Network Environment Management - Report Example

Executive Summary The industrial report will provide a proposed solution that will incorporate network architecture. The previously highlighted issues including accessibility issues for the travelling sales team, as they have to travel to customer premises and store data on the laptop. My incorporating UMTS solution, the sales team is able to connect to the organization’s Virtual network by passing a security check. In this way, there is low risk of data to be stolen or crash. Moreover, for different type of users on the network including managing directors, Managers, Engineers, Finance staff, Sales staff and secretaries, different type of access is required. For instance, finance data must be protected and only be accessible to the finance staff. For this purpose, an authentication mechanism i.e. Microsoft Active Directory is implemented. Microsoft Active directory will enable West Products to centralize data in one location and facilitate in audit functions. Moreover, for protecting unauthorized access, audit trails, user account logs are generated. For security aspect, active directory restricts the user from windows components, data sources, and the Internet. To add extra layer for protecting unauthorized access by the internal as well as external employees, Virtual LAN is implemented. The VLAN will divide the departments logically by separate addresses. For instance, Finance department data will not be intermixed with Sales data. For redundant Internet connections, Service Level Agreement (SLA) is established with Internet Service Provider. 2 Introduction The computer networks involved thousands of elements, a variety of devices and protocols, including interactions and relationships between components therefore enhanced network management for large scale systems has developed. In addition, the network has to fully informative and must contain effective management tools in order to make sure efficient and trouble free operations. Now days, non-integrated tools are used for the usual enterprise wide network management. These tools provides incomplete and limited outlook of the network and the management necessities. For this reason, significant problems arise that effect the management techniques. There is a requirement for a Network Management, Analysis and Testing Environment for achieving unified and inclusive software environment that helps to supervise and orchestrate the operations of the devices and protocols within the network management systems. The network management environment management represents the tools that provide knowledge regarding the management techniques. Moreover, effective deployment of the model resolves various network difficulties. The functional behavior of the network objects are confined and distributed equally. For instance, the distribution process and maintenance of data structures via multiple switches and network controls are involved in a virtual-circuit X.25 network. These distributed objects are significantly examined by the individual devices. Therefore, essential data must be handled by this model facility. Likewise, in a multi layered protocol, the behaviors of the network objects and the behavior of an individual layer are extremely correlated. For instance, a telnet session highly depends on the transport-layer (TCP) and network-layer (IP) functions in TCP/IP protocol suite. As a result, the network level connections failure may lead to the failure in the upper layers. This is represented by the network model as the interpretation of correlated behaviors. On the contrary, the statically configurations do not capture all the correlated behavior changes as, much correlation are the result of the vibrant interactions between the objects. 3 Proposed Solution for West Products The proposed solution for West products requires a synchronized active directory services along with all the 3 branches including the head office. As shown in fig 1.1, the branches are equipped with an active directory site that is synchronized with all the other sites and the domain controller located at the head office. For connecting the sales team with West Products network, the UMTS connectivity is illustrated in the above diagram. For a proposed network solution that will incorporate Active directory, network devices, network cables, VPN, future considerations, security, installation of specialized software, FQDN structure and inter-site connectivity, solution is comprehensively demonstrated below: Figure 1.1 3.1 Design of the Network The network design will be based on Windows 2008 Active Directory architecture and the organization named as West products comprises of three offices distributed around the West of England, including the Head Office, as shown in fig 1.1. For synchronizing networks on all the remote sites including the head office, the resources need to be distributed across the organization and the offices need to be inter-connected. The headquarters need to organize all the resources that are circulated all over the three branches within the West of England. The point to point Ethernet connectivity connecting the countries located within the local jurisdictions. This technique was proposed in order to resolve this issue. In addition, minimal cost is needed in order to implement this method and permission is needed from the internet service provider (ISP). The maintenance responsibility is managed by the internet service providers (ISP). The networks are less difficult by implementing this technique and thus allow the local area network (LAN) and the site links to be managed by others. On the network, a leased line is installed for each and every website in order to obtain access by the entire staff member. By sub netting of the work place the local traffic is minimized although, all resources are still available from any sites. The internal and the external threats are controlled by utilizing hardware firewall on the global router at the root site. But by placing additional domain controllers on each and every site thus making the site independent, the risk of site link failure can be minimized. If the file server turns offline without any reason, the offline files are accessible to the other online sites. For this reason, the sites are made independent and do not require any extra file servers on site with every other site. For the additional servers, the company must form a huge network but for these types of networks there is no need for any other additional servers. Moreover, a switch is given at each site that helps to connect the hosts to the network if needed. For accessing any branch, separate routers are proposed that connects these three branches separately with each other on the network. Likewise, a brand new networking is required by these three branches. For this reason, CAT7 cablings are used for all the horizontal cables and patch panels similarly; CAT6 patches escorts to the endpoints and switches. These deployments are sufficient because all the network cards that are present on the endpoints are only 1 GB however; the CAT7 is backwards and compatible with CAT6. For faster and better output, the LI replaces the switches and endpoints that are based on old technology. Although, it is not necessary to replace the previous technology with the new one as anything over 10 GB does not require this. In order to save a particular amount of money and effort, the infrastructure will move to 10 GB+ with all the horizontal cables and patch panels cabled to CAT7 standard. The TIA-568B pin outs are the terminated standards that are connectors. To access the network, the sales team of West Products requires UMTS access that provides remote connectivity regardless of their locations. The connectivity of UMTS network is provided by the GSM provider, as illustrated in Fig 1.1. 3.1.1 Shared Folders and Permissions The files that are shared on the root file server will add a layer of risk while using that server. In order to reduce the risk, a folder structure is created that share the high level of DATA. Moreover, subfolders are created for the entire four sites (as the root site has no user in it or any data). In fact, these sites are further divided into Management, IT and General. Now at this level the permission may be allowed or denied for the access. In addition, the folders are made secured with the help of Active Directory by simple NTFS permissions (read, read and write, change). This will allows the users or the community to obtain access control list allowing the customers to view the folders. The root folders are initially allows the users to utilize read and write access as, this feature is embedded in this folder. In Active Directory, this can be setup as a distributed fie system root for all the clients in the organizations. In the headquarter branches the HQ folders are still available for all the users of LI. The permission that allows reading and writing of the folders and sub-folders are already intact on the high level DATA folder. On the contrary, permission will be allowed only to the clients for the correct sites within the departmental folders under departmental security group. These folders contain redirected information for the user’s home folder from client’s workstation. In addition, these folders are secured mechanically due to the customers directions and the data is only available for the specific users in order to keep it confidential. The offline files can be obtained on the client’s home folders and on the research folders. This strategy can be helpful if the online sites are failed because the users still need to work on the cache copy of the files waiting till the link works again. The data that is present into the folders will automatically allow the research folders to gain access in order to share the research data. The security groups utilize the structure and permissions format for each and every site in order to prevent or deny access. 3.1.2 Organizational Units The unsurpassed methods for systemizing users, workstations and other data objects into more logical layout are OUs in AD. In fact, the HO.ORG consist a root OU with the 2 sub networks based in West England. These sub networks allows LI to deal out with users for easy viewing and administration network resources that are present worldwide. However, there are several groups and organizations that have similar names and are present in the AD tree. But this is not an issue because the Active Directory utilizes fully specified names along with the object references. Figure 1.3 Moreover, the organizational units (OU) can be further segmented in to resource OU’s for a convenient organization and delegation of administration configurations. All the three branches have their separate OU that is utilized for local administration matters. Moreover, the workstations located in each branch are allocated in the respective branches associated with LI workstation OU that is nested in the branch nested OU. Likewise, OU’s are structured to grant access to different levels of administrative controls for individual departments of West Products controlling their internal employees. For instance, IT manager has been delegated rights to allow the finance department for viewing billing and payroll information on the Group OU, as users are allocated to one of the groups and the granted permission to the finance department for viewing the files will be applicable to all child objects in that particular OU. Moreover, password delegation change control along with other localized administration tasks can be granted to employees located at each branch of West Products in the West of England, as this will enable administrative permissions precise for the resources that are only associated with the same group. Establishing individual sites facilitate WEST PRODUCTS to limit the traffic created by replication processes and during scheduled backups; load is also reduced on WAN links. As we have altogether 3 branches including the head office, the root site is the head office that is located in the West of England, as shown in Fig 1.3 4 Configuring SSL VPN Connectivity For ensuring security, confidentiality and integrity controls are inherent for the VPN solution based on Windows server 2008 R2. Likewise, users have to provide credentials for authenticating to the virtual private network connected to the head office as well as the two remote branches of West Products. These users will be configured as the members of the active directory domain. However, for achieving SSL VPN connectivity, Network Policy Server (NPS) along with default account user permissions is utilized that will grant remote access aligned with NPS policy. In spite of configuring NPS server, the user’s dial-in permission is manually configured. However, to do so, a series of steps is required for activating dial-in permission on the user accounts i.e. users available at the head office, branch 1 and branch 2, as all of these sites must be connected together via SSL VPN server. For configuring dial-in access on the default administration account on the domain, the ‘Active Directory Users and Computers console’ will be accessed from the ‘Administrative Tools Menu’. At the left side of the console, the domain name is expanded and ‘Users Node’ is accessed. After accessing it, ‘Administration Account’ is accessed. The next sub option available is ‘Dial-in’ tab. The default setting in Windows server 2008 R2 is Control Access via NPS Network Policy. As mentioned earlier about the absence of NPS server, the settings will be configured as ‘Allow Access’. The next part of the scenario is the VPN client. For setting up the VPN client, the first step is to configure the Hosts file for simulating a publicly available DNS infrastructure. Likewise, two names must be configured in the host files that will also be utilized for publicly available DNS server. The first name that will be configured is the name of the VPN server that is bound and identical to the SSL VPN Server. Moreover, the second name will be the host file along with the publicly available DNS server located on the certificate. For instance, the two names that will be configured on the Host files will be: 192.168.0.60 sstp.westpmsfirewall.org 192.168.0.60 win2008rc0-dc.westpmsfirewall.org For connecting via Point to Point Tunneling Protocol (PPTP), there is a requirement of configuring a VPN connection to connect a VPN server located at the head office on anyone of the workstations located at the head office, branch 1 and branch 2 of West products premises. As the VPN client is already a domain member, the Certificate authority certificate will be at the default location i.e. installed at the Trusted Root Certificate Authorities machine certificate store and auto enrollment will be initiated. 4.1 UMTS VPN Connectivity for Remote Sales Team For configuring UMTS based VPN connectivity for the mobile sales team of West Products, LANCOM UMTS router and LANCOM VPN remote device will be utilized. Likewise, these devices will be updated to the latest firmware and supporting tools. The primary configuration of this setup will be initiated by configuring the VPN via ‘LANconfig Setup Wizard’. However, there are certain challenges that need to be addressed. For instance, some service providers can block IPsec over UMTS and it can be tackled with negotiating with the ISP to enable access for IPsec over UMTS. The next challenge will be the local IP address, as the Internet connection is a masked connection. To overcome this issue, the connectivity will only be established by the UMTS router along with a request for a global IP address from the ISP and configure the UMTS router with Aggressive mode connection utilizing NAT traversal. Furthermore, the configuration of the LANCOM device will utilize a setup wizard for connecting two local area networks. Within the configuration of the device, the exchange on both the routers should be on the aggressive mode. The next part will follow a remote identity for the connection in order to identity the UMTS based connectivity for servers and clients. Therefore, the local identity located on the router must adhere to the remote identity of the router. After carrying out these essential configurations, the UMTS based VPN server is ready for accepting identical remote access connections from the remote sales team for West Products. 4.2 Network Switch In the local area network, switches are responsible for packet distribution. In order to achieve fast functionalities related to the internet, virtual learning applications, audio and video broadcasting Ethernet switches are needed. These requirements are fulfilled by the Cisco Catalyst 3750 v2 series switches. 4.2.1 Cisco Catalyst 3750 This is the OSI layer 3 stackable switch that supports the energy enhancement factors. The Cisco Catalyst 3750 switch supports the Cisco Energy Wise technology that helps to manage power utilized by the networks. While reducing the power the Cisco Energy Wise technology also cut down the cost and carbon foot prints. Moreover, modern technology that is introduced is the ‘Cisco Energy Wise’ orchestrator that provides the power management solutions to the information systems. It fulfills the energy requirements of the Power over Ethernet (POE) devices and expand the power management toward the workstations and laptops ( ‘Cisco Energy Wise’ Technology - Cisco Systems). 4.2.2 Enhanced Features The improved features of the Cisco catalyst 3750 v2 series switch are that they are perfect for isolated sites environment and also enhances the productivity and utilizes less power for the local area network. In addition to it the network investment is protected with the help of unified network data, video and audio streaming. The two software are supported by the switches called as the input and output systems (IOS). The initial Internet Protocol IOS consist of improved quality of services (QoS), frame rate limiting, access control list (ACL), Open Shortest Path First (OSPF). The routing functionalities and IP v6 supports the future IP v6 matched network devices. The last IOS includes hardware based Internet Protocol Unicast, Internet Protocol Multicast routing and policy based routing (PBR) and thus supports the project networks ( Cisco Catalyst 3750 Series Switches - Products & Services - Cisco Systems ). 5 Specialized Software Installation Active directory is an essential component which provides efficient and effective network administration. As per ‘www.pcmag.com it is defined as “An advanced, hierarchical directory service that comes with Windows servers”. The first step is to prepare a domain. Active directory functions on the domain. The domain name for the organization will be ‘www.abc.com’. Single domain model will be adopted as a forest root domain. After creating the domain, DNS configuration is required and what type of DNS version to be used; the names used for the domains, servers, and services in Active Directory; and the names of the forests and the forest root domains. The trust plan is also required which parallels the creation of the forest and domain plans, outlines any manually created trusts, the direction of the trusts, and the rationale for them. Trusts can be imple­mented for reasons of performance enhancement within a single forest or to allow access to resources between separate forests. 5.1 User And Group Creation 30 users are created with five groups in the active directory. Each user is assigned membership of the following groups. Group 1 named as “MD/ Managers Group” Group 2 named as “Engineers Group” Group 3 named as “Sales Group” Group 4 named as “Finance Group” Group 5 named as “Secretariat Group” 5.2 Limited Access For limiting access to the sales and all the remaining staff, Configuration will be conducted in the “Active directory users and computers” console. Click Start menu?Administrative Tools, ? Active Directory Users and Computers. In the console, click user account Right-click the user accounts, and then click Properties. Click Account and then click Logon Hours. Click All to select all available times, and then click Logon Denied. Select the time blocks as per the requirements to allow the specific user to log on to the domain, and then click Logon Permitted. A status line provides the options to edit logon times including days of the week, and timings. 5.3 User Login Restriction Active Directory Users and Computers?Properties?Accounts Click the logon workstations dialog box by clicking the Log On To tab. Enter the name of a required workstation. Click Add. Replicate this procedure to identify additional workstations as per the organizations requirements. 5.4 User Restriction on Workstation User restriction is possible by applying group policy capabilities in Windows 2003 Domain; Users can be prevented from logging on to different domains rather than their home domain. In the target domain new ‘domain wide group policy object’ is created and activates by activating “Deny logon locally" to the resource of domain user accounts. The check should be enabled for the option “Deny logon locally”  5.5 Configuring mandatory file access Mandatory file access is implemented by configuring the User's Environment Settings. Active Directory Users and Computers? User's Properties ? Profile tab. Click option named as local path. Insert the path to the home directory in the related field. Example C:\ westproducts\ %UserName%. 5.6 Password Policy The password policy will be applied in the Active directory users and computers console. These five elements related to password policy apply on each user created. Enforce password history, (As per organization requirement) Maximum password age, (Maximum 30 days) Minimum password age, (As per organization requirement) Minimum password length (10 Characters) Passwords must meet complexity requirements (As per organization requirement) 5.7 Account Lockout Policy Access the group policy console which is required for account lockout configuration. On the right hand side expand the security options?expand computer configurations? select Windows settings ? click security settings? click local Policies? select security options. By double clicking properties of automatically log off users when login time expires opens a dialog for defining policy. Clicks define this policy setting and click on enabled tab. In this way policy restriction which enforces for logon hours is activated. 5.8 File Server 5.8.1 Drive Mapping To create a network home directory, Active Directory Users and Computers ?Properties?Profile tab. Click Connect option? and choose a drive letter for the home directory. Universal Naming Convention (UNC) notation will be used to type the complete path to the home directory using the, such as: \\ westproducts\USER_DIRS\ %UserName%. The server name is mandatory to mention in the drive path to ensure that the user can access the directory from any computer within the domain. 5.8.2 Access rights on a Shared Folders The department’s shared folder requires read and write access. Right click on the folder ? Properties?Security. Select everyone in user data properties and select read and write from permissions panel for the specific folder. The long term and short term group will be added in user data properties by selecting read from the permission panel for the folder named as ‘Sales2011’.Managers from each department will be added specifically as users against all employees are created in the active directory. Users (representing as managers of the department) will be added to the user data properties and full writes including read, write and delete will be granted from the security panel. 5.9 Intranet 5.9.1 Welcome Page For creating a domain logon script ‘start.exe command is executed. It creates a file named as ‘logon.bat’ which contains the commands that the user wants to execute. Two new file are created named as ‘contentsfile.bat’ to call the logon.bat file. These both files are placed in the ‘Netlogon’ share on the domain controllers. For configuring the ‘Netlogon’ click Active Directory Users and Computers ? Microsoft Management Console (MMC)?configure user to configure ‘Netlogon’ scripts. 5.9.2 Virtual directory A Virtual Directory is a separate directory including a web site that links to another directory. This link can be to directory on the local server or network share. For changing access levels on virtual directories, following steps are used (Assuming that Internet Information Services (IIS) is installed previously). The explanation is in bulleted points for step by step illustration of the process. Click on the directory or web site whose permission you want to change. While highlighted right click and choose Properties from the drop down menu. Choose the Directory Security tab. From within the Password Authentication Group choose Edit. Check the Authentication setting you want. Click OK. 5.9.3 Virtual directory Permissions Log on to RMS client as local administrator. Open Registry Editor. Create a new registry key named DecommissionunderHKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM Under the Decommission registry key, add a new String Value entry, replacing your-license-server with the name of the RMS cluster used for licensing: https:// westproducts /_wmcs/licensing Double-click the new registry entry, type  http://your- westproducts _wmcs/decommission, and then click OK. 5.10 Group Policy The rules applied on an object effects on each user who is a member of that group. The configuration will be conducted on the domain controller by execute the ‘Group policy’ console. On the left column, click ?User configuration?Administrative Templates ?Start menu and Taskbar. On the right side administrative templates will appear. Select the template ‘Remove run menu from start menu’ and Disable Add/ Remove Programs ? Properties ? select disabled from the settings tab. 5.11 Test plan Run the command from the start menu ? Run ? Dcdiag.exe This command illustrates the statistics of successful active directory implementation, connectivity and efficiency. The result of this test must quote “Test Passed”. 6 FQDN Structure for West Products Figure 1.2 7 West Products Inter-site Connectivity Figure 1.3 8 Security Microsoft active directory is not primarily a security control, as it does not mitigate any risks associated with viruses, worms, Trojans, phishing, spam, denial of service attacks etc. however, it provides a secure administration of user profiles and File sharing features. File sharing threats are spreading on a rapid pace, as every now and then, new file sharing technologies are getting being developed and in demand. Controls will not only provide value from all network based services, but will also augment productivity for the organization in terms of revenue, customer loyalty and competitive advantage. Workgroup based environment is not centralized. For instance, users can only login, if they have account created on that specific computer. As far as security is concerned, there are no passwords, resulting in anyone to log on the network. Moreover, workgroup only recognize twenty to twenty five computers that are on the same subnet. For instance, we have application servers that are on the different subnet, users will not be able to access applications, as they are configured on a different subnet. On the other hand, Domain based environment provides centralized administration and access for users. All staff has to enter user credentials, in order to identify themselves on the network before doing any work. Moreover, computers with different subnet are supported and thousands of computers can be connected on the domain based environment. For instance, if a computer stops responding, employees or users can log on from some other computer and no work is halted. Therefore, Domain based network environments are more effective and are compatible to the current network scenario. Moreover, if security auditing features are enabled, user activity and system logs are saved and monitored. Likewise, the lightweight directory access protocol ensures encryption all the way from the domain controller to the workstations via Kerberos. However, network or system security specialist will not be able to monitor, analyze or examine threats from a domain environment. Active directory prevents unauthorized access because users have to provide login credentials for accessing personal file settings, data and customized permitted objects in the operating system. 8.1 Consideration Internet Security and Acceleration Server The ISA server that can be considered as a firewall and a proxy server as well due to support of cache management functions. As per the current scenario, if we assume that West Products network already has an operational firewall, it means that the suspicious packets are handled by the firewall, as it is separately installed. The ISA server is only implemented to enable access management to different services associated with Internet, file sharing etc. ISA server will only prevent unauthorized access to different network services, for example, Internet access. We have covered two logical controls in the current network scenario up till now. The third security control that we have identified is a hardware based firewall. The firewall operates on chain of rules that are defined by the security specialist, consultant or a vendor. The configuration is carried out for restricting or dropping unwanted packets and suspicious packets. However, legitimate packets are allowed for entering tin the network. The firewall only operates on rules and if any suspicious packet hides itself within other packet may enter in the network. Logical vulnerabilities in this current scenario include no additional security controls on firewall, critical servers, and network devices. If any suspicious packet bypasses the firewall, there are no mechanisms to track and monitor the probe of a hacker trying to breach into the core systems. Moreover, if all the three branches of West Product are not protected, this concludes that only Network address translation (NAT) is the only logical security control, whose main purpose is to hide private IP addresses of the local area network and relay the traffic via a global IP address. Suppose, if a threat bypasses a firewall that is located at the head office, there is a high probability and risk that the data residing at all the three branches will be at risk of a security breach. Moreover, if any employee or personnel plugs in the suspicious USB drive in one of the system, there is no mechanism or tools to monitor internal network threats, as it has been proved that internal threats are relatively more probable than external threats. Furthermore, there are no tools for demonstrating events and alerts associated with violation logs. In addition, there are no logical controls linked with the database, as SQL injection techniques have proven to exploit data from the database. Furthermore, for logical vulnerability there is an absence of Virtual local area networks. VLAN’s provide adequate security, “Virtual LAN (VLAN) refers to a logical network in which a group of devices on one or more LANs that are con?gured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical, instead of physical, connections, they are very ?exible for user/host management, bandwidth allocation and resource optimization” (Virtual LAN. 2007). VLAN’s separates traffic for each department an also prevent denial of service attacks and unwanted traffic broadcast that may result in network congestion and degradation of network services. 8.2 Internal and Physical Security The internal security is associated with adequate protection from internal threats i.e. humans. It has been evaluated that organizations emphasize only on physical and logical security and often skips adequate protection of internal human controls from threats such as unauthorized access, theft, espionage etc. In the current scenario, there are no security controls addressing human security. Likewise, theft of any critical hardware or software component is easy, as there are no biometric systems available in the premises. Biometric identification systems are considered to be the best physical security control till date. Moreover, there is no surveillance cameras installed on critical locations, as they prevent physical theft of systems as well as identify disasters. For instance, if fire occurs due to any short circuit in one of the critical information assets, it can be controlled in an early stage. However, sensors, water sprinklers and fire extinguishers are considered to be ideal controls in this scenario. 8.3 Intrusion detection system An intrusion detection system is required for continuously monitor threats and vulnerabilities within the West Products network. IDS/IPS derived from the traditional security appliances and is defined as “Intrusion detection system (IDS) is a type of security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions and misuse” (Intrusion Detection System. 2007). References , Active Directory Definition from PC Magazine Encyclopedia . Available: http://www.pcmag.com/encyclopedia_term/0,1237,t=Active+Directory&i=37454,00.asp [8/10/2012, 2012]. , Compare Unified Communications Products - Cisco Systems . Available: http://www.cisco.com/en/US/products/sw/voicesw/products_category_buyers_guide.html [8/10/2012, 2012]. Intrusion Detection System. 2007. Network Dictionary, , pp. 258-258.WALLACE, K.n.d, Implementing Cisco Unified Communications Voice over IP and QoS (Cvoice) Foundation Learning Guide: (CCNP Voice CVoice 642-437) (4th Edition) (Foundation Learning Guides) Cisco Press. Virtual LAN. 2007. Network Dictionary, , pp. 515-515. Read More