  DESCRIPTION                                              QTY   UNIT          AMOUNT

A     Hardware Equipment
      <Network>
1     FortiGate 200D                                             2   $2,540.00      $5,080.00
2     Cisco Catalyst 2960                                       12   $3,295.00     $39,540.00
3     Cisco WAP371                                               7     $160.99      $1,126.93
4     Power Injector                                             7      $15.00        $105.00
      <Computer>
1     Dell OptiPlex 3050 (Desktop Computers)                   175     $489.00     $85,575.00
2     Dell PowerEdge R430 Rack Server                            5   $1,329.00      $6,645.00
3     Dell Inspiron 5000 Series (Laptop)                       175     $499.00     $87,325.00
      <Other>
      Dell E2417H 24" LED Monitor                              175     $125.00     $21,875.00
      RJ45 straight-through cable                             1750       $4.99      $8,732.50
      HP LaserJet Pro M477fdw Wireless Color Laser Printer       3     $529.99      $1,589.97

B     License and Warranty
      <License>
      FortiGate FortiCare Security License Bundle                2   $1,235.00      $2,470.00
      Symantec Endpoint Protection Small Business Cloud        355      $54.18     $19,233.90
      <Warranty>
      Cisco SmartNet Extended Warranty                          19      $33.48        $636.12
      Dell Extended Hardware Warranty                          355     $150.00     $53,250.00

C     Labor
      1 technician, per hour                                   120  $35.00/hour     $4,200.00

E     Project Management
      Meetings, Scheduling, and Documenting                                          $2,500.00
      Shipping and Handling                                                          $1,500.00

      Taxable Total (Tax Rate: 9.00%)                                              $333,184.42
      Sales Tax                                                                     $29,986.60
      Non Taxable Total                                                              $6,700.00
      Total                                                                        $371,371.02

Conclusion

ABC Accounting Inc. has made significant progress over the past year, and this rapid growth in employees calls for a new network infrastructure. To achieve an enterprise network infrastructure, there is a need for a scalable, secure, reliable, fast, and redundant network that can be easily managed and offers remote VPN access. The business has grown from five employees to an expected three hundred fifty. With a three-floor office, we would plan for future scalability while minimizing cost as much as possible by avoiding unnecessarily high specifications. The current network infrastructure cannot serve the next expansion of the business, so it is entirely critical to consider an upgrade at this time.

References

LabSim Online Labs. (2017). TestOut Network Pro (ISBN 978-1-935080-43-5). Pleasant Grove, UT.

Bonaventure, O. (2011). Computer Networking: Principles, Protocols and Practice. Open Textbook Library, University of Minnesota.

Dordal, P. (2014). An Introduction to Computer Networks. Open Textbook Library, University of Minnesota.

FunctionX, Inc. (2012). Network Hardware. Retrieved from http://www.functionx.com/networking/Lesson02.htm

Vacca, J. R. (Ed.). (2013). Computer and Information Security Handbook (2nd ed.). Amsterdam: Morgan Kaufmann, an imprint of Elsevier.

CSU-Global. (2017). Introduction to Networks, Module 1 to Module 8. Greenwood Village, CO: Colorado State University-Global Campus.