August 14, 2017
IT INFRASTRUCTURE FOR A SMALL FIRM
As a remote office for one of the largest jeans distributors and producers in New York, the new office had just opened with only the basic network environment and hardware for users in place. Once the new office project had successfully ended, several networking improvements were necessary. The office needed a domain controller server and a file server. Some of the improvements were necessary to meet the service level and auditing requirements of the headquarters office in New York. As an engineer, I was asked to provide a highly available WAN connection and strong security measures to prevent attackers on the inside from reaching the servers. The New York headquarters also required a plan for the New York office to securely monitor the servers and the network devices. In security, it is always important to
There would be two internet carriers, ATT Business and Comcast Business circuits. I ordered a 25 Mbps/25 Mbps fiber circuit from each carrier. The WAN IP addresses are provided by the carriers as static global IP addresses.
For the firewall for this project, we would be using two FortiGate 60D units to provide a highly available WAN connection from the carrier modems, both physically and logically. The two physical FortiGate devices would be configured as a high availability cluster for hot-standby failover redundancy. The FortiGate would also be used to separate and secure the network by using VLANs and access lists to protect connections to valuable resources. Another important task for the firewall is creating a secure IPsec VPN tunnel to the New York office, allowing ICMP and SNMP traffic through it so that New York can monitor the devices in the California office. The IPsec tunnel is also used by the California office’s domain controller to replicate with the headquarters domain controller.
Even though a rigorous security policy and monitoring are set on the firewall, it is a bad idea to rely on it too much. It is always important to keep security tight on the internal network. Attacks from the internal network are the most dangerous. “An insider can easily bypass border network protection of an organization that has a firewall in the border network while neglecting to protect its Local Area Network (LAN)” (Supriyanto, Hasbullah, Murugesan & Ramadass, 2013, p. 65). It is important not only to apply security measures on the firewalls but also to secure the devices on the network to build a truly secure network.
The switch for this project would be the Cisco Catalyst 2960 series switch. We would use it as a layer two switch, primarily carrying the VLANs delivered over the trunk connection from the firewall. One of the network security concerns with switches is access to the management interface. Telnet connections are known to be vulnerable because the whole session, credentials included, travels in clear text; to avoid that, SSH is the recommended way to manage a device, even a network switch. “SSH Secure Shell, a product designed to provide end users and businesses secure access to the corporate network by securing e-mail and file transfers, has received ‘Best Communications Security Solution’ honors in the SC Awards program each year since 2001” (PR Newswire, 2003). For a more secure network, telnet access must be disabled and SSH management access allowed only from a designated host.
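One way to make sure the switch actually enforces this rule is to audit its running-config text before it is deployed and again after any change. The script below is an added example, not part of the original post and not a Cisco tool. Both configuration samples in it are constructed: the hostname CA-SW1, the ACL name MGMT-HOSTS and the designated management host 172.16.255.10 are assumptions that the post does not name. The audit checks three things on every vty line: that transport input is SSH only, that an access-class is applied, and that the referenced ACL permits single hosts only; it also checks that SSH version 2 is enforced.

```python
"""Audit a Cisco IOS running-config for the management-access rule described
above: vty lines accept SSH only, and an access-class restricts them to a
designated host. Added example, not from the original post or from Cisco.
Both config samples below are constructed; hostname, ACL name and the
management host 172.16.255.10 are assumptions, not values from the post."""
import re

WEAK_CONFIG = """
hostname CA-SW1
!
line vty 0 15
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """
hostname CA-SW1
ip domain-name jeans.example
ip ssh version 2
!
ip access-list standard MGMT-HOSTS
 permit host 172.16.255.10
 deny any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 login local
"""

def parse_blocks(config):
    """Split an IOS config into (section header, [indented child lines]) pairs.
    Top-level one-liners become headers with no children."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_vty(config):
    """Return a list of findings; an empty list means the management-access rule holds."""
    findings = []
    blocks = parse_blocks(config)
    if "ip ssh version 2" not in [h for h, _ in blocks]:
        findings.append("SSH version 2 is not enforced")
    acls = {}  # ACL name -> its access control entries
    for header, children in blocks:
        m = re.match(r"ip access-list standard (\S+)$", header)
        if m:
            acls[m.group(1)] = children
    for header, children in blocks:
        if not header.startswith("line vty"):
            continue
        transport = [c for c in children if c.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(f"{header}: transport input is not restricted to ssh")
        access = [c for c in children if c.startswith("access-class")]
        if not access:
            findings.append(f"{header}: no access-class, management reachable from any source")
            continue
        acl_name = access[-1].split()[1]
        aces = acls.get(acl_name)
        if aces is None:
            findings.append(f"{header}: access-class {acl_name} refers to an undefined ACL")
            continue
        permits = [a for a in aces if a.startswith("permit")]
        if not permits or any(not re.fullmatch(r"permit host \d+(\.\d+){3}", a) for a in permits):
            findings.append(f"{header}: ACL {acl_name} must permit only designated hosts")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vty(cfg) or ["OK"])
```

The weak sample is the out-of-the-box shape of a vty line that still accepts telnet from anywhere; the hardened sample is what the post's rule looks like on the device. Running the audit over a config pulled from the switch after every change turns the "SSH only from a designated host" requirement into a repeatable check rather than something verified once by hand.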
Wireless Access Points
For laptop users, there would be no RJ45 port for a wired Ethernet connection, only a wireless connection. Two Cisco WAP371 Wireless-AC/N Dual Radio Access Points would be mounted on the ceiling and patched through to the network switch in the server room. Since the switches are not PoE, the access points would need PoE power injectors. The SSID for the laptop users would be “JEANS_OFFICE”, and it would not be broadcast; hiding the SSID only keeps it out of casual scans, so the actual protection for this SSID comes from WPA2 Enterprise, authenticating against the Active Directory server on the domain controller.
Another device on the network would be the HP LaserJet Pro M477fdw wireless color laser printer, which would connect over wired RJ45 Ethernet. In a local area network, printers are among the most vulnerable devices. “An attacker could find passwords for LDAP, POP3, SMTP, outbound HTTP proxy, FTP, SMB, and WebDAV as well as the IPsec pre-shared keys” (Kovacs, 2017). As printers gain new features such as scanning to e-mail and to shared folders, more vulnerabilities come with them. Printers are local area network devices with real potential for vulnerability.
Several cables need to be prepared to get these devices running. For the network connections inside the server room, we would be using RJ45 straight-through Cat 6 cable. For the patch cables and the cubicle-to-desktop connections, Cat 5e can be used as a cost-effective option.
Other Networking Device
As a plus, I would like laptop users to have a Bluetooth-enabled, rechargeable portable mouse, so that the laptop can be used entirely as a portable computer. Bluetooth is a technology recognized as a personal area network (PAN).
Below would be a logical network diagram for this project.
IP Addresses and Segments
The diagram above is the network diagram for this project. The firewall would act as the DHCP server, automatically assigning IP addresses to each device. Only the office network would have DHCP. The DNS servers handed out by DHCP would be both the ATT and the Comcast DNS servers. This infrastructure would use IPv4 addressing. We are not using IPv6 in our network infrastructure since this is a remote office and there are not enough network segments for IPv6’s advantages in address scheme to matter. Aside from the security advantages, very few engineers are fully adapted to the IPv6 environment, so management would be difficult.
There would be two separate internet carriers, load balanced by the firewall. For the WAN connections, static IP addresses assigned by ATT and Comcast would be used, as in the diagram. All routing, access lists and VLANs would be managed on the firewall; the switch beneath it acts purely as a layer two switch, receiving the VLANs over the trunk connection from the firewall. Two primary local area networks (LANs) divide the office user network from the server network. The office user network would primarily be routed through the ATT internet connection, and the server network mostly through the Comcast connection. The IPsec VPN would terminate on the Comcast interface of the California office. The management network, used to reach the management interface of each network device, is 172.16.255.0/24: as in the diagram, the FortiGate has 172.16.255.254 and the switch has 172.16.255.1. The office network uses the 172.16.1.0/24 range and the server network uses 172.16.2.0/24.
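The addressing plan above and the least-privilege rules from the firewall section (SSH to management interfaces only from the designated host, and only ICMP and SNMP through the IPsec tunnel for New York's monitoring) can be sanity-checked as a small policy model before anything is typed into the FortiGate. This is an added example, not the project's configuration or FortiGate code. The three 172.16.x.0/24 segments and the FortiGate and switch addresses come from the post; the New York headquarters network 10.0.0.0/24, the management host 172.16.255.10, the office-to-file-server SMB rule and the default-deny behaviour are assumptions. The sample flows at the bottom are constructed.

```python
"""Policy model for the California office design: three local segments, the
HQ network behind the IPsec tunnel, and a first-match, default-deny rule set.
Added example, not the project's own code; assumptions are marked ASSUMED."""
from ipaddress import ip_address, ip_network

SEGMENTS = {
    "management": ip_network("172.16.255.0/24"),  # from the post
    "office":     ip_network("172.16.1.0/24"),    # from the post
    "server":     ip_network("172.16.2.0/24"),    # from the post
    "hq":         ip_network("10.0.0.0/24"),      # ASSUMED: New York HQ behind the IPsec tunnel
}
DEVICES = {
    "fortigate": ip_address("172.16.255.254"),  # from the post
    "switch":    ip_address("172.16.255.1"),    # from the post
    "mgmt_host": ip_address("172.16.255.10"),   # ASSUMED: the designated admin host
}

# (rule name, source, destination, protocol, destination port or None).
# Source/destination is a segment or device name. First match wins; no
# match means deny (ASSUMED default-deny, the usual firewall posture).
RULES = [
    ("hq-monitor-icmp", "hq",        "management", "icmp", None),  # ping from NY monitoring
    ("hq-monitor-snmp", "hq",        "management", "udp",  161),   # SNMP polls from NY
    ("admin-ssh",       "mgmt_host", "management", "tcp",  22),    # SSH only from the designated host
    ("office-files",    "office",    "server",     "tcp",  445),   # ASSUMED: users reach the file server
]

def _member(ip, name):
    """True if ip is exactly the named device, or falls inside the named segment."""
    if name in DEVICES:
        return ip == DEVICES[name]
    return ip in SEGMENTS[name]

def evaluate(src, dst, proto, port=None):
    """Return the name of the first rule that allows the flow, or None when it is denied."""
    src, dst = ip_address(src), ip_address(dst)
    for name, s, d, p, dport in RULES:
        if _member(src, s) and _member(dst, d) and p == proto and (dport is None or dport == port):
            return name
    return None

def segments_disjoint():
    """Overlapping segments would make routing and policy matching ambiguous."""
    nets = list(SEGMENTS.values())
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def devices_in_management():
    """Every managed device address must sit inside the management network."""
    return all(ip in SEGMENTS["management"] for ip in DEVICES.values())

if __name__ == "__main__":
    # Constructed sample flows covering the cases the design cares about.
    flows = [
        ("10.0.0.5",      "172.16.255.1",   "icmp", None),  # NY pings the switch
        ("10.0.0.5",      "172.16.255.1",   "udp",  161),   # NY polls the switch over SNMP
        ("10.0.0.5",      "172.16.255.254", "tcp",  22),    # NY tries SSH to the FortiGate
        ("172.16.255.10", "172.16.255.1",   "tcp",  22),    # admin host SSH to the switch
        ("172.16.1.50",   "172.16.255.1",   "tcp",  22),    # office laptop SSH to the switch
        ("172.16.1.50",   "172.16.2.10",    "tcp",  445),   # office laptop to the file server
    ]
    assert segments_disjoint() and devices_in_management()
    for src, dst, proto, port in flows:
        verdict = evaluate(src, dst, proto, port) or "DENY"
        print(f"{src:>14} -> {dst:<15} {proto:<4} {str(port):<5} {verdict}")
```

The point of the model is the denied cases: an office laptop cannot reach a switch management interface on SSH, and the headquarters cannot do more than ping and poll over the tunnel, because nothing explicitly allows it. Whatever firewall finally carries these rules, each row in RULES should map to exactly one policy on it, and each denied sample flow is a test worth re-running after every policy change.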
Security cannot be taken for granted, and every network device must be kept under watch. It is always important to carry out security on every networking device: make sure only SSH is used to reach the management shell of network devices, and protect printers from leaking sensitive information. The most critical cyber attacks come from the inside. This design separates the office network from the server network for better security. Using an encrypted IPsec VPN tunnel for the monitoring traffic is a secure way to communicate over the internet.
References
Supriyanto, Hasbullah, I. H., Murugesan, R. K., & Ramadass, S. (2013). Survey of internet protocol version 6 link local communication security vulnerability and mitigation methods. IETE Technical Review (Medknow Publications & Media Pvt. Ltd.), 30(1), 64-71.
SSH secure shell receives ‘best communications security product’ honor at SC awards 2003. (2003). PR Newswire. Retrieved from
Kovacs, E. (2017). Printer Vulnerabilities Expose Organizations to Attacks. Retrieved from