SlideShare ist ein Scribd-Unternehmen logo

WWTC_implementation_plan_Group5_FINAL

J
John Bernal
1 von 39
Downloaden Sie, um offline zu lesen
New York, WWTC Network IMPLEMENTATION PLAN Group 5 CMIT 495 03/01/2015
Implementation Plan Template Group 5 UMUC CMIT 495 Table of Contents 1 INTRODUCTION ..............................................................ERROR! BOOKMARK NOT DEFINED. 1.1 PURPOSE ...................................................................................................................... 3 1.2 SYSTEM OVERVIEW....................................................................................................... 3 1.2.2 Assumptions and Constraints......................................................................................... 3 2 Implementation Requirements ................................................................................................. 3 2.1 DESCRIPTION OF IMPLEMENTATION ................................................................................. 3 2.2 POINTS-OF-CONTACT..................................................................................................... 3 2.3 MAJOR TASKS .............................................................................................................. 3 2.4 TOOLS REQUIREMENT.................................................................................................... 4 2.5 LAN IMPLEMENTATION ................................................................................................. 4 2.5.1 LAN High Level Diagram, IP scheme and Equipment List .......................................... 5 2.5.2 Switch Interconnections and Redundancy..................................................................... 6 2.5.3 IP Hierarchical Scheme.................................................................................................. 6 2.5.4 LAN, VoIP and Wireless Equipment List ..................................................................... 7 2.6 SECURITY IMPLEMENTATION TASKS ................................................................................ 9 2.6.1 Physically install Cisco ASA 5500 firewall................................................................... 9 2.6.2 Configure ASA 5500 firewall...................................................................................... 10 2.6.3 Setup access to the public server farm in DMZ in ASA 5500..................................... 11 2.6.4 Configure VPN for IPSEC in ASA 5500..................................................................... 11 2.6.5 Configure firewall rules in ASA 5500......................................................................... 12 2.6.6 Physically install Cisco IPS 4270 ................................................................................ 12 2.6.7 Configure IPS 4270 for “inline mode” between ASA 5500 and WWTC network ..... 12 2.6.8 Install McAfee E-Policy Orchestrator (EPO) .............................................................. 13 2.6.9 Install and configure Cisco Access Control Server (ACS) 5.4.................................... 14 2.6.10 Install and configure KG-175D ................................................................................. 14 2.6.11 Configure VLAN security on network devices ......................................................... 15 2.6.12 Configure port security on network devices .............................................................. 15 2.6.13 Configure DHCP snooping on network devices........................................................ 15 2.7 ACTIVE DIRECTORY IMPLEMENTATION .......................................................................... 15 2.7.1 Prepare the Forest Root/Parent Domain; WWTC.com................................................ 15 2.7.2 Create the Forest Root/Parent Domain; WWTC.com.................................................. 15 2.8 CONFIGURATION OF ROUTERS....................................................................................... 16 2.9 CONFIGURATION OF SWITCHES...................................................................................... 18 2.10 VLAN CONFIGURATIONS............................................................................................ 20 2.11 VOICE VLAN AND WIRELESS ...................................................................................... 21 2.12 SECURITY TECHNOLOGIES........................................................................................... 22 2.13 DHCP AND DNS....................................................................................................... 24 2.14 ACTIVE DIRECTORY POLICIES ..................................................................................... 26 2.14.1 Configure Global Catalog Servers and FSMO roles ................................................. 27 2.15 ACTIVE DIRECTORY FOREST DOMAIN OU FORMATION................................................... 28 2.16 ACTIVE DIRECTORY GROUP FORMATION ...................................................................... 30 2.17 ACTIVE DIRECTORY GPO IMPLEMENTATION................................................................. 32 2.18 PROJECT TIME LINE ................................................................................................... 35
Implementation Plan Template Group 5 UMUC CMIT 495 1 Introduction 1.1 Purpose Purpose of this plan is to implement LAN, Security, Active Directory and Wireless devices, configurations and policies into a state of the art network for WWTCs New York City office. 1.2 System Overview WWTC has a regional office located in New York City and as the Director of the IT Department, I and the IT team have been tasked to set up a state of the art network that can help increase company revenue and reduce company costs. 1.2.2 Assumptions and Constraints The network infrastructure is solid and a gigabit network is in place. All existing wiring has been tested and the connections are true. The existing power supply is sufficed to meet the current and future demand. 2 Implementation Requirements 2.1 Description of Implementation The IT team has proposed an implementation timeline. The network installation will be accomplished in separate phases. Our WWTC customer has received each phase proposal, and has decided to move forward with this project. 2.2 Points-of-Contact Consultant Project Team Customer Project Team  Project Manager: Steve Ricker  Telephone: 555-555-0001  Email: SteveRicker@consultant.com  Project Manager: Bill Gates  Telephone: 555-555-7889  Email: BillGates@WWTC.com  Configuration Engineer: Chanel Bernal  Telephone: 555-555-1000  Email: ChanelBernal@consultant.com  Configuration Engineer: Yin Chung  Telephone: 555-555-5555  Email: YinChung@WWTC.com  Project Coordinator: Mohamed Haidara  Telephone: 555-555-0023  Email: MohamedHaidara@consultant.com  Project Coordinator: Bhagwati Bansal  Telephone: 555-555-1234  Email: BhagwatiBansal@WWTC.com 2.3 Major Tasks  LAN Implementation  Security Implementation  Active Directory Implementation  Configuration of Routers  Configuration of Switches  VLAN configurations  Voice VLAN and wireless  Security technologies  DHCP and DNS  Active Directory Policies  Active Directory Forest Domain OU formation  Active Directory Group Formation  Active Directory GPO Implementation
Implementation Plan Template Group 5 UMUC CMIT 495  Project Time Line 2.4 Tools Requirement The NY.WWTC LAN will require several tools for different installation tasks. The tools in the following table are needed to complete the WWTC network installation. Tool # Tools Required 1 PC with VT100 emulator, SCP Server, TFTP Server, FTP Server, Text Editor 2 Console port cable DB-9-RJ45/ DB25 with USB Adapter 3 Standard Tools such as: screwdrivers, pliers, inspection mirror, ratchet drivers and socket bit set, electrical tape, multi-meter, tape measure and anti-static mat. 4 Fiber Optic installation kit 5 Ethernet installer kit which includes: Ethernet crimpers, UTP wire strippers, wire and Kevlar scissors, cable tester with remotes, and label maker. 6 Operating system software and drivers 7 USB optical drive 8 USB thumb drive 9 HyperTerminal.exe 10 Laptop (aka console terminal) 2.5 LAN Implementation Effective deployment of the NY.WWTC.com network infrastructure, with all of its collective services requires careful thought, rigorous planning, documentation and well-coordinated execution between all members involved with this deployment. NY.WWTC’s Local Area Network (LAN) implementation plan describes how the accumulation of materials relating to these objectives will be configured and transitioned into a leading edge operational networked IT system. Company leadership, management and implementation teams are focused and committed to excellence. WWTC’s executives have described the business goals of increasing revenue while reducing operating costs to the team with clarity and these have been at the forefront during this process. Under the leadership of WWTC’s president, schedules has been documented and the team is ready. To ensure a smooth and well-coordinated deployment, the following list outlines the sequence of details that will accomplish the specific hardware and software implementation for WWTC’s New York regional office. NY.WWTC planning consists of the following LAN Implementation Tasks:  Providing a high level diagram of the network  Providing the IP scheme of the intended network addresses  Identifying the equipment needed for this roll-out  Identifying the topology of how equipment will be connected  Descriptions of redundant connections to achieve 100% connectivity  Security technologies with solutions  Active Directory implementation tasks  Router, Switch and VLAN configurations (to include Voice and Wireless)
Implementation Plan Template Group 5 UMUC CMIT 495  VPN Configurations  Ant-virus Deployment and Management  DHCP and DNS Implementation Planning  AD and Group Policy Deployment and Configurations  Active Directory Organizational Unit Formations  Active Directory Group Formations  Project schedule release with time-line 2.5.1 LAN High Level Diagram, IP scheme and Equipment List The WWTC LAN design consists of network switching devices in the core, distribution and access layers of the network coupled with the in-place network cabling that connects all these devices together. WWTC’s network infrastructure is a model of a star topology. Focused and trained, WWTC’s IT staff present a switching configuration that offers fast network performance, efficient device management and plans for future company growth. This approach greatly enhances network performance that eliminates unnecessary interconnections, while offering scalability. At a high level, WWTC’s topology has a number of edge routers used for Internet Service Provider (ISP) connectivity, Firewalls and Intrusion Prevention Systems aimed to block intruders, routers and access switches that offer redundancy and end device connectivity. A Full-Mesh Topology WWTC operates a full-mesh topology. Within the New York regional office, WWTC communicates with its Hong Kong headquarters and several other WWTC offices located within the United States through redundant ISP links. NY.WWTC.com uses EIGRP as its routing protocol. “EIGRP is an enhanced distance vector protocol, relying on the Diffused Update Algorithm (DUAL) to calculate the shortest path to a destination within a network.” (Cisco.com, 2015). The NY.WWTC.com full-mesh architecture allows for continued connection between WWTC locations around the globe shown in Figure 1. Figure 1 High Level Design
Implementation Plan Template Group 5 UMUC CMIT 495 2.5.2 Switch Interconnections and Redundancy WWTC’s LAN design model consists of dual switching at each layer in order to achieve network device redundancy. Along with this two device design, WWTC ensures redundant cable connections are established beginning with each computer on the network. All computers are equipped with dual network cards and have been connected to two different switches. Redundancy is also built into the access layer and the distribution layer of its network. The distribution layer offers redundancy to core switches through similar cross-connected links. This means that each switch is connected to at least two other switches by two independent physical cable connections. Figure 1 above is a high level illustration that shows the implementation of the network architect supporting redundancy and all levels. Figure 2 below is a physical connection model planned for the NY.WWTC client computer roll-out. Figure 2 Redundant PC links 2.5.3 IP Hierarchical Scheme The following diagram and table (Fig. 3) provide a high level view of the IPv4 addressing scheme planned for NY.WWTC.com. The legend represents different color coded VLANs appropriate to Figure 1 (above), the topology diagram. The switches provide VLAN summarization points and NY.WWTC has provisioned two Internet Service Providers (ISP’s). The EIGRP protocol will be configured on the network and TCP/IP is used as the routing protocol. Figure 3 IP Hierarchical Scheme
Implementation Plan Template Group 5 UMUC CMIT 495 2.5.4 LAN, VoIP and Wireless Equipment List The IT team has evaluated the networking equipment requirements for WWTC’s New York based office. As a whole, WWTC recognizes Cisco equipment as being the industry leader regarding internetworking equipment. By utilizing Cisco as the standard manufacturer, WWTC’s qualified Cisco Certified Network Administrators (CCNA) can work within a common body of knowledge. This eliminates any possible learning curve and subsequent delay. Focused on efficient management, similar design and standardized configurations, the IT team presents the following equipment list. LAN EQUIPMENT SECTION WWTC Equipment QTY Description Cost Total Cost Unclassified Network Brokers laptops w/OS 20 Dell Laptops (Provided for Broker mobility) Windows 7 Ultimate $899.99 $17,999.80 Brokers Docking stations 20 Dell E-Port Plus port replicators USB 3.0 w/dual monitor capabilities $299.99 $5,999.80 Monitors 87 Dell 22" Monitors $149.99 $13,049.13 Computer Workstations w/OS 67 Dell Precision T1700 Workstations - Windows 7 Ultimate w/TPM $689.95 each $42,226.65 Total Unclassified Computers 87 Company printers 20 HP Color LaserJet Pro (MFP M176n) $249.99 each $4,999.80 Storage Area Network (SAN) 1 HP - HP Storage Works EVA4400 AG637BR Hard Drive Array $37,500 $3,750 Servers 7 HP ProLiant DL580 Servers $4,758 each $33,306 - Configured with Hyper-V - Dual processors and dual power supplies - Will Create 42 virtual servers to include (6 VM per server): Application, File, SQL, Web, Email, RADIUS, library card-catalog - Will Create 2 Domain controllers that include DNS & DHCP Access Layer Switches 2 Catalyst 4510R+E Switch $7,890 Names: ASW1, ASW2 10 slot Chassis with (2) Supervisor 8-E, and (6) line cards 288 PoE, Gb ports $3,945 each Distribution Layer Switch 2 Cisco Catalyst 6503-E $83,990 Names: DR1, DR2 34-Port GBIC-Based GB Ethernet Module Model: 6503-E $41,995 each Core Layer Routers 2 Cisco ASR 1001 Routers $23,610 Names: CR1, CR2 Dual power supply $11,805 each Core Layer Firewall 2 Cisco ASA 5500 $9,936 Names: CFW1, CFW2 6 Port Model: Cisco ASA 5500 $4,968 each Cisco Intrusion Prevention Sensor 3 Cisco IPS 4270 Sensor $4,995 each $14,985 Cisco Access Control System 5.4 1 Centralized identity and access policy solution $200 $200 Polycom Video Conferencing 2 RealPresence Group 500 Media Center System - Includes EagleEye Cameras - 65" Wall Mount LCD for video conferencing Conf. Rm
Implementation Plan Template Group 5 UMUC CMIT 495 Polycom speaker phones 2 Polycom SoundStation IP 6000 $379.95 $759.90 Suite Entry Security System 3 Biometric smart card reader for entry doors $99 $297 User ID Badge system 150 USB CAC Card readers (1 per pc) $20 $3,000 Model: SCR331 Server Room raised floors 2 Server Room raised floor systems Server rooms Server room cooling systems 2 Ceiling-Mounted with Direct Free-Cooling Server rooms Server room fire suppression 2 Server room fire suppression Server rooms Facility video monitoring system 10 Network Camera $99 each $990 Model: EN-7531HD Facility smoke detection system 4 Facility smoke detection system $79 each $316 - Very Early Smoke Detection Apparatus Server backup battery power 2 APC Smart-UPS SRT 5000VA 208V $4,150 each $8,300 Server cabinets 3 TrippLite 42U Rack Enclosure Server Cabinet $985 each $2,955 ISP 1 1 Verizon FiOS ISP 150x150 Mbps Internet Provider ISP 2 1 AT&T Metro Ethernet Internet Provider Microsoft Office 2012 87 Client Access Licenses $149 each $12,963 Microsoft Exchange 2013 1 Email application All Microsoft Exchange CALs 87 Email application licenses $149 each $12,963 Market Tracking Application 1 Provides real-time status of stock and bond market to brokers and their clients All Stock & Bond Analytical Application 1 Provides analysis of stock and Bond to WWTC Brokers All On Line Trading Training 1 Application for training new clients in online trading All McAfee Anti-virus 133 89 computers, 44 Servers $199 each Total Cost Total Cost $232,536.28 Classified Network Computer Workstations 2 Dell Precision T1700 Workstations (Classified side) $689.95 each $13,799 Monitors 2 Dell 22" Monitors $149.99 each $299.98 Total Class. Computers 2 Company Servers 2 HP ProLiant DL380 Servers $9,516 - Will Create 2 Domain controllers that include DNS & DHCP - Dual processors and dual power supplies $4,758 each Access Layer Switches 1 Cisco Catalyst 3560 $3,499 Name: CASW1 12 Port PoE Model: WS-C3560V2-12PS-S $3,499 each Distribution Layer Switch 1 Cisco Catalyst 6503-E $41,995 Name: CDR1 34-Port GBIC-Based GB Ethernet Module Model: 6503-E $41,995 Core Layer Routers 1 Cisco ASR 1001 Routers $11,805 Name: CCR1 Dual power supply $11,805 each Cisco Intrucion Prevention Sensor 1 Cisco IPS 4270 Sensor $4,995
Implementation Plan Template Group 5 UMUC CMIT 495 Taclane High Assurance IP Encryptor 1 Network Encryptor KG-175d $1,999 $1,999 Cisco Intrucion Prevention Sensor 1 Cisco IPS 4270 Sensor $4,995 $4,995 Suite Entry Security System 1 Biometric smart card reader for entry doors $99 $99 Total Cost Total Cost $88,006.98 Wireless Equipment Cisco Aironet 1250 Series 5 Wireless Access Point $200 $1,000 Cisco 4404 Series WLAN Controller 1 Wireless LAN Controller $7,899 $7,899 Total Total $8,899 VoIP Equipment Cisco 7912 IP Phone 94 Cisco VoIP Phones $55 $5,170 Cisco Unified Communications 560 1 Call Manager System $1,895 $1,895 Cisco VG350 144 FXS Bundle 1 Voice Gateway $24,500 $24,500 Total Total $31,565 2.6 Security Implementation Tasks Step # Task 1 Physically install Cisco ASA 5500 firewall 2 Configure ASA 5500 firewall 3 Setup access to the public server farm in DMZ in ASA 5500 4 Configure VPN for IPSEC in ASA 5500 5 Configure firewall rules in ASA 5500 6 Physically install Cisco IPS 4270 7 Configure IPS 4270 for “inline mode” between ASA 5500 and WWTC network 8 Install and configure McAfee E-Policy Orchestrator (EPO) 9 Install and configure Cisco Access Control Server (CACS) 5.4 10 Install and configure KG-175D 11 Configure VLAN security on network devices 12 Configure port security on network devices 13 Configure DHCP snooping on network devices 2.6.1 Physically install Cisco ASA 5500 firewall The device is a Cisco firewall and will be located in the unclassified IT closet, room 3 in Suite A. First step is to confirm all the equipment shown in Figure 4 is in package. Figure 4 Equipment Next step would be to connect a notebook directly with an Ethernet cable and configure the notebook with DHCP while connecting it to appropriate ports shown in Figure 5.
Implementation Plan Template Group 5 UMUC CMIT 495 Figure 5 Configuration Ports 2.6.2 Configure ASA 5500 firewall Use the setup wizard to configure basic and advanced features thru the graphical user interface that allows you to manage the ASA from any location by using a web browser. Step 1 On the PC connected to the ASA, launch a web browser. Step 2 In the Address field, enter the following URL: https://192.168.1.1/admin. The Cisco ASDM web page appears shown in Figure 6. Figure 6 Cisco ASDM web Step 3 Click Run Startup Wizard. The main ASDM window appears and the Startup Wizard opens shown Figure 7 and enter the following configurations. Hostname: WWTC_NYFW_01 Domain name: NY.WWTC.com Administrative passwords: letmein IP addresses: 192.168.23.191/195 Static routes: 192.168.20.0, 192.168.21.0, 192.168.22.0 DHCP server: 192.168.20.189
Implementation Plan Template Group 5 UMUC CMIT 495 Figure 7 Startup Wizard 2.6.3 Setup access to the public server farm in DMZ in ASA 5500 NY.WWTC.com has a DMZ that contains Public Server for the internal network, such as a web, email, which need to be available to an outside user. By placing the public servers on the DMZ, any attacks launched against the public servers do not affect inside NY.WWTC.com network. The figure below shows the setup process for each public server. For example Figure 8 is setup for the web server. Figure 8 Add Public Server 2.6.4 Configure VPN for IPSEC in ASA 5500 Step 1 Site-to-Site VPN Wizard—Create an IPsec site-to-site tunnel between two ASAs or the client can run either the SSL or IPsec IKEv2 VPN protocol. Step 2 After authentication, users access a portal page and can access specific, supported internal resources. The IT Team will provide access to resources by users on a group basis by department such as Execs/HR/Brokers/Management/Finance and IT. ACLs will be applied to restrict or allow access to WWTC resources. Step 3 IPsec (IKEv1) Remote Access VPN Wizard—Configures IPsec VPN remote access for the Cisco IPsec client shown in Figure 9. 192.168.10.10
Implementation Plan Template Group 5 UMUC CMIT 495 Figure 9 VPN Wizard 2.6.5 Configure firewall rules in ASA 5500 Name Action Direction Protocol Port Allow Net Time Protocol Allow In/Out UDP/IP 123 Allow DNS Allow Out UDP/IP 53 Allow bootp Allow In/Out UDP/IP 68 Allow incoming bootp Allow In UDP/IP 68 Allow NetBIOS Allow In/Out TCP/IP Allow NetBIOS Allow In/Out UDP/IP Allow Ipsec ESP Allow In/Out IPSEC N/A Allow IKE Allow In UDP ike (500) All IKE Outbound Allow Out TCP Any Allow Client to Server Communication Allow In TCP http (80) Block incoming pings Not Allow In ICMP Echo Request Block ICMP Timestamp Not Allow In ICMP N/A Block ICMP Router Solicit Not Allow In ICMP N/A Block ICMP Redirect Not Allow In ICMP 5 Allow all ICMP Allow In/Out ICMP Any 2.6.6 Physically install Cisco IPS 4270 The Cisco IPS 4270 is a Intrusion Prevention System that will be located in the unclassified IT closet, room 4, Suite A and classified IT closet, room 4, Suite D. Traffic will go through the IP then forwarded to the firewall checks. The IPS is “inline mode” with the firewall. Order of traffic will be:  Traffic enters IPS  IPs applies security policies to traffic and takes action  Valid traffic is sent to ASA firewall  Traffic enters the ASA.  Firewall policies are applied.  Incoming traffic is decrypted  Outgoing VPN traffic is encrypted 2.6.7 Configure IPS 4270 for “inline mode” between ASA 5500 and WWTC network Figure 10 is an example of how the inline mode IPs works except the firewall is behind the IPS before the inside network:
Implementation Plan Template Group 5 UMUC CMIT 495 Figure 10 IPS inline mode Connecting device:  Use CAT 5e/6-certified cabling for all connections.  The interfaces will be configured to match the interfaces of the appliance for speed/duplex negotiation (auto/auto).  Portfast will be enabled on connected switchports to reduce spanning-tree forwarding delays. 2.6.8 Install McAfee E-Policy Orchestrator (EPO) The McAfee EPO server provides Antivirus and Host Intrusion Prevention (HIP) to all host systems in NY.WWTC.com domain. The server will be located in the unclassified IT closet, room 4, Suite A and classified IT closet, room 4, Suite D. Step 1 McAfee EPO software will be installed on 2008R2 Server/64bit. Configure IP of Server for 192.168.22.10 for unclassified and classified server. Once software fully installs by default configurations, the following logon will appear and username is defaulted admin with password: admin. The following logon is shown in Figure 11. Figure 11 McAfee EPO installation Step 2 Deploy the McAfee agent to all client systems in the NY.WWTC.com domain which will install Virus Scan Enterprise (VSE) and Host Intrusion Prevention (HIP) on all systems. Below is the setup process to install the agent on all systems from the EPO Server. After the agent deploys to all systems, ensure the clients are pulling VSE and HIPs which is shown Figure 12 and 13.
Implementation Plan Template Group 5 UMUC CMIT 495 Figure 12 Virus Scan Enterprise Figure 13 Host Intrusion Prevention 2.6.9 Install and configure Cisco Access Control Server (ACS) 5.4 The ACS will be located in the unclassified IT closet, room 4, Suite A and classified IT closet, room 4, Suite D. Authentication verifies user information to confirm the user's identity. Traditional authentication uses a name and a fixed password. More secure methods use cryptographic techniques, such as those used inside the Challenge Authentication Handshake Protocol (CHAP), OTP, and advanced EAP-based protocols (User Guide for Cisco Secure Access Control System 5.4, 2015). ACS supports a variety of these authentication methods (User Guide for Cisco Secure Access Control System 5.4, 2015). A fundamental implicit relationship will exist between authentication and authorization. The more authorization privileges granted to a user, the stronger the authentication should be. ACS supports this relationship by providing various methods of authentication (User Guide for Cisco Secure Access Control System 5.4, 2015) Step 1 Add network devices, users and create authorization rules to allow or deny access through RADIUS authentication. RADIUS authentication port number is 1812. Step 2 Install ACS license, system certificates and configure password policy rules for administrators and users. 2.6.10 Install and configure KG-175D The KG-175D is a TACLANE that separates the classified data from the unclassified data through communication security. Step 1 Physically install KG-175D  Attach a ground wire to an earth ground  Loosen or remove the nut from the “GND” ground binding post on the TACLANE as needed.  Attach the ground wire to the “GND” ground binding post on the TACLANE and tighten the nut.  Make sure that the TACLANE is powered off.
Implementation Plan Template Group 5 UMUC CMIT 495  Connect the power cable to the power connector on the TACLANE.  Plug the power supply cable into a standard 110 VAC power outlets.  Connect the Ethernet cable to the PT or CT RJ-45 jack on the TACLANE Step 2 Configure KG-175D to separate classified from unclassified network  Configure ASA 5500 firewall in the path between communicating TACLANEs to pass SDD, IKE, and ESP.  Insert CIK  Power on TACLANE  CIK activation will initialize 2.6.11 Configure VLAN security on network devices All unused ports will be shutdown or placed in a black hole VLAN. By shutting down or isolating all unused ports will disable trunking of the unused ports. In addition, Dynamic Trunk Protocol will be turned off to prevent automatic negotiating to trunking mode which only allows manual configuration for trunking a port. The command will be (config-if)# switchport negotiate on the interface. 2.6.12 Configure port security on network devices Enabling port security limits the amount of MAC addresses that can connect and send data on the ports they are connected to. This prevents unauthorized MAC addresses from connect to a port and obtaining access to the network. The command will be (config-if)# switchport port-security on the interface and to have the port shutdown due to unauthorized connections, a protection will be enabled. The command will be (config-if)# switchport port-security violation protect. 2.6.13 Configure DHCP snooping on network devices Enabling DHCP snooping can provide another layer of defense through the router by acting like a secondary firewall between the DHCP server and untrusted systems. The command to set up DHCP snooping is (config)# feature dhcp and is configured on the switch. 2.7 Active Directory Implementation Step # Task 1 Prepare the Forest Root/Parent Domain; WWTC.com 2 Create the Forest Root/Parent Domain; WWTC.com 3 Create a Child Domain; NY.WWTC.com 2.7.1 Prepare the Forest Root/Parent Domain; WWTC.com 1) Deploy the First Forest Domain Controller. Review the AD DS and logical structure design. 2.7.2 Create the Forest Root/Parent Domain; WWTC.com Step 1 Enable Windows Server 2012 R2 AD DS advanced features by raising the forest and domain functional levels. It is recommended that you raise forest and domain functional levels while you run the Active Directory Domain Services Installation Wizard (Dcpromo.exe). Step 2 Creating the Forest Root Domain: WWTC’s Hong Kong Headquarters office had previously established the WWTC.com Forest domain. Reportedly, they installed the Active Directory Domain Name Services (AD DS) role onto their first domain controller by utilizing the Windows Server 2012R2 Server Manager tool. Installing AD DS is performed through “Add roles and features”, a wizard that automatically adds in the needed tool sets and features required for active directory. Once AD DS was installed, Server Manager alerted the administrator that a post-deployment action was needed entitled, “Promote this server to a domain a controller”. Upon selecting the deployment configuration wizard,
Implementation Plan Template Group 5 UMUC CMIT 495 Hong Kong created the Forest named WWTC.com. (Figure 14) Once the prerequisite checks passed, the domain controller promotion completed successfully and WWTC.com established the schema. Figure 14 Add AD Forest 1) Deploy the First New York Domain Controller a) Install Active Directory Domain Services (AD DS) by running the Active Directory Domain Services Installation Wizard on the server selected to be the first domain controller. b) Add new domain to an existing forest (Fig. 15) Figure 15 Child Domain 2.8 Configuration of Routers The following information is provided in order to configure the NY.WWTC routers. This is the first time the routers are accessed and they contain a default configuration from Cisco. The router holds an IOS (Internetwork Operating System). This IOS is considered proprietary software and should not be accessed or modified unless specifically handled by WWTC’s IT team. Figure xxx illustrates NY.WWTC’s Core
Implementation Plan Template Group 5 UMUC CMIT 495 Router 1 (CR1) and will be used as the configuration example. All other NY.WWTC.com routers will follow suit appropriate to the router name and IP addressing Figure 16. Name Interfac e IP CR1 Gi0/0 Gi0/1 Gi0/2 192.168.23.193 192.168.23.205 65.32.1.65 to ISP CR2 Gi0/0 Gi0/1 Gi0/2 192.168.23.201 192.168.23.207 65.32.1.68 to ISP DR1 Gi0/0 Gi0/1 Gi0/2 192.168.23.192 192.168.23.202 192.168.23.209 DR2 Gi0/0 Gi0/1 Gi0/2 192.168.23.206 192.168.23.202 192.168.23.210 CCR1 Classified Gi0/0 Gi0/1 172.16.31.201 172.16.31.202 Figure 16 IP Addressing The following information is used by IT staff members to setup communications between a router and a NY.WWTC.com computer. IMPORTANT: Prior to starting the configuration, it is important for the IT staff to verify that all peripherals devices are connected properly to the routers. Failure to properly connect these devices could result in incomplete or misconfigured device operation. HyperTerminal (HT) into the Router Software Name Cabling Required Procedure HT allows configuration access into Router interface through the HT application. HT settings are considered standard and can be applied on every NY.WWTC.com router. HT> WWTC Windows 8 users can obtain a free copy of HyperTerminal from here. Cable, Console port DB9 to RJ45 Cable, USB to DB9 adapter Connect Console port cable DB-9- RJ45 with USB Adapter to USB jack on computer. Attach other end to RJ-45 jack on back of the router. Open HyperTerminal on the laptop by going to the Start -> All Programs -> Accessories -> Communications and click on HyperTerminal. Configure HyperTerminal by going to the properties menu. Set up the program with the correct serial port, i.e. COM1. Configure the serial port to 9600 bit/s, eight (8) data bits, no parity bit, one (1) stop bit, and flow control set to none. Once the terminal communication program has been properly configured, press <Enter> and the command prompt # will appear.
Implementation Plan Template Group 5 UMUC CMIT 495 The following commands are Global Configurations mode commands used to configure the Router Name and set up security passwords. Display Command 1. Router> Press <Enter> to connect with the router (The terminal should display: con0 is now available 2. Router> Type enable 3. Router# Type configure terminal 4. Router(config)# Type hostname CR1 (sets the device hostname) 5. CR1(config)# Type enable password letmein (sets the enable password) 6. CR1(config)# Type enable secret NY.R0uter (sets an encrypted secret password) 7. CR1(config)# Type line console 0 (enters console line mode) 8. CR1(config-line)# Type password letmein (sets a password on the line console login) 9. CR1(config-line)# Type login (forces the use of the password) Type exit 10. CR1(config)# Type line vty 0 4 (enters the vty mode for all 5 vty lines) 11. CR1(config-line)# Type password letmein (sets the password for the vty lines) 12. CR1(config-line)# Type login (forces the use of the password) Type exit 13. CR1(config)# Type line aux 0 (enters the auxiliary line mode) 14. CR1(config-line)# Type password letmein (sets the password on the aux port) 15. CR1(config-line)# Type login (forces the use of the password) Type exit, Type exit 16. CR1# Type copy run start (saves configuration to NVRAM) The following commands shown below are to assign an IP address to the interfaces and to assign a login banner. Display Command 1. CR1(config)# Type ip domain-name NY.WWTC.com 2. CR1(config)# Type router eigrp 1 3. CR1(config-router)# Type no auto-summary Type exit 4. CR1(config)# Type interface Gi0/0 5. CR1(config-if)# Type ip address 192.168.23.193 255.255.255.0 6. CR1(config-if)# Type no shut 7. CR1(config-if)# Type interface Gi0/1 8. CR1(config-if)# Type ip address 192.168.23.205 255.255.255.0 9. CR1(config-if)# Type no shut 10. CR1(config-if)# Type interface Gi0/2 11. CR1(config-if)# Type ip address 65.32.1.65 255.255.255.0 12. CR1(config-if)# Type no shut -- Type exit 13. CR1(config)# Type banner motd # (Terminal should display: Enter TEXT message. End with the character ‘#’) Enter WARNING …You are accessing a company proprietary information system that is provided for WWTC authorized use only. Unauthorized access is prohibited! Enter your username and password. # 14. CR1(config)# Type exit 15. CR1# Type copy run start (saves configuration to NVRAM) Power the laptop OFF by performing normal computer shutdown procedures and disconnect the console cable from the laptop USB port and from the CR1 router console port. 2.9 Configuration of Switches The following steps are required to configure the NY.WWTC switches. This is the first time the switches are accessed and they contain a default configuration from Cisco. The switch holds an IOS (Internetwork Operating System). This IOS is considered proprietary software and should not be accessed or modified
Implementation Plan Template Group 5 UMUC CMIT 495 unless specifically handled by WWTC’s IT team. Figure xxx illustrates NY.WWTC’s switch (ASW1) and will be used as the configuration example. All other NY.WWTC.com switches will follow suit appropriate to the switch and IP addressing in Figure 17. Name Interface IP ASW1 Fa0/0 Fa0/1 192.168.23.22 3 192.168.23.22 9 ASW2 Fa0/0 Fa0/1 192.168.23.23 2 192.168.23.22 6 CASW 1 Classified Fa0/0 Fa0/1 172.16.31.205 172.16.31.206 Figure 17 Switch IP Addressing The following information is used by IT staff members to setup communications between a switch and a NY.WWTC.com computer. HyperTerminal (HT) into the Router Software Name Cabling Required Procedure HT allows configuration access into switch interface through the HT application. HT settings are considered standard and can be applied on every NY.WWTC.com router. HT> WWTC Windows 8 users can obtain a free copy of HyperTerminal from here. Cable, Console port DB9 to RJ45 Cable, USB to DB9 adapter Connect Console port cable DB-9- RJ45 with USB Adapter to USB jack on computer. Attach other end to RJ-45 jack on back of the router. Open HyperTerminal on the laptop by going to the Start -> All Programs -> Accessories -> Communications and click on HyperTerminal. Configure HyperTerminal by going to the properties menu. Set up the program with the correct serial port, i.e. COM1. Configure the serial port to 9600 bit/s, eight (8) data bits, no parity bit, one (1) stop bit, and flow control set to none. Once the terminal communication program has been properly configured, press <Enter> and the command prompt # will appear. The following commands are Switch Configuration commands used to configure the switch name and set up security passwords. Display Command 1. Switch> Press <Enter> to connect with the switch (The terminal should display: con0 is now available 2. Switch> Type enable
Implementation Plan Template Group 5 UMUC CMIT 495 3. Switch# Type configure terminal 4. Switch(config)# Type hostname ASW1 (sets the device hostname) 5. ASW1(config)# Type ip domain-name NY.WWTC.com 6. ASW1(config)# Type no ip domain-lookup (This disables the switch from translating unfamiliar words) 7. ASW1(config)# Type enable password letmein (sets the enable password) 8. ASW1(config)# Type enable secret NY.Switch (sets an encrypted secret password) 9. ASW1(config)# Type crypto key generate rsa How many bits in the modulus [512]: 2048 10. ASW1(config)# Type line console 0 (enters console line mode) 11. ASW1(config-line)# Type password letmein (sets a password on the line console login) 12. ASW1(config-line)# Type login local (forces the use of the password) 13. ASW1(config-line)# Type transport input ssh 14. ASW1(config-line)# Type exec-timeout 1 00 Type exit 15. ASW1(config)# Type line vty 0 4 (enters the vty mode for all 5 vty lines) 16. ASW1(config-line)# Type password letmein (sets the password for the vty lines) 17. ASW1(config-line)# Type login local (forces the use of the password) 18. ASW1(config-line)# Type transport input ssh 19. ASW1(config-line)# Type exec-timeout 5 Type exit 20. ASW1(config)# Type line vty 5 15 (enters the vty mode for vty lines 5 through 15) 21. ASW1(config-line)# Type password reallykeepout (sets the password for the vty lines) 22. ASW1(config-line)# Type login (forces the use of the password) Type exit 23. ASW1(config)# Type line aux 0 (enters the auxiliary line mode) 24. ASW1(config-line)# Type password letmein (sets the password on the aux port) 25. ASW1(config-line)# Type login (forces the use of the password) Type exit, Type exit 26. ASW1(config)# Type no logging console Type exit 28. ASW1# Type copy run start (saves configuration to NVRAM) 2.10 VLAN configurations The following information is used by IT staff members to setup the individual VLANs on ASW1 and ASW2. VLAN 20 “Staff” will be used as the example. The following commands will assign the appropriate VLAN to the appropriate switch. (Refer below above for name and IP assignments). Display Command 1. ASW1# Press <Enter> to connect with the switch (The terminal should display: con0 is now available 2. ASW1# Type enable 3. ASW1# Type configure terminal 4. ASW1(config)# Type interface f0/1 5. ASW1(config)# Type vlan 20 6. ASW1(config-vlan)# Type name staff 7. ASW1(config-vlan)# Type switchport mode access 8. ASW1(config-vlan)# Type switchport access vlan 20
Implementation Plan Template Group 5 UMUC CMIT 495 9. ASW1(config-vlan)# Type switchport port-security mac-address sticky 10. ASW1(config-vlan)# Type switchport port-security maximum 1 11. ASW1(config-vlan)# Type switchport port-security violation shutdown 12. ASW1(config-vlan)# Type ip address 192.168.20.254 255.255.255.0 13. ASW1(config-vlan)# Type no shutdown Type exit 14. ASW1(config)# Type ip default-gateway 192.168.23.193 15. ASW1(config)# Type no shutdown 16. ASW1(config)# Type password letmein (sets the password for the vty lines) 17. ASW1# Type copy run start (saves configuration to NVRAM) Power the laptop OFF by performing normal computer shutdown procedures and disconnect the console cable from the laptop USB port and from the ASW1 switch console port 2.11 Voice VLAN and wireless NY.WWTC site requires network access for users and guest users in limited areas of the three lobbies and two conference rooms throughout Suite A-C. Since NY.WWTC is providing a private network, WWTC wireless users will be designated to VLAN 27 to keep wireless users from accessing the WWTC intranet. Creating a VLAN for the wireless users provides enhanced security to keep unauthorized users from accessing WWTC’s sensitive data. WWTC requires a state of the art VOIP network. The voice and data must be integrated to reduce cost and maintain 100% connectivity. Voice over IP provides a latest platform for internal and external communication. The technology is cheap, simple, and scalable and has high degree of fault tolerance. To prevent network congestion, NY.WWTC isolates the VoIP traffic from the data traffic because VoIP traffic is extremely sensitive to network delays that occur from unavailable bandwidth and bottlenecks. The isolation of the VoIP traffic is accomplished by the creation of separate VLANs. The VoIP traffic will be designated to VLAN 24 to keep VoIP separated from the data traffic on NY.WWTC’s network. By dedicating VoIP to a VLAN, IT managers allow the VoIP services to be easily managed. Table 18 and 19 outline the VoIP assignment and topology. Figure 18 VoIP Assignment
Implementation Plan Template Group 5 UMUC CMIT 495 Figure 19 VoIP Topology 2.12 Security technologies The security goals of NY.WWTC.com are to protect key assets which in today’s industry are vulnerable to four common threats. Those are: reconnaissance attacks, intruder threat, denial of service attack and malware infiltration. In addition to those security threats, WWTC is focused on eliminating the lack of security training for WWTC employees. Quarterly, WWTC conducts an all-hands training session that reviews the latest security threats for business. The WWTC’s IT team is also aware that weak security devices (or those lacking functionality), could cost WWTC time and money if/when not properly positioned. The fix: implement a collection of security devices and properly configure and position those devices within the network. Key Assets The NY.WWTC site presents a High Level security plan where key applications, servers and network resources (data) will be kept secure. NY.WWTC presents these security technologies based on current industry standards with multilayered security and a defense-in-depth models. The following areas have been identified as NY.WWTC key assets and will be protected.  Market Tracking Application Servers  Stock and Bond Analytical Application Servers  On Line Trading Sites and Methods  Finance data  Human Resources data  All NY.WWTC Internal Servers The following table lists and describes the security device roles that will be used to protect NY.WWTC key assets. Each icon is represented in Figure 21. The illustration aims at presenting a high level representation and the placement of these devices.
Implementation Plan Template Group 5 UMUC CMIT 495 Icon Item Name Description Role Cisco ASR 1001 Edge Router These routers sit at the edge of the WWTC network connecting the company to the WANs Internet Service Provider links 1. Managed services, including VPN and firewall 2. Provides WAN aggregation and secure, encrypted WAN connectivity 3. Provides WWTC with Deep packet Inspection (DPI) Cisco IPS 4270 These Intrusion Prevention Systems monitor IP traffic within WWTC's network 1. An inline network security appliance 2. Detect threats to intellectual property and WWTC customer data 3. Stops sophisticated attackers by detecting behavioral anomalies, evasion, and attacks against WWTC vulnerabilities 4. Reduce the time and effort required to implement and update security measures KG175D High Assurance IP Encryption 1. Encrypts WWTC traffic from NY to Tokyo. 2. Remote HAIPE-to-HAIPE keying 3. Ethernet, IPv4/IPv6 Dual Stack compatible Cisco Access Control System 5.4 WWTC's centralized identity and access policy solution with network access policy and identity strategy 1. WWTC managed access policy device that defines policy rules in both IPv4 and IPv6 networks 2. Integrates with external identity and policy databases, including WWTC's Windows Active Directory to control network access 3. Provides standards-compliant Authentication, Authorization, and Accounting (AAA) services to the WWTC network for VPN and wireless users McAfee EPO Server Provides host base security to prevent malware, exploitations, reconnaissance, denial of service, loss of data, intrusions and is managed from one server. Provides Virus Scanning Enterprise. Integrates Host Intrusion Prevention (HIPS) Prevents data loss with Data Loss Prevention (DLP) Figure 20 Security Technology Figure 21 illustrates the positioning of key asset protection devices. IPsec technology will be deployed on.
Implementation Plan Template Group 5 UMUC CMIT 495 Figure 21 IPsec Deployment 2.13 DHCP and DNS The NY.WWTC site has two types of DNS zones; Forward and Reverse. A forward lookup zone resolves a name to an IP address while a reverse lookup zone does the opposite and resolves an IP address to a name. The global catalog domain controller (NYDC01.NY.WWTC.com) has an assigned static IP address of 192.168.20.189 and is considered the zone’s SOA (Start of Authority) record. This server hosts many types of records. A host name record (called an A record, IPv4) translates a name into an IP address. Related to the reverse zone, pointer (PRT) records are always written backwards ( ). NY.WWTC.com uses an Active Directory Integrated zone meaning that all DNS records are stored within Active Directory. Located on the NYDC01.WWTC.com domain controller (assigned as the domain global catalog server), the DNS zone is a Primary zone. All AD domain controllers hold a DNS role. AD is known as a multi-master loosely defined database. This means that all other AD domain controllers replicate and exchange (propagate) information between each other. The benefit of using primary DNS lookup zones is that this propagation is done in a secured manner. For example, when NYDC01 and NYDC02 exchange zone records, the exchange is always done through a technique known as secure dynamic updates. It is true then, that within the entire WWTC.com’ DNS structure (the Forest), all DNS zones are considered primary and replication (known as Zone Transfers) are performed securely. Hong Kong domain controllers replicate to NY.WWTC.com, and vice versa. Below are images of NYDC01.NY.WWTC.com domain controller DNS configuration. Figure 22 illustrates DNS secured configuration, Figure 23 illustrates DNS records and Figure 24 illustrates DNS zone transfer.
Implementation Plan Template Group 5 UMUC CMIT 495 Figure 22 DNS Secured Configuration Figure 23 DNS Records Figure 24 DNS Zone Transfer Dynamic Host Configuration Protocol (DHCP) is a method that dynamically and automatically assigns IP addressing (IP Addresses) to client computers located on the NY.WWTC.com domain. NYDC01.NY.WWTC.com is the server that will hold the DHCP role for NY.WWTC.com. NYDC01 not only issues the client IP address, but will also deliver the network subnet mask, the default gateway of the network, and both a primary and secondary DNS server IP addresses to domain client computers. NYDC01.NY.WWTC.com will have 6 scopes illustrated in Figure 25: Scope Name # of Addresses Subnet Mask Default Gateway DNS1 Brokers 126 255.255.255.128 192.168.20.1 192.168.20.189
Implementation Plan Template Group 5 UMUC CMIT 495 Managers 62 255.255.255.192 192.168.20.1 192.168.20.189 Executives 30 255.255.255.224 192.168.20.1 192.168.20.189 Staff Scope 30 255.255.255.224 192.168.20.1 192.168.20.189 Phones 254 255.255.255.0 192.168.20.1 192.168.20.189 IT Management 30 255.255.255.224 12.168.20.1 192.168.20.189 Figure 25 NY.WWTC Scopes 2.14 Active Directory Policies Windows BitLocker Drive Encryption is a security feature that provides enhanced data protection for computers by encrypting all data stored on the Windows Operating System volume (Microsoft, 2014). A Trusted Platform Module (TPM) is a microchip that is built into computers to store cryptographic information such as encryption keys. BitLocker uses TPM to help protect the Windows Operating System and user data, and helps to ensure a computer is not tampered with in the invent it is lost or stolen (Microsoft, 2014). To encrypt the workstations and servers in NY.WWTC, the IT team will deploy the BitLocker encryption technology onto these devices. BitLocker drive encryption is a technique that is used to secure data at rest behind unique, hard to crack passwords. BitLocker Drive Encryption encrypts computer data using a strong encryption algorithm offering maximum security for the WWTC business user. As an extreme example, imagine a computer being stolen from WWTC. The thief, after starting the computer, or even removing the hard drive and placing it into a different computer, would be restricted from accessing any information due to the encryption technology. To the thief, the information is jumbled and unreadable. Implementing BitLocker Encryption technology onto WWTC devices requires each employee to have: 1. A separate UBS flash Drive used to store a PIN or key. Or, 2. A computer with a Trusted Platform Module (TPM). A TPM is a special microchip located in the computer that supports advanced security encryption features. TPM version 1.2 or higher stores its key in the TPM itself Enforcing BitLocker encryption on a USB WWTC employees are known to occasionally take data off site. To enforce that BitLocker encrypts only the used space of a removable storage media device (e.g. USB drive), WWTC enforces a group policy that sets BitLocker drive encryption on removable media. WWTC’s IT team sets a GPO under Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption. Figure 26 provides a visual sample of where this setting(s) can be found.
Implementation Plan Template Group 5 UMUC CMIT 495 Figure 26 Bitlocker Encryption BranchCache To provide increased manageability, scalability, and data availability, the WWTC IT team enables a technology known as BranchCache across the network. BranchCache is a technology that copies content from WWTC’s Hong Kong file servers and caches (saves in memory) the content on to WWTC’s New York regional office file servers allowing client computers at the regional offices to access the content locally rather than over the WAN. (Microsoft, 2015). A benefit of deploying BranchCache results in efficient optimization and use of bandwidth. For example, when a client accesses remote content in Japan, BranchCache is used to store (cache) the desired content locally on the NY site. If a client wants to access the same content later, that data does not need to be downloaded a second time as it already resides within the BranchCache in NY. By default, BranchCache allocates 5% of the disk space for the cache, but this value can easily be changed by creating and assigning a GPO. One of the concerns is bandwidth. Bandwidth can become quickly saturated if wireless networking (WLAN) is utilized alongside wired methods. Shown in Figure 27 enabling BranchCache on WWTC client computers is done through a group policy. WWTC’s IT team sets a GPO under Computer Configuration | Policies | Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine | Network | BranchCache shown in Figure 4. (Technet, 2015). Figure 27 Branch Cache 2.14.1 Configure Global Catalog Servers and FSMO roles The Schema Master and Domain Naming Master will be located at the Forest root (WWTC.com).
Implementation Plan Template Group 5 UMUC CMIT 495 The RID Master, Infrastructure Master, PDC Emulator roles are located in each child domain (NY.WWTC.com), yet there will be only one domain controller performing these jobs per domain. (Testout.com, 2015). On the opened Active Directory Sites and Services snap-in, from the left pane, expand Active Directory Sites and Services (DC-01.NY.WWTC.com) > Sites > Default-First-Site-Name > Servers > DC-01. DC- 01.NY.WWTC.com and DC-01 are the Fully Qualified Domain Name and the hostname of the target Active Directory domain controller that you want to be promoted as a Global Catalog server in this demonstration respectively which is illustrated in example below. On the displayed NTDS Settings Properties box, make sure that the General tab is selected. On the displayed interface, check the Global Catalog checkbox to promote the target Active Directory domain controller to a Global Catalog server. Shown below is a screenshot of where to select a server for Global Catalog. 2.15 Active Directory Forest Domain OU formation WWTC is headquartered in Hong Kong Japan, yet operates regional offices around the world. WWTC’s newest office is being established on Wall Street in New York City. The New York office is largely autonomous and only has a few IT personnel to take care of day-to-day IT support activities such as password resets and troubleshooting virus problems. As well, the IT team is concerned about sensitive data stored in this location. As a result, WWTC is deploying a highly developed OU structure in order to implement security policies uniformly through the use of Group Policy Objects (GPO). This will be performed on the company’s domains, OU’s, and workstations. As a top level diagram, Figure 28 is the structure of WWTC’s forest layout.
Implementation Plan Template Group 5 UMUC CMIT 495 Figure 28 Forest Layout The WWTC forest design is: 1. One forest for WWTC.com (Hong Kong based) – this is called the forest root or Parent domain -- WWTC.com is a Tree domain that establishes the company’s name space 2. Within this forest, the IT team has created a second domain called NY.WWTC.com -- NY.WWTC.com is known as a Child domain that shares the common name space 3. WWTC.com and NY.WWTC.com domains trust each other 4. NY.WWTC.com can share resources with WWTC.com and vice versa 5. WWTC.com uses a common schema where all objects within the Forest take advantage of common applications (e.g. mail services (Microsoft Exchange), Intranet web sites, Market Tracking and Stock and Bond Analytical applications) 6. The WWTC Forest can easily accommodate growth (such as additional domains) In general, all WWTC.com computers belong to a domain. These domains have been established based on the physical location of where the local resources reside. The users in Hong Kong belong to WWTC.com and the users in New York are members of NY.WWTC.com. A standardized, shared naming convention (a common space (WWTC.com)) is in place and both domains “trust” each other. Like that of Hong Kong, the New York office has established OUs that mirror the logical structure of the company’s NY office mission. Shown in Figure 29 is the NY.WWTC.com infrastructure of ten OU’s.
Implementation Plan Template Group 5 UMUC CMIT 495 _New York Organizational Units Brokers  Users  Workstations Execs (Executives)  Users  Workstations Finance  Users  Workstations HR (Human Resources)  Users  Workstations IT  Users  Workstations Managers  Users  Workstations Printers Servers Clustered Servers Security Groups Figure 29 OU Structure OU’s for each department within the NY.WWTC.com domain have been proposed. Inside each department OU are two other OU’s; Users and Workstations. All employees (users) and their computers (workstations) will be properly placed inside of these nested containers according to their department. 2.16 Active Directory Group Formation Universal groups can be assigned permissions to resources anywhere in the forest. Universal groups can contain members from any domain in the forest. These include Universal groups within the forest, Global groups within the forest and/or Users and computers within the forest (Labsim, 2015). The Universal Groups, who require access within WWTC.com and NY.WWTC.com, are: 1. Execs (Executives) 2. Finance 3. HR (Human Resources) Domain Local groups have permission within the current Domain. The following groups will be created for personnel who need access to only the NY.WWTC.com domain. Below are the Domain Local Groups: 1. Brokers 2. IT (Information Technology) 3. Managers
Implementation Plan Template Group 5 UMUC CMIT 495 Global groups can be assigned permissions to resources anywhere in the forest. Global groups can contain members within the same domain. The Global Group is created for users with VPN access when traveling between sites. The following Global Group is: 1. VPN Remote Figure 30 shows the role and the group scope of each type of group: Figure 30 Group Scope PowerShell Scripting Powershell is a command-line tool that offers administrators an alternative over the standard graphical user interface (GUI) environment. Servers are less burdened without memory intensive GUI applications and video rendering software. Related to Active directory, groups can be built by using Powershell scripting. To do a bulk build of groups through a Powershell script, WWTC IT staff recommends importing .csv file that holds data identifying the group information. An example of the NY.WWTC group structure, the below is a representation of information found within a .csv file. GroupName GroupType GroupLocation Brokers DomainLocal OU=_New York,OU=Security Groups Execs Universal OU=_New York,OU=Security Groups Finance Universal OU=_New York,OU=Security Groups HR Universal OU=_New York,OU=Security Groups IT Admins DomainLocal OU=_New York,OU=Security Groups Managers DomainLocal OU=_New York,OU=Security Groups VPN Remote Global OU=_New York,OU=Security Groups
Implementation Plan Template Group 5 UMUC CMIT 495 In order to execute the group Powershell command, specific syntax is needed. The following example represents the script syntax required to automatically create NY.WWTC groups. $csv = @() $csv = Import-Csv -Path "C:Desktopbulk_input.csv" #Get Domain Base $searchbase = Get-ADDomain | ForEach { $_.DistinguishedName } ForEach ($item In $csv) { $check = [ADSI]::Exists("LDAP://$($item.GroupLocation),$($searchbase)") If ($check -eq $True) { Try { $exists = Get-ADGroup $item.GroupName Write-Host "Group $($item.GroupName) alread exists! Group creation skipped!" } Catch { $create = New-ADGroup -Name $item.GroupName -GroupScope $item.GroupType -Path ($($item.GroupLocation)+","+$($searchbase)) Write-Host "Group $($item.GroupName) created!" } } Else { Write-Host "Target OU can't be found! Group creation skipped!" } } 2.17 Active Directory GPO Implementation An important management process for NY.WWTC.com is having the ability to define unique yet managed configurations for all users and computers across the WWTC.com forest. The deployment strategy and designed use of group policies is for security configurations, updating and installing software and protecting the confidentially, integrity and availability of WWTC.com computing information systems. For security purposes, the following Group Policies will be applied to the NY.WWTC.com Default Domain Policy shown in the Figure 31 below: 1. Rename the local Administrator Account Policy 2. Disable the Guest Account Policy 3. User Access Control (UAC) Policy
Implementation Plan Template Group 5 UMUC CMIT 495 Figure 31 Default Domain Policy Renaming the local Administrator Account on hundreds of systems can be very time consuming which is why enforcing GPOs allows for easier management. This GPO offers security to all systems in the NY.WWTC.com domain by renaming the local Administrator account which could be exploited. The settings for creating this GPO are found in Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity Options, which can be seen in the flowing Figure 32. Figure 32 Renaming Local Administrator Account Disabling the Guest Account can also be a time consuming task when required on hundreds of systems. The benefit of Active Directory is it can be enforced in the domain. Disabling the Guest Account prevents unauthorized access from a threat. The settings for creating this GPO are found in Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity Options, which can be seen in Figure 33.
Implementation Plan Template Group 5 UMUC CMIT 495 Figure 33 Disabling Guest Account User Account Control provides security which enforces standard user level access and administration authentication for any changes or modifications to a system (Technet, 2015). It prompts a user for Administrative rights when accessing applications, registry or file systems. This enables Administrators to use their user account without having to log on and off systems to enforce Administrator actions. The settings for creating a UAC GPO are found in Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity Options, which can all be seen in Figure 34. Figure 34 UAC
Implementation Plan Template Group 5 UMUC CMIT 495 2.18 Project Time Line Date Completed Project Milestone January 25 Business and design requirements identified for the LAN, Wireless, VoIP, security, and Active Directory implementation. Please refer to Group 5 DR Assignment document. February 4 Preliminary design for the LAN, Wireless, and VoIP has been submitted for client review. Please refer to LAN_VOIP_Wireless Assignment document. February 11 Design modification requests for the LAN, Wireless, and VoIP received from the client. February 15 Preliminary security design submitted for client review. Please refer to Security Polices and Network Security document. February 21 Security design modification requests received from the client. February 22 Preliminary Active Directory Design submitted for client review. Please refer to Active Directory Final document. February 29 Active Directory design modification requests received from the client. March 7 Final Design for LAN, Wireless, VoIP, Security, and Active Directory submitted to client for review.
Implementation Plan Template Group 5 UMUC CMIT 495 References Be’ery, Tal. (2014). Smart Card Logon: The Good, the Bad and the Ugly. Retrieved on February 18, 2015 from http://www.aorato.com/blog/windows-smart-card-logon-good-bad-ugly/ BitLocker Group Policy Settings. (n.d.). Retrieved January 25, 2015, from https://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_detypefdd BitLocker: How to enable Network Unlock. (n.d.). Retrieved January 25, 2015, from https://technet.microsoft.com/en-us/library/jj574173.aspx#BKMK_NUnlockCoreReqs Bond, P., & Bement, A. (2002, December 3). SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES. Retrieved February 10, 2015, from http://csrc.nist.gov/publications/fips/fips140- 2/fips1402.pdf (Bond & Bement, 2002) Cisco Router and Security Device Manager 2.5 User Guide - Site-to-Site VPN [Cisco Router and Security Device Manager]. (2009, July 13). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager/ 25/software/user/guide/SDM25UGD/VPNS2S.html#wp1015553 Cisco ASA 5500-X Series Next-Generation Firewalls - Products & Services. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation- firewalls/index.html?referring_site=bodynav Cisco ASR 1001 Router. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/routers/asr-1001-router/index.html Cisco Aironet 1250 Series Access Point Data Sheet. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1250- series/product_data_sheet0900aecd806b7c5c.html Cisco Catalyst 3560 Series Switches - Products & Services. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/switches/catalyst-3560-series-switches/index.html Cisco IPS 4270-20 Sensor. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/support/security/ips-4270-20-sensor/model.html Cisco Router and Security Device Manager 2.5 User Guide - Site-to-Site VPN [Cisco Router and Security Device Manager]. (2009, July 13). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager /25/software/user/guide/SDM25UGD/VPNS2S.html#wp1015553 Cisco Secure Access Control System - Products & Services. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/security/secure-access-control- system/index.htmlhttp://www.cisco.com/c/en/us/products/collateral/unified- communications/unity-express/reference_guide_c07-566560.html Cisco Unified IP Phone 7912G Data Sheet. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone- 7912g/product_data_sheet09186a00801739c0.html
Implementation Plan Template Group 5 UMUC CMIT 495 Cisco Wireless LAN Controllers. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/collateral/wireless/4100-series-wireless-lan- controllers/product_data_sheet0900aecd802570b0.html Cisco Unified Communications 500 Series Model 560 for Small Business: Platform Reference Guide. (n.d.). Retrieved January 25, 2015, from Technet. (2015). Windows Deployment Services Overview. Microsoft. Retrieved on February 20, 2015 from https://technet.microsoft.com/en- us/library/hh831764.aspx Dell Precision T1700 Workstation. (n.d.). Retrieved January 25, 2015, from http://www.dell.com/us/business/p/precision-t1700-workstation/pd Enhanced Interior Gateway Routing Protocol. (2015, January 5). Retrieved February 27, 2015, from http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol- eigrp/16406-eigrp-toc.html Failover Clustering Hardware Requirements and Storage Options. (n.d.). Retrieved January 25, 2015, from https://technet.microsoft.com/en-us/library/jj612869.aspx HP 5900 Switch Series. (n.d.). Retrieved January 25, 2015, from http://h17007.www1.hp.com/us/en/networking/products/switches/HP_5900_Switch_Series/#.V MQBUivF-Cl HP Color LaserJet Pro MFP M176n. (n.d.). Retrieved January 25, 2015, from http://store.hp.com/webapp/wcs/stores/servlet/us/en/pdp/printers/hp-color-laserjet-pro-mfp- m176n HP NC365T 4-port Ethernet Server Adapter. (n.d.). Retrieved January 25, 2015, from http://h18004.www1.hp.com/products/servers/networking/nc365t/index.html Hardware requirements for BitLocker Drive Encryption. (n.d.). Retrieved January 25, 2015, from http://windows.microsoft.com/en-us/windows-vista/hardware-requirements-for-bitlocker-drive- encryption HYPERTERMINAL Trial. (2015). Retrieved February 22, 2015, from https://www.hilgraeve.com/hyperterminal-trial/ IPAM Deployment Planning. (n.d.). Retrieved January 25, 2015, from https://technet.microsoft.com/en- us/library/jj878312.aspx#hard_soft Information Security Policy Templates. (n.d.). Retrieved February 8, 2015, from http://www.sans.org/security-resources/policies/ Internet Connectivity Options [MPLS]. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00801281f1.sht ml Labsim. (2015). Group Facts. Retrieved on February 20, 2015 from http://content.testout.com/client/labsimanywhere.html?mincachedate=01-08-2015-23-50
Implementation Plan Template Group 5 UMUC CMIT 495 MacMall | TrippLite 42U Rack Enclosure Server Cabinet 47.25" Deep 29.5" Wide SR42UBDPWD. (n.d.). Retrieved January 25, 2015, from http://www.macmall.com/p/TrippLite-Racks- Enclosures-And-Arrays/product~dpno~8146725~pdp.gbhdhhb Microsoft. (2014). BitLocker Drive Encryption Overview. Retrieved on February 18, 215 from http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview Microsoft. (2013). Failover Clustering Overview. Retrieved on February 19, 2015 from https://technet.microsoft.com/en-us/library/hh831579.aspx Microsoft. (2012). Plan for Automatic File Classification. Retrieved on February 19, 2015 from https://technet.microsoft.com/en-us/library/jj574209.aspx Microsoft. (2014). IP Address Management (IPAM) Overview. Retrieved on February 19, 2015 from https://technet.microsoft.com/en-us/library/hh831353.aspx Springston, Tim. (2006). Smartcard Logon Considerations, or How I Learned to Love Authentication with Smartcards. Retrieved on February 18, 2015 from http://blogs.technet.com/b/ad/archive/2006/11/13/smartcard-logon-considerations-or-how-i- learned-to-love-authentication-with-smartcards.aspx S813 Biometric Smart Card Reader. (n.d.). Retrieved January 25, 2015, from http://www.amag.com/Products/Card-Readers/S813.aspx SIP Trunking With AT&T IP Flexible Reach. (n.d.). Retrieved January 25, 2015, from http://www.business.att.com/enterprise/Service/voice-services/null/sip-trunking/ Sales and Service. (n.d.). Retrieved January 25, 2015, from http://www.ricoh- usa.com/about/sales_and_service/sales_and_services.aspx?alnv=sas Security with Smart Cards. (n.d.). Retrieved January 25, 2015, from https://technet.microsoft.com/en- us/library/cc962052.aspx Security with Smart Cards. (n.d.). Retrieved January 25, 2015, from https://technet.microsoft.com/en us/library/cc962052.aspx Small & Medium Business. (n.d.). Retrieved January 25, 2015, from http://shopping1.hp.com/is- bin/INTERSHOP.enfinity/WFS/WW-USSMBPublicStore-Site/en_US/- /USD/ViewProductDetail- Start;pgid=jDJwlVlq2W9SR0Yk2kO1Yuen0000gcHWdeHl;sid=F8tNwyQ7coxTw3D44yCBV_ 00xcV1sqwevBU=?ProductUUID=sLAQ7EN56zsAAAEuiwpzzsjt&CatalogCategoryID=4e Symmetry Network Cameras. (n.d.). Retrieved January 25, 2015, from http://www.amag.com/Products/Video-Management/Network-Cameras.aspx Technet. (2015). BranchCache. Microsoft. Retrieved on February 18, 2015 from https://technet.microsoft.com/en-us/network/dd425028.aspx Technet. (2015). Client configuration using Group Policy. Microsoft. Retrieved on February 19, 2015 from https://technet.microsoft.com/en-us/library/dd637820%28v=ws.10%29.aspx
Implementation Plan Template Group 5 UMUC CMIT 495 Technet. (2015). BitLocker Group Policy Settings. Microsoft. Retrieved on February 18, 2015 from https://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_netunlock Technet. (2015). Try it out: encrypt used space only. Microsoft. Retrieved on February 18, 2015 from https://technet.microsoft.com/en-us/windows/jj983729.aspx TestOut, Online IT Certification Training. (n.d.). Retrieved January 25, 2015, from http://www.testout.com/ Using the Common Access Card for Remote Access VPN with the ASA 5500. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next- generation-firewalls/product_implementation_design_guide0900aecd805fc1d0.html Very Early Smoke Detection Apparatus - Dallas Fire Protection Contractor. (n.d.). Retrieved January 25, 2015, from http://www.baconfire.com/Advanced-Smoke-Detection.html What is Mbps? (n.d.). Retrieved January 25, 2015, from http://www.verizon.com/home/fios-fastest- internet/?AID=10416649&PID=1785757&SID=ti38854877#plans?promotion_code=JUNCT/W 04&CMP=AFC-CJCON_002PZ2_005_014

Empfohlen

Implementation-Plan_X_Corp
Implementation-Plan_X_CorpImplementation-Plan_X_Corp
Implementation-Plan_X_Corp
Jared Bourne
 
Comprehensive AAP
Comprehensive AAPComprehensive AAP
Comprehensive AAP
Melvin Dickerson
 
Banking and ATM networking reports
Banking and ATM networking reportsBanking and ATM networking reports
Banking and ATM networking reports
Shakib Ansaar
 
Mris network architecture proposal r1
Mris network architecture proposal r1Mris network architecture proposal r1
Mris network architecture proposal r1
Craig Burma
 
Network upgrade
Network upgradeNetwork upgrade
Network upgrade
Debanjan Paul
 
WAN Design Project
WAN Design ProjectWAN Design Project
WAN Design Project
D Ther Htun
 
Lis 4482 final report
Lis 4482 final reportLis 4482 final report
Lis 4482 final report
PeterCummingsIII
 
Projects controls on a 900 project substation network upgrade ppt
Projects controls on a 900 project substation network upgrade pptProjects controls on a 900 project substation network upgrade ppt
Projects controls on a 900 project substation network upgrade ppt
p6academy
 

Empfohlen

Implementation-Plan_X_Corp
Implementation-Plan_X_CorpImplementation-Plan_X_Corp
Implementation-Plan_X_Corp
Jared Bourne
 
Comprehensive AAP
Comprehensive AAPComprehensive AAP
Comprehensive AAP
Melvin Dickerson
 
Banking and ATM networking reports
Banking and ATM networking reportsBanking and ATM networking reports
Banking and ATM networking reports
Shakib Ansaar
 
Mris network architecture proposal r1
Mris network architecture proposal r1Mris network architecture proposal r1
Mris network architecture proposal r1
Craig Burma
 
Network upgrade
Network upgradeNetwork upgrade
Network upgrade
Debanjan Paul
 
WAN Design Project
WAN Design ProjectWAN Design Project
WAN Design Project
D Ther Htun
 
Lis 4482 final report
Lis 4482 final reportLis 4482 final report
Lis 4482 final report
PeterCummingsIII
 
Projects controls on a 900 project substation network upgrade ppt
Projects controls on a 900 project substation network upgrade pptProjects controls on a 900 project substation network upgrade ppt
Projects controls on a 900 project substation network upgrade ppt
p6academy
 
NT2799 FINAL CAPSTONE PROJECT.DOCX
NT2799 FINAL CAPSTONE PROJECT.DOCXNT2799 FINAL CAPSTONE PROJECT.DOCX
NT2799 FINAL CAPSTONE PROJECT.DOCX
Fred Abram III
 
Network Infrastructure Upgrade - Nextrio
Network Infrastructure Upgrade - NextrioNetwork Infrastructure Upgrade - Nextrio
Network Infrastructure Upgrade - Nextrio
Aadil Hussaini
 
Network Troubleshooting - Part 1
Network Troubleshooting - Part 1Network Troubleshooting - Part 1
Network Troubleshooting - Part 1
SolarWinds
 
Cyberdyne systems (2)
Cyberdyne systems (2)Cyberdyne systems (2)
Cyberdyne systems (2)
Bryan Moss
 
En35793797
En35793797En35793797
En35793797
IJERA Editor
 
Network proposal ppt
Network proposal pptNetwork proposal ppt
Network proposal ppt
FrankNitty II
 
Aruba Rightsizing Your Network
Aruba Rightsizing Your NetworkAruba Rightsizing Your Network
Aruba Rightsizing Your Network
hypknight
 
Building an Enterprise Fiber Network for a Local Government, An Architectural...
Building an Enterprise Fiber Network for a Local Government, An Architectural...Building an Enterprise Fiber Network for a Local Government, An Architectural...
Building an Enterprise Fiber Network for a Local Government, An Architectural...
The University of Texas (UTRGV)
 
White Paper on SNMPv3
White Paper on SNMPv3White Paper on SNMPv3
White Paper on SNMPv3
mayukh rastogi
 
Troubleshooting and debugging Citrix Receiver for iOS and Android
Troubleshooting and debugging Citrix Receiver for iOS and AndroidTroubleshooting and debugging Citrix Receiver for iOS and Android
Troubleshooting and debugging Citrix Receiver for iOS and Android
Citrix
 
E magic case study
E magic case studyE magic case study
E magic case study
Allyssa1Davis
 
SHRUTHI SHARMA MS
SHRUTHI SHARMA MSSHRUTHI SHARMA MS
SHRUTHI SHARMA MS
shruthi sharma
 
White Paper Leveraging Automation for Advanced Network Troubleshooting
White Paper Leveraging Automation for Advanced Network TroubleshootingWhite Paper Leveraging Automation for Advanced Network Troubleshooting
White Paper Leveraging Automation for Advanced Network Troubleshooting
E.S.G. JR. Consulting, Inc.
 
Simplifying SDN Networking Across Private and Public Clouds
Simplifying SDN Networking Across Private and Public CloudsSimplifying SDN Networking Across Private and Public Clouds
Simplifying SDN Networking Across Private and Public Clouds
5nine
 
Enterprise network management
Enterprise network managementEnterprise network management
Enterprise network management
ManageEngine, Zoho Corporation
 
The Importance of an Integrated Network Management System
The Importance of an Integrated Network Management SystemThe Importance of an Integrated Network Management System
The Importance of an Integrated Network Management System
IRIS Network Systems
 
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Tal Lavian Ph.D.
 
Ccna 4 Chapter 9 V4.0 Answers
Ccna 4 Chapter 9 V4.0 AnswersCcna 4 Chapter 9 V4.0 Answers
Ccna 4 Chapter 9 V4.0 Answers
ccna4discovery
 
how-to-get-ready-ebook-en
how-to-get-ready-ebook-enhow-to-get-ready-ebook-en
how-to-get-ready-ebook-en
Garrett M. Graston
 
Network Design and Management
Network Design and ManagementNetwork Design and Management
Network Design and Management
tlerell
 
Steps to Improve Cyber Security of SCADA Networks by U.S. Department of Energy
Steps to Improve Cyber Security of SCADA Networks by U.S. Department of EnergySteps to Improve Cyber Security of SCADA Networks by U.S. Department of Energy
Steps to Improve Cyber Security of SCADA Networks by U.S. Department of Energy
Muhammad FAHAD
 
Dr Dev Kambhampati | DOE- Steps to Improve Cybersecurity of SCADA Networks
Dr Dev Kambhampati | DOE- Steps to Improve Cybersecurity of SCADA NetworksDr Dev Kambhampati | DOE- Steps to Improve Cybersecurity of SCADA Networks
Dr Dev Kambhampati | DOE- Steps to Improve Cybersecurity of SCADA Networks
Dr Dev Kambhampati
 

Weitere ähnliche Inhalte

Was ist angesagt?

NT2799 FINAL CAPSTONE PROJECT.DOCX
NT2799 FINAL CAPSTONE PROJECT.DOCXNT2799 FINAL CAPSTONE PROJECT.DOCX
NT2799 FINAL CAPSTONE PROJECT.DOCX
Fred Abram III
 
Network Infrastructure Upgrade - Nextrio
Network Infrastructure Upgrade - NextrioNetwork Infrastructure Upgrade - Nextrio
Network Infrastructure Upgrade - Nextrio
Aadil Hussaini
 
Aruba Rightsizing Your Network
Aruba Rightsizing Your NetworkAruba Rightsizing Your Network
Aruba Rightsizing Your Network
hypknight
 
White Paper on SNMPv3
White Paper on SNMPv3White Paper on SNMPv3
White Paper on SNMPv3
mayukh rastogi
 
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Tal Lavian Ph.D.
 

Was ist angesagt? (20)

NT2799 FINAL CAPSTONE PROJECT.DOCX
NT2799 FINAL CAPSTONE PROJECT.DOCXNT2799 FINAL CAPSTONE PROJECT.DOCX
NT2799 FINAL CAPSTONE PROJECT.DOCX
 
Network Infrastructure Upgrade - Nextrio
Network Infrastructure Upgrade - NextrioNetwork Infrastructure Upgrade - Nextrio
Network Infrastructure Upgrade - Nextrio
 
Network Troubleshooting - Part 1
Network Troubleshooting - Part 1Network Troubleshooting - Part 1
Network Troubleshooting - Part 1
 
Cyberdyne systems (2)
Cyberdyne systems (2)Cyberdyne systems (2)
Cyberdyne systems (2)
 
En35793797
En35793797En35793797
En35793797
 
Network proposal ppt
Network proposal pptNetwork proposal ppt
Network proposal ppt
 
Aruba Rightsizing Your Network
Aruba Rightsizing Your NetworkAruba Rightsizing Your Network
Aruba Rightsizing Your Network
 
Building an Enterprise Fiber Network for a Local Government, An Architectural...
Building an Enterprise Fiber Network for a Local Government, An Architectural...Building an Enterprise Fiber Network for a Local Government, An Architectural...
Building an Enterprise Fiber Network for a Local Government, An Architectural...
 
White Paper on SNMPv3
White Paper on SNMPv3White Paper on SNMPv3
White Paper on SNMPv3
 
Troubleshooting and debugging Citrix Receiver for iOS and Android
Troubleshooting and debugging Citrix Receiver for iOS and AndroidTroubleshooting and debugging Citrix Receiver for iOS and Android
Troubleshooting and debugging Citrix Receiver for iOS and Android
 
E magic case study
E magic case studyE magic case study
E magic case study
 
SHRUTHI SHARMA MS
SHRUTHI SHARMA MSSHRUTHI SHARMA MS
SHRUTHI SHARMA MS
 
White Paper Leveraging Automation for Advanced Network Troubleshooting
White Paper Leveraging Automation for Advanced Network TroubleshootingWhite Paper Leveraging Automation for Advanced Network Troubleshooting
White Paper Leveraging Automation for Advanced Network Troubleshooting
 
Simplifying SDN Networking Across Private and Public Clouds
Simplifying SDN Networking Across Private and Public CloudsSimplifying SDN Networking Across Private and Public Clouds
Simplifying SDN Networking Across Private and Public Clouds
 
Enterprise network management
Enterprise network managementEnterprise network management
Enterprise network management
 
The Importance of an Integrated Network Management System
The Importance of an Integrated Network Management SystemThe Importance of an Integrated Network Management System
The Importance of an Integrated Network Management System
 
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
Popeye - Using Fine-grained Network Access Control to Support Mobile Users an...
 
Ccna 4 Chapter 9 V4.0 Answers
Ccna 4 Chapter 9 V4.0 AnswersCcna 4 Chapter 9 V4.0 Answers
Ccna 4 Chapter 9 V4.0 Answers
 
how-to-get-ready-ebook-en
how-to-get-ready-ebook-enhow-to-get-ready-ebook-en
how-to-get-ready-ebook-en
 
Network Design and Management
Network Design and ManagementNetwork Design and Management
Network Design and Management
 

Ähnlich wie WWTC_implementation_plan_Group5_FINAL

Steps to Improve Cyber Security of SCADA Networks by U.S. Department of Energy
Steps to Improve Cyber Security of SCADA Networks by U.S. Department of EnergySteps to Improve Cyber Security of SCADA Networks by U.S. Department of Energy
Steps to Improve Cyber Security of SCADA Networks by U.S. Department of Energy
Muhammad FAHAD
 
D link-dir-615-manual
D link-dir-615-manualD link-dir-615-manual
D link-dir-615-manual
40044
 
Motorola ws2000 wireless switch system reference guide
Motorola ws2000 wireless switch system reference guideMotorola ws2000 wireless switch system reference guide
Motorola ws2000 wireless switch system reference guide
Advantec Distribution
 
Motorola ws2000 wireless switch system reference guide
Motorola ws2000 wireless switch system reference guideMotorola ws2000 wireless switch system reference guide
Motorola ws2000 wireless switch system reference guide
Advantec Distribution
 
Computer Network Monitoring & Performance
Computer Network Monitoring & PerformanceComputer Network Monitoring & Performance
Computer Network Monitoring & Performance
Dmitry Ponomarenko
 
iPDC Report Kedar
iPDC Report KedariPDC Report Kedar
iPDC Report Kedar
Nitesh Pandit
 

Ähnlich wie WWTC_implementation_plan_Group5_FINAL (20)

Steps to Improve Cyber Security of SCADA Networks by U.S. Department of Energy
Steps to Improve Cyber Security of SCADA Networks by U.S. Department of EnergySteps to Improve Cyber Security of SCADA Networks by U.S. Department of Energy
Steps to Improve Cyber Security of SCADA Networks by U.S. Department of Energy
 
Dr Dev Kambhampati | DOE- Steps to Improve Cybersecurity of SCADA Networks
Dr Dev Kambhampati | DOE- Steps to Improve Cybersecurity of SCADA NetworksDr Dev Kambhampati | DOE- Steps to Improve Cybersecurity of SCADA Networks
Dr Dev Kambhampati | DOE- Steps to Improve Cybersecurity of SCADA Networks
 
Evaluation of Real-Time Communication in IoT Services by WebRTC
Evaluation of Real-Time Communication in IoT Services by WebRTCEvaluation of Real-Time Communication in IoT Services by WebRTC
Evaluation of Real-Time Communication in IoT Services by WebRTC
 
thesis_SaurabhPanda
thesis_SaurabhPandathesis_SaurabhPanda
thesis_SaurabhPanda
 
D link-dir-615-manual
D link-dir-615-manualD link-dir-615-manual
D link-dir-615-manual
 
Fulltext02
Fulltext02Fulltext02
Fulltext02
 
Juniper Networks: Security for cloud
Juniper Networks: Security for cloudJuniper Networks: Security for cloud
Juniper Networks: Security for cloud
 
ISE-802.1X-MAB
ISE-802.1X-MABISE-802.1X-MAB
ISE-802.1X-MAB
 
US NORTHCOM Study: Commercial Wireless
US NORTHCOM Study: Commercial Wireless US NORTHCOM Study: Commercial Wireless
US NORTHCOM Study: Commercial Wireless
 
Kwfsbs67 en-v1
Kwfsbs67 en-v1Kwfsbs67 en-v1
Kwfsbs67 en-v1
 
Motorola ws2000 wireless switch system reference guide
Motorola ws2000 wireless switch system reference guideMotorola ws2000 wireless switch system reference guide
Motorola ws2000 wireless switch system reference guide
 
Motorola ws2000 wireless switch system reference guide
Motorola ws2000 wireless switch system reference guideMotorola ws2000 wireless switch system reference guide
Motorola ws2000 wireless switch system reference guide
 
Ensuring Distributed Accountability in the Cloud
Ensuring Distributed Accountability in the CloudEnsuring Distributed Accountability in the Cloud
Ensuring Distributed Accountability in the Cloud
 
CYB 360 Education Specialist |tutorialrank.com
CYB 360 Education Specialist |tutorialrank.comCYB 360 Education Specialist |tutorialrank.com
CYB 360 Education Specialist |tutorialrank.com
 
Cyb 360 academic adviser ....tutorialrank.com
Cyb 360 academic adviser ....tutorialrank.comCyb 360 academic adviser ....tutorialrank.com
Cyb 360 academic adviser ....tutorialrank.com
 
Computer Network Monitoring & Performance
Computer Network Monitoring & PerformanceComputer Network Monitoring & Performance
Computer Network Monitoring & Performance
 
be_report - report
be_report - reportbe_report - report
be_report - report
 
iPDC Report Kedar
iPDC Report KedariPDC Report Kedar
iPDC Report Kedar
 
Cvd campus wiredlan-designguide
Cvd campus wiredlan-designguideCvd campus wiredlan-designguide
Cvd campus wiredlan-designguide
 
Modeling, Specification and Verification Tools
Modeling, Specification and Verification ToolsModeling, Specification and Verification Tools
Modeling, Specification and Verification Tools
 

WWTC_implementation_plan_Group5_FINAL

  • 1. New York, WWTC Network IMPLEMENTATION PLAN Group 5 CMIT 495 03/01/2015
  • 2. Implementation Plan Template Group 5 UMUC CMIT 495 Table of Contents 1 INTRODUCTION ..............................................................ERROR! BOOKMARK NOT DEFINED. 1.1 PURPOSE ...................................................................................................................... 3 1.2 SYSTEM OVERVIEW....................................................................................................... 3 1.2.2 Assumptions and Constraints......................................................................................... 3 2 Implementation Requirements ................................................................................................. 3 2.1 DESCRIPTION OF IMPLEMENTATION ................................................................................. 3 2.2 POINTS-OF-CONTACT..................................................................................................... 3 2.3 MAJOR TASKS .............................................................................................................. 3 2.4 TOOLS REQUIREMENT.................................................................................................... 4 2.5 LAN IMPLEMENTATION ................................................................................................. 4 2.5.1 LAN High Level Diagram, IP scheme and Equipment List .......................................... 5 2.5.2 Switch Interconnections and Redundancy..................................................................... 6 2.5.3 IP Hierarchical Scheme.................................................................................................. 6 2.5.4 LAN, VoIP and Wireless Equipment List ..................................................................... 7 2.6 SECURITY IMPLEMENTATION TASKS ................................................................................ 9 2.6.1 Physically install Cisco ASA 5500 firewall................................................................... 9 2.6.2 Configure ASA 5500 firewall...................................................................................... 10 2.6.3 Setup access to the public server farm in DMZ in ASA 5500..................................... 11 2.6.4 Configure VPN for IPSEC in ASA 5500..................................................................... 11 2.6.5 Configure firewall rules in ASA 5500......................................................................... 12 2.6.6 Physically install Cisco IPS 4270 ................................................................................ 12 2.6.7 Configure IPS 4270 for “inline mode” between ASA 5500 and WWTC network ..... 12 2.6.8 Install McAfee E-Policy Orchestrator (EPO) .............................................................. 13 2.6.9 Install and configure Cisco Access Control Server (ACS) 5.4.................................... 14 2.6.10 Install and configure KG-175D ................................................................................. 14 2.6.11 Configure VLAN security on network devices ......................................................... 15 2.6.12 Configure port security on network devices .............................................................. 15 2.6.13 Configure DHCP snooping on network devices........................................................ 15 2.7 ACTIVE DIRECTORY IMPLEMENTATION .......................................................................... 15 2.7.1 Prepare the Forest Root/Parent Domain; WWTC.com................................................ 15 2.7.2 Create the Forest Root/Parent Domain; WWTC.com.................................................. 15 2.8 CONFIGURATION OF ROUTERS....................................................................................... 16 2.9 CONFIGURATION OF SWITCHES...................................................................................... 18 2.10 VLAN CONFIGURATIONS............................................................................................ 20 2.11 VOICE VLAN AND WIRELESS ...................................................................................... 21 2.12 SECURITY TECHNOLOGIES........................................................................................... 22 2.13 DHCP AND DNS....................................................................................................... 24 2.14 ACTIVE DIRECTORY POLICIES ..................................................................................... 26 2.14.1 Configure Global Catalog Servers and FSMO roles ................................................. 27 2.15 ACTIVE DIRECTORY FOREST DOMAIN OU FORMATION................................................... 28 2.16 ACTIVE DIRECTORY GROUP FORMATION ...................................................................... 30 2.17 ACTIVE DIRECTORY GPO IMPLEMENTATION................................................................. 32 2.18 PROJECT TIME LINE ................................................................................................... 35
  • 3. Implementation Plan Template Group 5 UMUC CMIT 495 1 Introduction 1.1 Purpose Purpose of this plan is to implement LAN, Security, Active Directory and Wireless devices, configurations and policies into a state of the art network for WWTCs New York City office. 1.2 System Overview WWTC has a regional office located in New York City and as the Director of the IT Department, I and the IT team have been tasked to set up a state of the art network that can help increase company revenue and reduce company costs. 1.2.2 Assumptions and Constraints The network infrastructure is solid and a gigabit network is in place. All existing wiring has been tested and the connections are true. The existing power supply is sufficed to meet the current and future demand. 2 Implementation Requirements 2.1 Description of Implementation The IT team has proposed an implementation timeline. The network installation will be accomplished in separate phases. Our WWTC customer has received each phase proposal, and has decided to move forward with this project. 2.2 Points-of-Contact Consultant Project Team Customer Project Team  Project Manager: Steve Ricker  Telephone: 555-555-0001  Email: SteveRicker@consultant.com  Project Manager: Bill Gates  Telephone: 555-555-7889  Email: BillGates@WWTC.com  Configuration Engineer: Chanel Bernal  Telephone: 555-555-1000  Email: ChanelBernal@consultant.com  Configuration Engineer: Yin Chung  Telephone: 555-555-5555  Email: YinChung@WWTC.com  Project Coordinator: Mohamed Haidara  Telephone: 555-555-0023  Email: MohamedHaidara@consultant.com  Project Coordinator: Bhagwati Bansal  Telephone: 555-555-1234  Email: BhagwatiBansal@WWTC.com 2.3 Major Tasks  LAN Implementation  Security Implementation  Active Directory Implementation  Configuration of Routers  Configuration of Switches  VLAN configurations  Voice VLAN and wireless  Security technologies  DHCP and DNS  Active Directory Policies  Active Directory Forest Domain OU formation  Active Directory Group Formation  Active Directory GPO Implementation
  • 4. Implementation Plan Template Group 5 UMUC CMIT 495  Project Time Line 2.4 Tools Requirement The NY.WWTC LAN will require several tools for different installation tasks. The tools in the following table are needed to complete the WWTC network installation. Tool # Tools Required 1 PC with VT100 emulator, SCP Server, TFTP Server, FTP Server, Text Editor 2 Console port cable DB-9-RJ45/ DB25 with USB Adapter 3 Standard Tools such as: screwdrivers, pliers, inspection mirror, ratchet drivers and socket bit set, electrical tape, multi-meter, tape measure and anti-static mat. 4 Fiber Optic installation kit 5 Ethernet installer kit which includes: Ethernet crimpers, UTP wire strippers, wire and Kevlar scissors, cable tester with remotes, and label maker. 6 Operating system software and drivers 7 USB optical drive 8 USB thumb drive 9 HyperTerminal.exe 10 Laptop (aka console terminal) 2.5 LAN Implementation Effective deployment of the NY.WWTC.com network infrastructure, with all of its collective services requires careful thought, rigorous planning, documentation and well-coordinated execution between all members involved with this deployment. NY.WWTC’s Local Area Network (LAN) implementation plan describes how the accumulation of materials relating to these objectives will be configured and transitioned into a leading edge operational networked IT system. Company leadership, management and implementation teams are focused and committed to excellence. WWTC’s executives have described the business goals of increasing revenue while reducing operating costs to the team with clarity and these have been at the forefront during this process. Under the leadership of WWTC’s president, schedules has been documented and the team is ready. To ensure a smooth and well-coordinated deployment, the following list outlines the sequence of details that will accomplish the specific hardware and software implementation for WWTC’s New York regional office. NY.WWTC planning consists of the following LAN Implementation Tasks:  Providing a high level diagram of the network  Providing the IP scheme of the intended network addresses  Identifying the equipment needed for this roll-out  Identifying the topology of how equipment will be connected  Descriptions of redundant connections to achieve 100% connectivity  Security technologies with solutions  Active Directory implementation tasks  Router, Switch and VLAN configurations (to include Voice and Wireless)
  • 5. Implementation Plan Template Group 5 UMUC CMIT 495  VPN Configurations  Ant-virus Deployment and Management  DHCP and DNS Implementation Planning  AD and Group Policy Deployment and Configurations  Active Directory Organizational Unit Formations  Active Directory Group Formations  Project schedule release with time-line 2.5.1 LAN High Level Diagram, IP scheme and Equipment List The WWTC LAN design consists of network switching devices in the core, distribution and access layers of the network coupled with the in-place network cabling that connects all these devices together. WWTC’s network infrastructure is a model of a star topology. Focused and trained, WWTC’s IT staff present a switching configuration that offers fast network performance, efficient device management and plans for future company growth. This approach greatly enhances network performance that eliminates unnecessary interconnections, while offering scalability. At a high level, WWTC’s topology has a number of edge routers used for Internet Service Provider (ISP) connectivity, Firewalls and Intrusion Prevention Systems aimed to block intruders, routers and access switches that offer redundancy and end device connectivity. A Full-Mesh Topology WWTC operates a full-mesh topology. Within the New York regional office, WWTC communicates with its Hong Kong headquarters and several other WWTC offices located within the United States through redundant ISP links. NY.WWTC.com uses EIGRP as its routing protocol. “EIGRP is an enhanced distance vector protocol, relying on the Diffused Update Algorithm (DUAL) to calculate the shortest path to a destination within a network.” (Cisco.com, 2015). The NY.WWTC.com full-mesh architecture allows for continued connection between WWTC locations around the globe shown in Figure 1. Figure 1 High Level Design
  • 6. Implementation Plan Template Group 5 UMUC CMIT 495 2.5.2 Switch Interconnections and Redundancy WWTC’s LAN design model consists of dual switching at each layer in order to achieve network device redundancy. Along with this two device design, WWTC ensures redundant cable connections are established beginning with each computer on the network. All computers are equipped with dual network cards and have been connected to two different switches. Redundancy is also built into the access layer and the distribution layer of its network. The distribution layer offers redundancy to core switches through similar cross-connected links. This means that each switch is connected to at least two other switches by two independent physical cable connections. Figure 1 above is a high level illustration that shows the implementation of the network architect supporting redundancy and all levels. Figure 2 below is a physical connection model planned for the NY.WWTC client computer roll-out. Figure 2 Redundant PC links 2.5.3 IP Hierarchical Scheme The following diagram and table (Fig. 3) provide a high level view of the IPv4 addressing scheme planned for NY.WWTC.com. The legend represents different color coded VLANs appropriate to Figure 1 (above), the topology diagram. The switches provide VLAN summarization points and NY.WWTC has provisioned two Internet Service Providers (ISP’s). The EIGRP protocol will be configured on the network and TCP/IP is used as the routing protocol. Figure 3 IP Hierarchical Scheme
  • 7. Implementation Plan Template Group 5 UMUC CMIT 495 2.5.4 LAN, VoIP and Wireless Equipment List The IT team has evaluated the networking equipment requirements for WWTC’s New York based office. As a whole, WWTC recognizes Cisco equipment as being the industry leader regarding internetworking equipment. By utilizing Cisco as the standard manufacturer, WWTC’s qualified Cisco Certified Network Administrators (CCNA) can work within a common body of knowledge. This eliminates any possible learning curve and subsequent delay. Focused on efficient management, similar design and standardized configurations, the IT team presents the following equipment list. LAN EQUIPMENT SECTION WWTC Equipment QTY Description Cost Total Cost Unclassified Network Brokers laptops w/OS 20 Dell Laptops (Provided for Broker mobility) Windows 7 Ultimate $899.99 $17,999.80 Brokers Docking stations 20 Dell E-Port Plus port replicators USB 3.0 w/dual monitor capabilities $299.99 $5,999.80 Monitors 87 Dell 22" Monitors $149.99 $13,049.13 Computer Workstations w/OS 67 Dell Precision T1700 Workstations - Windows 7 Ultimate w/TPM $689.95 each $42,226.65 Total Unclassified Computers 87 Company printers 20 HP Color LaserJet Pro (MFP M176n) $249.99 each $4,999.80 Storage Area Network (SAN) 1 HP - HP Storage Works EVA4400 AG637BR Hard Drive Array $37,500 $3,750 Servers 7 HP ProLiant DL580 Servers $4,758 each $33,306 - Configured with Hyper-V - Dual processors and dual power supplies - Will Create 42 virtual servers to include (6 VM per server): Application, File, SQL, Web, Email, RADIUS, library card-catalog - Will Create 2 Domain controllers that include DNS & DHCP Access Layer Switches 2 Catalyst 4510R+E Switch $7,890 Names: ASW1, ASW2 10 slot Chassis with (2) Supervisor 8-E, and (6) line cards 288 PoE, Gb ports $3,945 each Distribution Layer Switch 2 Cisco Catalyst 6503-E $83,990 Names: DR1, DR2 34-Port GBIC-Based GB Ethernet Module Model: 6503-E $41,995 each Core Layer Routers 2 Cisco ASR 1001 Routers $23,610 Names: CR1, CR2 Dual power supply $11,805 each Core Layer Firewall 2 Cisco ASA 5500 $9,936 Names: CFW1, CFW2 6 Port Model: Cisco ASA 5500 $4,968 each Cisco Intrusion Prevention Sensor 3 Cisco IPS 4270 Sensor $4,995 each $14,985 Cisco Access Control System 5.4 1 Centralized identity and access policy solution $200 $200 Polycom Video Conferencing 2 RealPresence Group 500 Media Center System - Includes EagleEye Cameras - 65" Wall Mount LCD for video conferencing Conf. Rm
  • 8. Implementation Plan Template Group 5 UMUC CMIT 495 Polycom speaker phones 2 Polycom SoundStation IP 6000 $379.95 $759.90 Suite Entry Security System 3 Biometric smart card reader for entry doors $99 $297 User ID Badge system 150 USB CAC Card readers (1 per pc) $20 $3,000 Model: SCR331 Server Room raised floors 2 Server Room raised floor systems Server rooms Server room cooling systems 2 Ceiling-Mounted with Direct Free-Cooling Server rooms Server room fire suppression 2 Server room fire suppression Server rooms Facility video monitoring system 10 Network Camera $99 each $990 Model: EN-7531HD Facility smoke detection system 4 Facility smoke detection system $79 each $316 - Very Early Smoke Detection Apparatus Server backup battery power 2 APC Smart-UPS SRT 5000VA 208V $4,150 each $8,300 Server cabinets 3 TrippLite 42U Rack Enclosure Server Cabinet $985 each $2,955 ISP 1 1 Verizon FiOS ISP 150x150 Mbps Internet Provider ISP 2 1 AT&T Metro Ethernet Internet Provider Microsoft Office 2012 87 Client Access Licenses $149 each $12,963 Microsoft Exchange 2013 1 Email application All Microsoft Exchange CALs 87 Email application licenses $149 each $12,963 Market Tracking Application 1 Provides real-time status of stock and bond market to brokers and their clients All Stock & Bond Analytical Application 1 Provides analysis of stock and Bond to WWTC Brokers All On Line Trading Training 1 Application for training new clients in online trading All McAfee Anti-virus 133 89 computers, 44 Servers $199 each Total Cost Total Cost $232,536.28 Classified Network Computer Workstations 2 Dell Precision T1700 Workstations (Classified side) $689.95 each $13,799 Monitors 2 Dell 22" Monitors $149.99 each $299.98 Total Class. Computers 2 Company Servers 2 HP ProLiant DL380 Servers $9,516 - Will Create 2 Domain controllers that include DNS & DHCP - Dual processors and dual power supplies $4,758 each Access Layer Switches 1 Cisco Catalyst 3560 $3,499 Name: CASW1 12 Port PoE Model: WS-C3560V2-12PS-S $3,499 each Distribution Layer Switch 1 Cisco Catalyst 6503-E $41,995 Name: CDR1 34-Port GBIC-Based GB Ethernet Module Model: 6503-E $41,995 Core Layer Routers 1 Cisco ASR 1001 Routers $11,805 Name: CCR1 Dual power supply $11,805 each Cisco Intrucion Prevention Sensor 1 Cisco IPS 4270 Sensor $4,995
  • 9. Implementation Plan Template Group 5 UMUC CMIT 495 Taclane High Assurance IP Encryptor 1 Network Encryptor KG-175d $1,999 $1,999 Cisco Intrucion Prevention Sensor 1 Cisco IPS 4270 Sensor $4,995 $4,995 Suite Entry Security System 1 Biometric smart card reader for entry doors $99 $99 Total Cost Total Cost $88,006.98 Wireless Equipment Cisco Aironet 1250 Series 5 Wireless Access Point $200 $1,000 Cisco 4404 Series WLAN Controller 1 Wireless LAN Controller $7,899 $7,899 Total Total $8,899 VoIP Equipment Cisco 7912 IP Phone 94 Cisco VoIP Phones $55 $5,170 Cisco Unified Communications 560 1 Call Manager System $1,895 $1,895 Cisco VG350 144 FXS Bundle 1 Voice Gateway $24,500 $24,500 Total Total $31,565 2.6 Security Implementation Tasks Step # Task 1 Physically install Cisco ASA 5500 firewall 2 Configure ASA 5500 firewall 3 Setup access to the public server farm in DMZ in ASA 5500 4 Configure VPN for IPSEC in ASA 5500 5 Configure firewall rules in ASA 5500 6 Physically install Cisco IPS 4270 7 Configure IPS 4270 for “inline mode” between ASA 5500 and WWTC network 8 Install and configure McAfee E-Policy Orchestrator (EPO) 9 Install and configure Cisco Access Control Server (CACS) 5.4 10 Install and configure KG-175D 11 Configure VLAN security on network devices 12 Configure port security on network devices 13 Configure DHCP snooping on network devices 2.6.1 Physically install Cisco ASA 5500 firewall The device is a Cisco firewall and will be located in the unclassified IT closet, room 3 in Suite A. First step is to confirm all the equipment shown in Figure 4 is in package. Figure 4 Equipment Next step would be to connect a notebook directly with an Ethernet cable and configure the notebook with DHCP while connecting it to appropriate ports shown in Figure 5.
  • 10. Implementation Plan Template Group 5 UMUC CMIT 495 Figure 5 Configuration Ports 2.6.2 Configure ASA 5500 firewall Use the setup wizard to configure basic and advanced features thru the graphical user interface that allows you to manage the ASA from any location by using a web browser. Step 1 On the PC connected to the ASA, launch a web browser. Step 2 In the Address field, enter the following URL: https://192.168.1.1/admin. The Cisco ASDM web page appears shown in Figure 6. Figure 6 Cisco ASDM web Step 3 Click Run Startup Wizard. The main ASDM window appears and the Startup Wizard opens shown Figure 7 and enter the following configurations. Hostname: WWTC_NYFW_01 Domain name: NY.WWTC.com Administrative passwords: letmein IP addresses: 192.168.23.191/195 Static routes: 192.168.20.0, 192.168.21.0, 192.168.22.0 DHCP server: 192.168.20.189
  • 11. Implementation Plan Template Group 5 UMUC CMIT 495 Figure 7 Startup Wizard 2.6.3 Setup access to the public server farm in DMZ in ASA 5500 NY.WWTC.com has a DMZ that contains Public Server for the internal network, such as a web, email, which need to be available to an outside user. By placing the public servers on the DMZ, any attacks launched against the public servers do not affect inside NY.WWTC.com network. The figure below shows the setup process for each public server. For example Figure 8 is setup for the web server. Figure 8 Add Public Server 2.6.4 Configure VPN for IPSEC in ASA 5500 Step 1 Site-to-Site VPN Wizard—Create an IPsec site-to-site tunnel between two ASAs or the client can run either the SSL or IPsec IKEv2 VPN protocol. Step 2 After authentication, users access a portal page and can access specific, supported internal resources. The IT Team will provide access to resources by users on a group basis by department such as Execs/HR/Brokers/Management/Finance and IT. ACLs will be applied to restrict or allow access to WWTC resources. Step 3 IPsec (IKEv1) Remote Access VPN Wizard—Configures IPsec VPN remote access for the Cisco IPsec client shown in Figure 9. 192.168.10.10
  • 12. Implementation Plan Template Group 5 UMUC CMIT 495 Figure 9 VPN Wizard 2.6.5 Configure firewall rules in ASA 5500 Name Action Direction Protocol Port Allow Net Time Protocol Allow In/Out UDP/IP 123 Allow DNS Allow Out UDP/IP 53 Allow bootp Allow In/Out UDP/IP 68 Allow incoming bootp Allow In UDP/IP 68 Allow NetBIOS Allow In/Out TCP/IP Allow NetBIOS Allow In/Out UDP/IP Allow Ipsec ESP Allow In/Out IPSEC N/A Allow IKE Allow In UDP ike (500) All IKE Outbound Allow Out TCP Any Allow Client to Server Communication Allow In TCP http (80) Block incoming pings Not Allow In ICMP Echo Request Block ICMP Timestamp Not Allow In ICMP N/A Block ICMP Router Solicit Not Allow In ICMP N/A Block ICMP Redirect Not Allow In ICMP 5 Allow all ICMP Allow In/Out ICMP Any 2.6.6 Physically install Cisco IPS 4270 The Cisco IPS 4270 is a Intrusion Prevention System that will be located in the unclassified IT closet, room 4, Suite A and classified IT closet, room 4, Suite D. Traffic will go through the IP then forwarded to the firewall checks. The IPS is “inline mode” with the firewall. Order of traffic will be:  Traffic enters IPS  IPs applies security policies to traffic and takes action  Valid traffic is sent to ASA firewall  Traffic enters the ASA.  Firewall policies are applied.  Incoming traffic is decrypted  Outgoing VPN traffic is encrypted 2.6.7 Configure IPS 4270 for “inline mode” between ASA 5500 and WWTC network Figure 10 is an example of how the inline mode IPs works except the firewall is behind the IPS before the inside network:
  • 13. Implementation Plan Template Group 5 UMUC CMIT 495 Figure 10 IPS inline mode Connecting device:  Use CAT 5e/6-certified cabling for all connections.  The interfaces will be configured to match the interfaces of the appliance for speed/duplex negotiation (auto/auto).  Portfast will be enabled on connected switchports to reduce spanning-tree forwarding delays. 2.6.8 Install McAfee E-Policy Orchestrator (EPO) The McAfee EPO server provides Antivirus and Host Intrusion Prevention (HIP) to all host systems in NY.WWTC.com domain. The server will be located in the unclassified IT closet, room 4, Suite A and classified IT closet, room 4, Suite D. Step 1 McAfee EPO software will be installed on 2008R2 Server/64bit. Configure IP of Server for 192.168.22.10 for unclassified and classified server. Once software fully installs by default configurations, the following logon will appear and username is defaulted admin with password: admin. The following logon is shown in Figure 11. Figure 11 McAfee EPO installation Step 2 Deploy the McAfee agent to all client systems in the NY.WWTC.com domain which will install Virus Scan Enterprise (VSE) and Host Intrusion Prevention (HIP) on all systems. Below is the setup process to install the agent on all systems from the EPO Server. After the agent deploys to all systems, ensure the clients are pulling VSE and HIPs which is shown Figure 12 and 13.
  • 14. Implementation Plan Template Group 5 UMUC CMIT 495 Figure 12 Virus Scan Enterprise Figure 13 Host Intrusion Prevention 2.6.9 Install and configure Cisco Access Control Server (ACS) 5.4 The ACS will be located in the unclassified IT closet, room 4, Suite A and classified IT closet, room 4, Suite D. Authentication verifies user information to confirm the user's identity. Traditional authentication uses a name and a fixed password. More secure methods use cryptographic techniques, such as those used inside the Challenge Authentication Handshake Protocol (CHAP), OTP, and advanced EAP-based protocols (User Guide for Cisco Secure Access Control System 5.4, 2015). ACS supports a variety of these authentication methods (User Guide for Cisco Secure Access Control System 5.4, 2015). A fundamental implicit relationship will exist between authentication and authorization. The more authorization privileges granted to a user, the stronger the authentication should be. ACS supports this relationship by providing various methods of authentication (User Guide for Cisco Secure Access Control System 5.4, 2015) Step 1 Add network devices, users and create authorization rules to allow or deny access through RADIUS authentication. RADIUS authentication port number is 1812. Step 2 Install ACS license, system certificates and configure password policy rules for administrators and users. 2.6.10 Install and configure KG-175D The KG-175D is a TACLANE that separates the classified data from the unclassified data through communication security. Step 1 Physically install KG-175D  Attach a ground wire to an earth ground  Loosen or remove the nut from the “GND” ground binding post on the TACLANE as needed.  Attach the ground wire to the “GND” ground binding post on the TACLANE and tighten the nut.  Make sure that the TACLANE is powered off.
  • 15. Implementation Plan Template Group 5 UMUC CMIT 495  Connect the power cable to the power connector on the TACLANE.  Plug the power supply cable into a standard 110 VAC power outlets.  Connect the Ethernet cable to the PT or CT RJ-45 jack on the TACLANE Step 2 Configure KG-175D to separate classified from unclassified network  Configure ASA 5500 firewall in the path between communicating TACLANEs to pass SDD, IKE, and ESP.  Insert CIK  Power on TACLANE  CIK activation will initialize 2.6.11 Configure VLAN security on network devices All unused ports will be shutdown or placed in a black hole VLAN. By shutting down or isolating all unused ports will disable trunking of the unused ports. In addition, Dynamic Trunk Protocol will be turned off to prevent automatic negotiating to trunking mode which only allows manual configuration for trunking a port. The command will be (config-if)# switchport negotiate on the interface. 2.6.12 Configure port security on network devices Enabling port security limits the amount of MAC addresses that can connect and send data on the ports they are connected to. This prevents unauthorized MAC addresses from connect to a port and obtaining access to the network. The command will be (config-if)# switchport port-security on the interface and to have the port shutdown due to unauthorized connections, a protection will be enabled. The command will be (config-if)# switchport port-security violation protect. 2.6.13 Configure DHCP snooping on network devices Enabling DHCP snooping can provide another layer of defense through the router by acting like a secondary firewall between the DHCP server and untrusted systems. The command to set up DHCP snooping is (config)# feature dhcp and is configured on the switch. 2.7 Active Directory Implementation Step # Task 1 Prepare the Forest Root/Parent Domain; WWTC.com 2 Create the Forest Root/Parent Domain; WWTC.com 3 Create a Child Domain; NY.WWTC.com 2.7.1 Prepare the Forest Root/Parent Domain; WWTC.com 1) Deploy the First Forest Domain Controller. Review the AD DS and logical structure design. 2.7.2 Create the Forest Root/Parent Domain; WWTC.com Step 1 Enable Windows Server 2012 R2 AD DS advanced features by raising the forest and domain functional levels. It is recommended that you raise forest and domain functional levels while you run the Active Directory Domain Services Installation Wizard (Dcpromo.exe). Step 2 Creating the Forest Root Domain: WWTC’s Hong Kong Headquarters office had previously established the WWTC.com Forest domain. Reportedly, they installed the Active Directory Domain Name Services (AD DS) role onto their first domain controller by utilizing the Windows Server 2012R2 Server Manager tool. Installing AD DS is performed through “Add roles and features”, a wizard that automatically adds in the needed tool sets and features required for active directory. Once AD DS was installed, Server Manager alerted the administrator that a post-deployment action was needed entitled, “Promote this server to a domain a controller”. Upon selecting the deployment configuration wizard,
  • 16. Implementation Plan Template Group 5 UMUC CMIT 495 Hong Kong created the Forest named WWTC.com. (Figure 14) Once the prerequisite checks passed, the domain controller promotion completed successfully and WWTC.com established the schema. Figure 14 Add AD Forest 1) Deploy the First New York Domain Controller a) Install Active Directory Domain Services (AD DS) by running the Active Directory Domain Services Installation Wizard on the server selected to be the first domain controller. b) Add new domain to an existing forest (Fig. 15) Figure 15 Child Domain 2.8 Configuration of Routers The following information is provided in order to configure the NY.WWTC routers. This is the first time the routers are accessed and they contain a default configuration from Cisco. The router holds an IOS (Internetwork Operating System). This IOS is considered proprietary software and should not be accessed or modified unless specifically handled by WWTC’s IT team. Figure xxx illustrates NY.WWTC’s Core
  • 17. Implementation Plan Template Group 5 UMUC CMIT 495 Router 1 (CR1) and will be used as the configuration example. All other NY.WWTC.com routers will follow suit appropriate to the router name and IP addressing Figure 16. Name Interfac e IP CR1 Gi0/0 Gi0/1 Gi0/2 192.168.23.193 192.168.23.205 65.32.1.65 to ISP CR2 Gi0/0 Gi0/1 Gi0/2 192.168.23.201 192.168.23.207 65.32.1.68 to ISP DR1 Gi0/0 Gi0/1 Gi0/2 192.168.23.192 192.168.23.202 192.168.23.209 DR2 Gi0/0 Gi0/1 Gi0/2 192.168.23.206 192.168.23.202 192.168.23.210 CCR1 Classified Gi0/0 Gi0/1 172.16.31.201 172.16.31.202 Figure 16 IP Addressing The following information is used by IT staff members to setup communications between a router and a NY.WWTC.com computer. IMPORTANT: Prior to starting the configuration, it is important for the IT staff to verify that all peripherals devices are connected properly to the routers. Failure to properly connect these devices could result in incomplete or misconfigured device operation. HyperTerminal (HT) into the Router Software Name Cabling Required Procedure HT allows configuration access into Router interface through the HT application. HT settings are considered standard and can be applied on every NY.WWTC.com router. HT> WWTC Windows 8 users can obtain a free copy of HyperTerminal from here. Cable, Console port DB9 to RJ45 Cable, USB to DB9 adapter Connect Console port cable DB-9- RJ45 with USB Adapter to USB jack on computer. Attach other end to RJ-45 jack on back of the router. Open HyperTerminal on the laptop by going to the Start -> All Programs -> Accessories -> Communications and click on HyperTerminal. Configure HyperTerminal by going to the properties menu. Set up the program with the correct serial port, i.e. COM1. Configure the serial port to 9600 bit/s, eight (8) data bits, no parity bit, one (1) stop bit, and flow control set to none. Once the terminal communication program has been properly configured, press <Enter> and the command prompt # will appear.
  • 18. Implementation Plan Template Group 5 UMUC CMIT 495 The following commands are Global Configurations mode commands used to configure the Router Name and set up security passwords. Display Command 1. Router> Press <Enter> to connect with the router (The terminal should display: con0 is now available 2. Router> Type enable 3. Router# Type configure terminal 4. Router(config)# Type hostname CR1 (sets the device hostname) 5. CR1(config)# Type enable password letmein (sets the enable password) 6. CR1(config)# Type enable secret NY.R0uter (sets an encrypted secret password) 7. CR1(config)# Type line console 0 (enters console line mode) 8. CR1(config-line)# Type password letmein (sets a password on the line console login) 9. CR1(config-line)# Type login (forces the use of the password) Type exit 10. CR1(config)# Type line vty 0 4 (enters the vty mode for all 5 vty lines) 11. CR1(config-line)# Type password letmein (sets the password for the vty lines) 12. CR1(config-line)# Type login (forces the use of the password) Type exit 13. CR1(config)# Type line aux 0 (enters the auxiliary line mode) 14. CR1(config-line)# Type password letmein (sets the password on the aux port) 15. CR1(config-line)# Type login (forces the use of the password) Type exit, Type exit 16. CR1# Type copy run start (saves configuration to NVRAM) The following commands shown below are to assign an IP address to the interfaces and to assign a login banner. Display Command 1. CR1(config)# Type ip domain-name NY.WWTC.com 2. CR1(config)# Type router eigrp 1 3. CR1(config-router)# Type no auto-summary Type exit 4. CR1(config)# Type interface Gi0/0 5. CR1(config-if)# Type ip address 192.168.23.193 255.255.255.0 6. CR1(config-if)# Type no shut 7. CR1(config-if)# Type interface Gi0/1 8. CR1(config-if)# Type ip address 192.168.23.205 255.255.255.0 9. CR1(config-if)# Type no shut 10. CR1(config-if)# Type interface Gi0/2 11. CR1(config-if)# Type ip address 65.32.1.65 255.255.255.0 12. CR1(config-if)# Type no shut -- Type exit 13. CR1(config)# Type banner motd # (Terminal should display: Enter TEXT message. End with the character ‘#’) Enter WARNING …You are accessing a company proprietary information system that is provided for WWTC authorized use only. Unauthorized access is prohibited! Enter your username and password. # 14. CR1(config)# Type exit 15. CR1# Type copy run start (saves configuration to NVRAM) Power the laptop OFF by performing normal computer shutdown procedures and disconnect the console cable from the laptop USB port and from the CR1 router console port. 2.9 Configuration of Switches The following steps are required to configure the NY.WWTC switches. This is the first time the switches are accessed and they contain a default configuration from Cisco. The switch holds an IOS (Internetwork Operating System). This IOS is considered proprietary software and should not be accessed or modified
  • 19. Implementation Plan Template Group 5 UMUC CMIT 495 unless specifically handled by WWTC’s IT team. Figure xxx illustrates NY.WWTC’s switch (ASW1) and will be used as the configuration example. All other NY.WWTC.com switches will follow suit appropriate to the switch and IP addressing in Figure 17. Name Interface IP ASW1 Fa0/0 Fa0/1 192.168.23.22 3 192.168.23.22 9 ASW2 Fa0/0 Fa0/1 192.168.23.23 2 192.168.23.22 6 CASW 1 Classified Fa0/0 Fa0/1 172.16.31.205 172.16.31.206 Figure 17 Switch IP Addressing The following information is used by IT staff members to setup communications between a switch and a NY.WWTC.com computer. HyperTerminal (HT) into the Router Software Name Cabling Required Procedure HT allows configuration access into switch interface through the HT application. HT settings are considered standard and can be applied on every NY.WWTC.com router. HT> WWTC Windows 8 users can obtain a free copy of HyperTerminal from here. Cable, Console port DB9 to RJ45 Cable, USB to DB9 adapter Connect Console port cable DB-9- RJ45 with USB Adapter to USB jack on computer. Attach other end to RJ-45 jack on back of the router. Open HyperTerminal on the laptop by going to the Start -> All Programs -> Accessories -> Communications and click on HyperTerminal. Configure HyperTerminal by going to the properties menu. Set up the program with the correct serial port, i.e. COM1. Configure the serial port to 9600 bit/s, eight (8) data bits, no parity bit, one (1) stop bit, and flow control set to none. Once the terminal communication program has been properly configured, press <Enter> and the command prompt # will appear. The following commands are Switch Configuration commands used to configure the switch name and set up security passwords. Display Command 1. Switch> Press <Enter> to connect with the switch (The terminal should display: con0 is now available 2. Switch> Type enable
  • 20. Implementation Plan Template Group 5 UMUC CMIT 495 3. Switch# Type configure terminal 4. Switch(config)# Type hostname ASW1 (sets the device hostname) 5. ASW1(config)# Type ip domain-name NY.WWTC.com 6. ASW1(config)# Type no ip domain-lookup (This disables the switch from translating unfamiliar words) 7. ASW1(config)# Type enable password letmein (sets the enable password) 8. ASW1(config)# Type enable secret NY.Switch (sets an encrypted secret password) 9. ASW1(config)# Type crypto key generate rsa How many bits in the modulus [512]: 2048 10. ASW1(config)# Type line console 0 (enters console line mode) 11. ASW1(config-line)# Type password letmein (sets a password on the line console login) 12. ASW1(config-line)# Type login local (forces the use of the password) 13. ASW1(config-line)# Type transport input ssh 14. ASW1(config-line)# Type exec-timeout 1 00 Type exit 15. ASW1(config)# Type line vty 0 4 (enters the vty mode for all 5 vty lines) 16. ASW1(config-line)# Type password letmein (sets the password for the vty lines) 17. ASW1(config-line)# Type login local (forces the use of the password) 18. ASW1(config-line)# Type transport input ssh 19. ASW1(config-line)# Type exec-timeout 5 Type exit 20. ASW1(config)# Type line vty 5 15 (enters the vty mode for vty lines 5 through 15) 21. ASW1(config-line)# Type password reallykeepout (sets the password for the vty lines) 22. ASW1(config-line)# Type login (forces the use of the password) Type exit 23. ASW1(config)# Type line aux 0 (enters the auxiliary line mode) 24. ASW1(config-line)# Type password letmein (sets the password on the aux port) 25. ASW1(config-line)# Type login (forces the use of the password) Type exit, Type exit 26. ASW1(config)# Type no logging console Type exit 28. ASW1# Type copy run start (saves configuration to NVRAM) 2.10 VLAN configurations The following information is used by IT staff members to setup the individual VLANs on ASW1 and ASW2. VLAN 20 “Staff” will be used as the example. The following commands will assign the appropriate VLAN to the appropriate switch. (Refer below above for name and IP assignments). Display Command 1. ASW1# Press <Enter> to connect with the switch (The terminal should display: con0 is now available 2. ASW1# Type enable 3. ASW1# Type configure terminal 4. ASW1(config)# Type interface f0/1 5. ASW1(config)# Type vlan 20 6. ASW1(config-vlan)# Type name staff 7. ASW1(config-vlan)# Type switchport mode access 8. ASW1(config-vlan)# Type switchport access vlan 20
  • 21. Implementation Plan Template Group 5 UMUC CMIT 495 9. ASW1(config-vlan)# Type switchport port-security mac-address sticky 10. ASW1(config-vlan)# Type switchport port-security maximum 1 11. ASW1(config-vlan)# Type switchport port-security violation shutdown 12. ASW1(config-vlan)# Type ip address 192.168.20.254 255.255.255.0 13. ASW1(config-vlan)# Type no shutdown Type exit 14. ASW1(config)# Type ip default-gateway 192.168.23.193 15. ASW1(config)# Type no shutdown 16. ASW1(config)# Type password letmein (sets the password for the vty lines) 17. ASW1# Type copy run start (saves configuration to NVRAM) Power the laptop OFF by performing normal computer shutdown procedures and disconnect the console cable from the laptop USB port and from the ASW1 switch console port 2.11 Voice VLAN and wireless NY.WWTC site requires network access for users and guest users in limited areas of the three lobbies and two conference rooms throughout Suite A-C. Since NY.WWTC is providing a private network, WWTC wireless users will be designated to VLAN 27 to keep wireless users from accessing the WWTC intranet. Creating a VLAN for the wireless users provides enhanced security to keep unauthorized users from accessing WWTC’s sensitive data. WWTC requires a state of the art VOIP network. The voice and data must be integrated to reduce cost and maintain 100% connectivity. Voice over IP provides a latest platform for internal and external communication. The technology is cheap, simple, and scalable and has high degree of fault tolerance. To prevent network congestion, NY.WWTC isolates the VoIP traffic from the data traffic because VoIP traffic is extremely sensitive to network delays that occur from unavailable bandwidth and bottlenecks. The isolation of the VoIP traffic is accomplished by the creation of separate VLANs. The VoIP traffic will be designated to VLAN 24 to keep VoIP separated from the data traffic on NY.WWTC’s network. By dedicating VoIP to a VLAN, IT managers allow the VoIP services to be easily managed. Table 18 and 19 outline the VoIP assignment and topology. Figure 18 VoIP Assignment
  • 22. Implementation Plan Template Group 5 UMUC CMIT 495 Figure 19 VoIP Topology 2.12 Security technologies The security goals of NY.WWTC.com are to protect key assets which in today’s industry are vulnerable to four common threats. Those are: reconnaissance attacks, intruder threat, denial of service attack and malware infiltration. In addition to those security threats, WWTC is focused on eliminating the lack of security training for WWTC employees. Quarterly, WWTC conducts an all-hands training session that reviews the latest security threats for business. The WWTC’s IT team is also aware that weak security devices (or those lacking functionality), could cost WWTC time and money if/when not properly positioned. The fix: implement a collection of security devices and properly configure and position those devices within the network. Key Assets The NY.WWTC site presents a High Level security plan where key applications, servers and network resources (data) will be kept secure. NY.WWTC presents these security technologies based on current industry standards with multilayered security and a defense-in-depth models. The following areas have been identified as NY.WWTC key assets and will be protected.  Market Tracking Application Servers  Stock and Bond Analytical Application Servers  On Line Trading Sites and Methods  Finance data  Human Resources data  All NY.WWTC Internal Servers The following table lists and describes the security device roles that will be used to protect NY.WWTC key assets. Each icon is represented in Figure 21. The illustration aims at presenting a high level representation and the placement of these devices.
  • 23. Implementation Plan Template Group 5 UMUC CMIT 495 Icon Item Name Description Role Cisco ASR 1001 Edge Router These routers sit at the edge of the WWTC network connecting the company to the WANs Internet Service Provider links 1. Managed services, including VPN and firewall 2. Provides WAN aggregation and secure, encrypted WAN connectivity 3. Provides WWTC with Deep packet Inspection (DPI) Cisco IPS 4270 These Intrusion Prevention Systems monitor IP traffic within WWTC's network 1. An inline network security appliance 2. Detect threats to intellectual property and WWTC customer data 3. Stops sophisticated attackers by detecting behavioral anomalies, evasion, and attacks against WWTC vulnerabilities 4. Reduce the time and effort required to implement and update security measures KG175D High Assurance IP Encryption 1. Encrypts WWTC traffic from NY to Tokyo. 2. Remote HAIPE-to-HAIPE keying 3. Ethernet, IPv4/IPv6 Dual Stack compatible Cisco Access Control System 5.4 WWTC's centralized identity and access policy solution with network access policy and identity strategy 1. WWTC managed access policy device that defines policy rules in both IPv4 and IPv6 networks 2. Integrates with external identity and policy databases, including WWTC's Windows Active Directory to control network access 3. Provides standards-compliant Authentication, Authorization, and Accounting (AAA) services to the WWTC network for VPN and wireless users McAfee EPO Server Provides host base security to prevent malware, exploitations, reconnaissance, denial of service, loss of data, intrusions and is managed from one server. Provides Virus Scanning Enterprise. Integrates Host Intrusion Prevention (HIPS) Prevents data loss with Data Loss Prevention (DLP) Figure 20 Security Technology Figure 21 illustrates the positioning of key asset protection devices. IPsec technology will be deployed on.
  • 24. Implementation Plan Template Group 5 UMUC CMIT 495 Figure 21 IPsec Deployment 2.13 DHCP and DNS The NY.WWTC site has two types of DNS zones; Forward and Reverse. A forward lookup zone resolves a name to an IP address while a reverse lookup zone does the opposite and resolves an IP address to a name. The global catalog domain controller (NYDC01.NY.WWTC.com) has an assigned static IP address of 192.168.20.189 and is considered the zone’s SOA (Start of Authority) record. This server hosts many types of records. A host name record (called an A record, IPv4) translates a name into an IP address. Related to the reverse zone, pointer (PRT) records are always written backwards ( ). NY.WWTC.com uses an Active Directory Integrated zone meaning that all DNS records are stored within Active Directory. Located on the NYDC01.WWTC.com domain controller (assigned as the domain global catalog server), the DNS zone is a Primary zone. All AD domain controllers hold a DNS role. AD is known as a multi-master loosely defined database. This means that all other AD domain controllers replicate and exchange (propagate) information between each other. The benefit of using primary DNS lookup zones is that this propagation is done in a secured manner. For example, when NYDC01 and NYDC02 exchange zone records, the exchange is always done through a technique known as secure dynamic updates. It is true then, that within the entire WWTC.com’ DNS structure (the Forest), all DNS zones are considered primary and replication (known as Zone Transfers) are performed securely. Hong Kong domain controllers replicate to NY.WWTC.com, and vice versa. Below are images of NYDC01.NY.WWTC.com domain controller DNS configuration. Figure 22 illustrates DNS secured configuration, Figure 23 illustrates DNS records and Figure 24 illustrates DNS zone transfer.
  • 25. Implementation Plan Template Group 5 UMUC CMIT 495 Figure 22 DNS Secured Configuration Figure 23 DNS Records Figure 24 DNS Zone Transfer Dynamic Host Configuration Protocol (DHCP) is a method that dynamically and automatically assigns IP addressing (IP Addresses) to client computers located on the NY.WWTC.com domain. NYDC01.NY.WWTC.com is the server that will hold the DHCP role for NY.WWTC.com. NYDC01 not only issues the client IP address, but will also deliver the network subnet mask, the default gateway of the network, and both a primary and secondary DNS server IP addresses to domain client computers. NYDC01.NY.WWTC.com will have 6 scopes illustrated in Figure 25: Scope Name # of Addresses Subnet Mask Default Gateway DNS1 Brokers 126 255.255.255.128 192.168.20.1 192.168.20.189
  • 26. Implementation Plan Template Group 5 UMUC CMIT 495 Managers 62 255.255.255.192 192.168.20.1 192.168.20.189 Executives 30 255.255.255.224 192.168.20.1 192.168.20.189 Staff Scope 30 255.255.255.224 192.168.20.1 192.168.20.189 Phones 254 255.255.255.0 192.168.20.1 192.168.20.189 IT Management 30 255.255.255.224 12.168.20.1 192.168.20.189 Figure 25 NY.WWTC Scopes 2.14 Active Directory Policies Windows BitLocker Drive Encryption is a security feature that provides enhanced data protection for computers by encrypting all data stored on the Windows Operating System volume (Microsoft, 2014). A Trusted Platform Module (TPM) is a microchip that is built into computers to store cryptographic information such as encryption keys. BitLocker uses TPM to help protect the Windows Operating System and user data, and helps to ensure a computer is not tampered with in the invent it is lost or stolen (Microsoft, 2014). To encrypt the workstations and servers in NY.WWTC, the IT team will deploy the BitLocker encryption technology onto these devices. BitLocker drive encryption is a technique that is used to secure data at rest behind unique, hard to crack passwords. BitLocker Drive Encryption encrypts computer data using a strong encryption algorithm offering maximum security for the WWTC business user. As an extreme example, imagine a computer being stolen from WWTC. The thief, after starting the computer, or even removing the hard drive and placing it into a different computer, would be restricted from accessing any information due to the encryption technology. To the thief, the information is jumbled and unreadable. Implementing BitLocker Encryption technology onto WWTC devices requires each employee to have: 1. A separate UBS flash Drive used to store a PIN or key. Or, 2. A computer with a Trusted Platform Module (TPM). A TPM is a special microchip located in the computer that supports advanced security encryption features. TPM version 1.2 or higher stores its key in the TPM itself Enforcing BitLocker encryption on a USB WWTC employees are known to occasionally take data off site. To enforce that BitLocker encrypts only the used space of a removable storage media device (e.g. USB drive), WWTC enforces a group policy that sets BitLocker drive encryption on removable media. WWTC’s IT team sets a GPO under Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption. Figure 26 provides a visual sample of where this setting(s) can be found.
  • 27. Implementation Plan Template Group 5 UMUC CMIT 495 Figure 26 Bitlocker Encryption BranchCache To provide increased manageability, scalability, and data availability, the WWTC IT team enables a technology known as BranchCache across the network. BranchCache is a technology that copies content from WWTC’s Hong Kong file servers and caches (saves in memory) the content on to WWTC’s New York regional office file servers allowing client computers at the regional offices to access the content locally rather than over the WAN. (Microsoft, 2015). A benefit of deploying BranchCache results in efficient optimization and use of bandwidth. For example, when a client accesses remote content in Japan, BranchCache is used to store (cache) the desired content locally on the NY site. If a client wants to access the same content later, that data does not need to be downloaded a second time as it already resides within the BranchCache in NY. By default, BranchCache allocates 5% of the disk space for the cache, but this value can easily be changed by creating and assigning a GPO. One of the concerns is bandwidth. Bandwidth can become quickly saturated if wireless networking (WLAN) is utilized alongside wired methods. Shown in Figure 27 enabling BranchCache on WWTC client computers is done through a group policy. WWTC’s IT team sets a GPO under Computer Configuration | Policies | Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine | Network | BranchCache shown in Figure 4. (Technet, 2015). Figure 27 Branch Cache 2.14.1 Configure Global Catalog Servers and FSMO roles The Schema Master and Domain Naming Master will be located at the Forest root (WWTC.com).
  • 28. Implementation Plan Template Group 5 UMUC CMIT 495 The RID Master, Infrastructure Master, PDC Emulator roles are located in each child domain (NY.WWTC.com), yet there will be only one domain controller performing these jobs per domain. (Testout.com, 2015). On the opened Active Directory Sites and Services snap-in, from the left pane, expand Active Directory Sites and Services (DC-01.NY.WWTC.com) > Sites > Default-First-Site-Name > Servers > DC-01. DC- 01.NY.WWTC.com and DC-01 are the Fully Qualified Domain Name and the hostname of the target Active Directory domain controller that you want to be promoted as a Global Catalog server in this demonstration respectively which is illustrated in example below. On the displayed NTDS Settings Properties box, make sure that the General tab is selected. On the displayed interface, check the Global Catalog checkbox to promote the target Active Directory domain controller to a Global Catalog server. Shown below is a screenshot of where to select a server for Global Catalog. 2.15 Active Directory Forest Domain OU formation WWTC is headquartered in Hong Kong Japan, yet operates regional offices around the world. WWTC’s newest office is being established on Wall Street in New York City. The New York office is largely autonomous and only has a few IT personnel to take care of day-to-day IT support activities such as password resets and troubleshooting virus problems. As well, the IT team is concerned about sensitive data stored in this location. As a result, WWTC is deploying a highly developed OU structure in order to implement security policies uniformly through the use of Group Policy Objects (GPO). This will be performed on the company’s domains, OU’s, and workstations. As a top level diagram, Figure 28 is the structure of WWTC’s forest layout.
  • 29. Implementation Plan Template Group 5 UMUC CMIT 495 Figure 28 Forest Layout The WWTC forest design is: 1. One forest for WWTC.com (Hong Kong based) – this is called the forest root or Parent domain -- WWTC.com is a Tree domain that establishes the company’s name space 2. Within this forest, the IT team has created a second domain called NY.WWTC.com -- NY.WWTC.com is known as a Child domain that shares the common name space 3. WWTC.com and NY.WWTC.com domains trust each other 4. NY.WWTC.com can share resources with WWTC.com and vice versa 5. WWTC.com uses a common schema where all objects within the Forest take advantage of common applications (e.g. mail services (Microsoft Exchange), Intranet web sites, Market Tracking and Stock and Bond Analytical applications) 6. The WWTC Forest can easily accommodate growth (such as additional domains) In general, all WWTC.com computers belong to a domain. These domains have been established based on the physical location of where the local resources reside. The users in Hong Kong belong to WWTC.com and the users in New York are members of NY.WWTC.com. A standardized, shared naming convention (a common space (WWTC.com)) is in place and both domains “trust” each other. Like that of Hong Kong, the New York office has established OUs that mirror the logical structure of the company’s NY office mission. Shown in Figure 29 is the NY.WWTC.com infrastructure of ten OU’s.
  • 30. Implementation Plan Template Group 5 UMUC CMIT 495 _New York Organizational Units Brokers  Users  Workstations Execs (Executives)  Users  Workstations Finance  Users  Workstations HR (Human Resources)  Users  Workstations IT  Users  Workstations Managers  Users  Workstations Printers Servers Clustered Servers Security Groups Figure 29 OU Structure OU’s for each department within the NY.WWTC.com domain have been proposed. Inside each department OU are two other OU’s; Users and Workstations. All employees (users) and their computers (workstations) will be properly placed inside of these nested containers according to their department. 2.16 Active Directory Group Formation Universal groups can be assigned permissions to resources anywhere in the forest. Universal groups can contain members from any domain in the forest. These include Universal groups within the forest, Global groups within the forest and/or Users and computers within the forest (Labsim, 2015). The Universal Groups, who require access within WWTC.com and NY.WWTC.com, are: 1. Execs (Executives) 2. Finance 3. HR (Human Resources) Domain Local groups have permission within the current Domain. The following groups will be created for personnel who need access to only the NY.WWTC.com domain. Below are the Domain Local Groups: 1. Brokers 2. IT (Information Technology) 3. Managers
  • 31. Implementation Plan Template Group 5 UMUC CMIT 495 Global groups can be assigned permissions to resources anywhere in the forest. Global groups can contain members within the same domain. The Global Group is created for users with VPN access when traveling between sites. The following Global Group is: 1. VPN Remote Figure 30 shows the role and the group scope of each type of group: Figure 30 Group Scope PowerShell Scripting Powershell is a command-line tool that offers administrators an alternative over the standard graphical user interface (GUI) environment. Servers are less burdened without memory intensive GUI applications and video rendering software. Related to Active directory, groups can be built by using Powershell scripting. To do a bulk build of groups through a Powershell script, WWTC IT staff recommends importing .csv file that holds data identifying the group information. An example of the NY.WWTC group structure, the below is a representation of information found within a .csv file. GroupName GroupType GroupLocation Brokers DomainLocal OU=_New York,OU=Security Groups Execs Universal OU=_New York,OU=Security Groups Finance Universal OU=_New York,OU=Security Groups HR Universal OU=_New York,OU=Security Groups IT Admins DomainLocal OU=_New York,OU=Security Groups Managers DomainLocal OU=_New York,OU=Security Groups VPN Remote Global OU=_New York,OU=Security Groups
  • 32. Implementation Plan Template Group 5 UMUC CMIT 495 In order to execute the group Powershell command, specific syntax is needed. The following example represents the script syntax required to automatically create NY.WWTC groups. $csv = @() $csv = Import-Csv -Path "C:Desktopbulk_input.csv" #Get Domain Base $searchbase = Get-ADDomain | ForEach { $_.DistinguishedName } ForEach ($item In $csv) { $check = [ADSI]::Exists("LDAP://$($item.GroupLocation),$($searchbase)") If ($check -eq $True) { Try { $exists = Get-ADGroup $item.GroupName Write-Host "Group $($item.GroupName) alread exists! Group creation skipped!" } Catch { $create = New-ADGroup -Name $item.GroupName -GroupScope $item.GroupType -Path ($($item.GroupLocation)+","+$($searchbase)) Write-Host "Group $($item.GroupName) created!" } } Else { Write-Host "Target OU can't be found! Group creation skipped!" } } 2.17 Active Directory GPO Implementation An important management process for NY.WWTC.com is having the ability to define unique yet managed configurations for all users and computers across the WWTC.com forest. The deployment strategy and designed use of group policies is for security configurations, updating and installing software and protecting the confidentially, integrity and availability of WWTC.com computing information systems. For security purposes, the following Group Policies will be applied to the NY.WWTC.com Default Domain Policy shown in the Figure 31 below: 1. Rename the local Administrator Account Policy 2. Disable the Guest Account Policy 3. User Access Control (UAC) Policy
  • 33. Implementation Plan Template Group 5 UMUC CMIT 495 Figure 31 Default Domain Policy Renaming the local Administrator Account on hundreds of systems can be very time consuming which is why enforcing GPOs allows for easier management. This GPO offers security to all systems in the NY.WWTC.com domain by renaming the local Administrator account which could be exploited. The settings for creating this GPO are found in Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity Options, which can be seen in the flowing Figure 32. Figure 32 Renaming Local Administrator Account Disabling the Guest Account can also be a time consuming task when required on hundreds of systems. The benefit of Active Directory is it can be enforced in the domain. Disabling the Guest Account prevents unauthorized access from a threat. The settings for creating this GPO are found in Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity Options, which can be seen in Figure 33.
  • 34. Implementation Plan Template Group 5 UMUC CMIT 495 Figure 33 Disabling Guest Account User Account Control provides security which enforces standard user level access and administration authentication for any changes or modifications to a system (Technet, 2015). It prompts a user for Administrative rights when accessing applications, registry or file systems. This enables Administrators to use their user account without having to log on and off systems to enforce Administrator actions. The settings for creating a UAC GPO are found in Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity Options, which can all be seen in Figure 34. Figure 34 UAC
  • 35. Implementation Plan Template Group 5 UMUC CMIT 495 2.18 Project Time Line Date Completed Project Milestone January 25 Business and design requirements identified for the LAN, Wireless, VoIP, security, and Active Directory implementation. Please refer to Group 5 DR Assignment document. February 4 Preliminary design for the LAN, Wireless, and VoIP has been submitted for client review. Please refer to LAN_VOIP_Wireless Assignment document. February 11 Design modification requests for the LAN, Wireless, and VoIP received from the client. February 15 Preliminary security design submitted for client review. Please refer to Security Polices and Network Security document. February 21 Security design modification requests received from the client. February 22 Preliminary Active Directory Design submitted for client review. Please refer to Active Directory Final document. February 29 Active Directory design modification requests received from the client. March 7 Final Design for LAN, Wireless, VoIP, Security, and Active Directory submitted to client for review.
  • 36. Implementation Plan Template Group 5 UMUC CMIT 495 References Be’ery, Tal. (2014). Smart Card Logon: The Good, the Bad and the Ugly. Retrieved on February 18, 2015 from http://www.aorato.com/blog/windows-smart-card-logon-good-bad-ugly/ BitLocker Group Policy Settings. (n.d.). Retrieved January 25, 2015, from https://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_detypefdd BitLocker: How to enable Network Unlock. (n.d.). Retrieved January 25, 2015, from https://technet.microsoft.com/en-us/library/jj574173.aspx#BKMK_NUnlockCoreReqs Bond, P., & Bement, A. (2002, December 3). SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES. Retrieved February 10, 2015, from http://csrc.nist.gov/publications/fips/fips140- 2/fips1402.pdf (Bond & Bement, 2002) Cisco Router and Security Device Manager 2.5 User Guide - Site-to-Site VPN [Cisco Router and Security Device Manager]. (2009, July 13). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager/ 25/software/user/guide/SDM25UGD/VPNS2S.html#wp1015553 Cisco ASA 5500-X Series Next-Generation Firewalls - Products & Services. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation- firewalls/index.html?referring_site=bodynav Cisco ASR 1001 Router. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/routers/asr-1001-router/index.html Cisco Aironet 1250 Series Access Point Data Sheet. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1250- series/product_data_sheet0900aecd806b7c5c.html Cisco Catalyst 3560 Series Switches - Products & Services. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/switches/catalyst-3560-series-switches/index.html Cisco IPS 4270-20 Sensor. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/support/security/ips-4270-20-sensor/model.html Cisco Router and Security Device Manager 2.5 User Guide - Site-to-Site VPN [Cisco Router and Security Device Manager]. (2009, July 13). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/td/docs/routers/access/cisco_router_and_security_device_manager /25/software/user/guide/SDM25UGD/VPNS2S.html#wp1015553 Cisco Secure Access Control System - Products & Services. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/security/secure-access-control- system/index.htmlhttp://www.cisco.com/c/en/us/products/collateral/unified- communications/unity-express/reference_guide_c07-566560.html Cisco Unified IP Phone 7912G Data Sheet. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone- 7912g/product_data_sheet09186a00801739c0.html
  • 37. Implementation Plan Template Group 5 UMUC CMIT 495 Cisco Wireless LAN Controllers. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/collateral/wireless/4100-series-wireless-lan- controllers/product_data_sheet0900aecd802570b0.html Cisco Unified Communications 500 Series Model 560 for Small Business: Platform Reference Guide. (n.d.). Retrieved January 25, 2015, from Technet. (2015). Windows Deployment Services Overview. Microsoft. Retrieved on February 20, 2015 from https://technet.microsoft.com/en- us/library/hh831764.aspx Dell Precision T1700 Workstation. (n.d.). Retrieved January 25, 2015, from http://www.dell.com/us/business/p/precision-t1700-workstation/pd Enhanced Interior Gateway Routing Protocol. (2015, January 5). Retrieved February 27, 2015, from http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol- eigrp/16406-eigrp-toc.html Failover Clustering Hardware Requirements and Storage Options. (n.d.). Retrieved January 25, 2015, from https://technet.microsoft.com/en-us/library/jj612869.aspx HP 5900 Switch Series. (n.d.). Retrieved January 25, 2015, from http://h17007.www1.hp.com/us/en/networking/products/switches/HP_5900_Switch_Series/#.V MQBUivF-Cl HP Color LaserJet Pro MFP M176n. (n.d.). Retrieved January 25, 2015, from http://store.hp.com/webapp/wcs/stores/servlet/us/en/pdp/printers/hp-color-laserjet-pro-mfp- m176n HP NC365T 4-port Ethernet Server Adapter. (n.d.). Retrieved January 25, 2015, from http://h18004.www1.hp.com/products/servers/networking/nc365t/index.html Hardware requirements for BitLocker Drive Encryption. (n.d.). Retrieved January 25, 2015, from http://windows.microsoft.com/en-us/windows-vista/hardware-requirements-for-bitlocker-drive- encryption HYPERTERMINAL Trial. (2015). Retrieved February 22, 2015, from https://www.hilgraeve.com/hyperterminal-trial/ IPAM Deployment Planning. (n.d.). Retrieved January 25, 2015, from https://technet.microsoft.com/en- us/library/jj878312.aspx#hard_soft Information Security Policy Templates. (n.d.). Retrieved February 8, 2015, from http://www.sans.org/security-resources/policies/ Internet Connectivity Options [MPLS]. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00801281f1.sht ml Labsim. (2015). Group Facts. Retrieved on February 20, 2015 from http://content.testout.com/client/labsimanywhere.html?mincachedate=01-08-2015-23-50
  • 38. Implementation Plan Template Group 5 UMUC CMIT 495 MacMall | TrippLite 42U Rack Enclosure Server Cabinet 47.25" Deep 29.5" Wide SR42UBDPWD. (n.d.). Retrieved January 25, 2015, from http://www.macmall.com/p/TrippLite-Racks- Enclosures-And-Arrays/product~dpno~8146725~pdp.gbhdhhb Microsoft. (2014). BitLocker Drive Encryption Overview. Retrieved on February 18, 215 from http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview Microsoft. (2013). Failover Clustering Overview. Retrieved on February 19, 2015 from https://technet.microsoft.com/en-us/library/hh831579.aspx Microsoft. (2012). Plan for Automatic File Classification. Retrieved on February 19, 2015 from https://technet.microsoft.com/en-us/library/jj574209.aspx Microsoft. (2014). IP Address Management (IPAM) Overview. Retrieved on February 19, 2015 from https://technet.microsoft.com/en-us/library/hh831353.aspx Springston, Tim. (2006). Smartcard Logon Considerations, or How I Learned to Love Authentication with Smartcards. Retrieved on February 18, 2015 from http://blogs.technet.com/b/ad/archive/2006/11/13/smartcard-logon-considerations-or-how-i- learned-to-love-authentication-with-smartcards.aspx S813 Biometric Smart Card Reader. (n.d.). Retrieved January 25, 2015, from http://www.amag.com/Products/Card-Readers/S813.aspx SIP Trunking With AT&T IP Flexible Reach. (n.d.). Retrieved January 25, 2015, from http://www.business.att.com/enterprise/Service/voice-services/null/sip-trunking/ Sales and Service. (n.d.). Retrieved January 25, 2015, from http://www.ricoh- usa.com/about/sales_and_service/sales_and_services.aspx?alnv=sas Security with Smart Cards. (n.d.). Retrieved January 25, 2015, from https://technet.microsoft.com/en- us/library/cc962052.aspx Security with Smart Cards. (n.d.). Retrieved January 25, 2015, from https://technet.microsoft.com/en us/library/cc962052.aspx Small & Medium Business. (n.d.). Retrieved January 25, 2015, from http://shopping1.hp.com/is- bin/INTERSHOP.enfinity/WFS/WW-USSMBPublicStore-Site/en_US/- /USD/ViewProductDetail- Start;pgid=jDJwlVlq2W9SR0Yk2kO1Yuen0000gcHWdeHl;sid=F8tNwyQ7coxTw3D44yCBV_ 00xcV1sqwevBU=?ProductUUID=sLAQ7EN56zsAAAEuiwpzzsjt&CatalogCategoryID=4e Symmetry Network Cameras. (n.d.). Retrieved January 25, 2015, from http://www.amag.com/Products/Video-Management/Network-Cameras.aspx Technet. (2015). BranchCache. Microsoft. Retrieved on February 18, 2015 from https://technet.microsoft.com/en-us/network/dd425028.aspx Technet. (2015). Client configuration using Group Policy. Microsoft. Retrieved on February 19, 2015 from https://technet.microsoft.com/en-us/library/dd637820%28v=ws.10%29.aspx
  • 39. Implementation Plan Template Group 5 UMUC CMIT 495 Technet. (2015). BitLocker Group Policy Settings. Microsoft. Retrieved on February 18, 2015 from https://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_netunlock Technet. (2015). Try it out: encrypt used space only. Microsoft. Retrieved on February 18, 2015 from https://technet.microsoft.com/en-us/windows/jj983729.aspx TestOut, Online IT Certification Training. (n.d.). Retrieved January 25, 2015, from http://www.testout.com/ Using the Common Access Card for Remote Access VPN with the ASA 5500. (n.d.). Retrieved January 25, 2015, from http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next- generation-firewalls/product_implementation_design_guide0900aecd805fc1d0.html Very Early Smoke Detection Apparatus - Dallas Fire Protection Contractor. (n.d.). Retrieved January 25, 2015, from http://www.baconfire.com/Advanced-Smoke-Detection.html What is Mbps? (n.d.). Retrieved January 25, 2015, from http://www.verizon.com/home/fios-fastest- internet/?AID=10416649&PID=1785757&SID=ti38854877#plans?promotion_code=JUNCT/W 04&CMP=AFC-CJCON_002PZ2_005_014