Designing a Network for a Company - Case Study Example

Designing a network for a client due: Introduction With the advanced technology, today, network security has become a real problem. The security has been threatened by masquerading, which is the main problem of network infrastructure. Masquerading, in this case, refers to the attempt of deceiving a network infrastructure device about the true nature or identity of the messages sending to the device. The messages sent to the device pretend to be valid, while in real sense they are not. Masquerading can happen at any layer of a network. When done at the network layer, it is called network spoofing. Masquerading at the data link layer is called frame spoofing. The other challenge facing network security is hacking, which can be done from different sources. Most hacking is from the internet, where hackers target a particular network. A well-protected network should restrict access from outside since a computer from the outside cannot access a network infrastructure directly from outside. A proper design should cater for security measures to eliminate masquerading. A new design, for this reason, has to be introduced, which has additional features to enhance security (Wong & Yeung, 2009). Techniques such as NAT (Network Address Translation) should be used to deny access to the computers of a network from a remote computer. This makes it extremely hard to hack a network infrastructure from outside. The network infrastructure is at risk if one of its devices is compromised. Hacking from a device of the network infrastructure is much dangerous since passwords or authentication information about the network can be obtained with much ease. For instance, when a router is compromised, routing decisions can be influenced, and packet misrouting attacks can be launched easily from the compromised router. Hacking from a source close to the network infrastructure is extremely dangerous. Security measures such as installation of firewalls should be considered. Firewalls are installed to the boundary to protect the inside of a network (Wong & Yeung, 2009). A flat network design is much vulnerable to masquerading. In a flat network design, all the network infrastructure devices and end computers are connected together and do not have a clear boundary. This means when one computer is compromised, all the network infrastructure can be accessed by an attacker. When an end computer is attacked, all kinds of attacks can be launched on the network infrastructure the attacks include HSRP (Hot Standby Router Protocol), STP (Spanning Tree Protocol), and DHCP(Dynamic Host Configuration Protocol) attacks. The weakness of a flat network design is totally exposed when using Wi-Fi. This I because a wireless computer can become one of the inside computers when placed near a wireless network. Many WLANs (Wireless Local Area Network) allow connection without authentication requirements, making it even more vulnerable to attacks.in this case, such a network infrastructure can be hacked even without any compromise on the end computer of the targeted network. However, the accessibility is not possible from a remote computer due to its firewall protection. Another countermeasure to masquerading is use of authentication mechanisms such as OSPF, which makes masquerading difficulty (Wong & Yeung, 2009). Design of a secure network infrastructure model As it has been discussed above, flat network design is a poor infrastructure. The user, in this case, is interested in setting up a highly secure network since they are involved with defense contracting, who needs top-secret systems. For these reasons, a new, secure network infrastructure should have a network infrastructure separation and tiering. Project Objectives To set up a fully-fledged IT infrastructure, using the available equipment and applications already available in the organization by the end of the three years period. Within the period, the developed network infrastructure should be secure, functional, extensible and future-proof. A secure network should avoid the flat network infrastructure design and instead adopt a well elaborated and reliable network design. In achievement of this, the design should employ a network infrastructure separation and tiering. This technique will be of much importance especially if the infrastructure is running Spanning Tree Protocol (STP). This type of protocol is usually threatened by attacks due to its lack of authentication and its flat design. Two techniques will be used in this network infrastructure. The first technique is called BPDU (Bridge Protocol Data Units) Guard that performs end computer separation by edge Ethernet switches. The second technique called Root Guard, uses restriction of the reception of root information. For instance, if a port is enabled with Root Guard, it can no longer be a root port, or better still, the port never points to the direction of the root. This makes the STP network take the form of a hierarchy with the root switch at the top, followed by many tiers of switches. The Root Guard is enabled at the boundary ports to enforce the tier boundaries. The other approach, to enhancing security of the network infrastructure, would be to use ERS, which in a significant way solves the problem of masquerading. The ERS (Ethernet Routing Switch) design is feasible in practice and can be built by Linux computers running iptables. The effectiveness of the design has been proved from its previous usage. The design is also capable of working in a production network, like the one ISS (Infrastructure Support Services) intends to set up. Moreover, the ERS (Ethernet Routing Switch) design can be used in production devices. The other technique will be the separation of the end computers from the network infrastructure using the MAC (Mandatory access control) filtering technique. In most networks, today, the end computer is connected to a port on an Ethernet switch. This means the network interface card of such a computer can be used to send Ethernet frames. The sent frames of all the devices or computers are then connected to the switched network, which is basically a flat design and hence can easily be compromised. Attacks can, therefore, be launched from such a computer. ISS Company should instead adopt a new and secure network infrastructure model. This can be done by separating the end computers from the network infrastructure. This can be done by using MAC (Mandatory access control) addressing filtering technique. In this technique, new kind Ethernet switches called NI-Switches are used. The switches are used to connect the end computers or servers. In a switched network, the NI (National Instruments) -Switches will act as the edge switches. They are different from ordinary Ethernet switches. In this design, all the existing NI ((National Instruments) devices are compatible with the NI (National Instruments) -Switches and do not require any firmware modification. NAT (Network Address Translation) technique is another way of improving the network infrastructure. The technique restricts each end computer from falling in a single layer three subnet. The new network infrastructure should also be future proof. Since it is meant to provide IP-based services that are bandwidth intensive, the network should, therefore, be capable of supporting the high-speed data transmission rates. The network should provide future-proof solutions, in terms of the expected growth in bandwidth demand for the period of the three years. The network has proved to be economically viable, since the company has been operating it before. To meet the objective of being extensible, the network should be responsible for creation of an authentication method. The authentication scheme used should be negotiated by a remote access client and the authenticator which can either be the Remote Access Server or a RADIUS (Remote Authentication Dial-In User Service) server. Such a network will perform the task of authentication (Schmied & Shimonski, 2003). Project scope Component/task A fully- fledged network infrastructure should comprise of various hardware components if it is to operate properly. The network hardware components should include hardware devices such as routers and switches. The network should be less complex to allow easy security enhancement. For security, every device must be well evaluated to establish its unique strengths and vulnerabilities. Internet connections should be reduced and well controlled to reduce the number of threats on the internet. The threats can come from any physical location globally. In addition to the hardware components, software components will be required to complete the network. The hardware runs the software. The chief role of the software is to make the hardware easy to bypass. A lone locality designed for network purposes, ought to be built for network monitoring and the administrative control of systems with reason of network security. The centralization will let the administrator see a larger picture of the networks and make the appropriate actions on multiple systems or network resources when there is a suspected attack. A centralized area is known as the Network Operations Center (NOC). Use of a NOC makes it easier for detection of an attack, its development and allows a countermeasure. The main disadvantage with NOC is that it is expensive to install and maintain. NOC requires a great deal of support, which may be a challenge. Development and implementation of NOC are not enough, since it needs to be constantly evaluated and changed as required (Pastore & Dulaney, 2006). Function The chief role of the network is to provide smooth communication. For example, it gives a corporate wide e-mail structure to the people working in the company. It should, therefore, support a wide capacity for this function. The communication however needs to be constantly checked to avoid security breaches on the network. The employees should use the network to access corporate resources using multiple access methods, which include LAN (local area network), home, and travel. Common communication infrastructure is required to facilitate the company’s operations. Technology Using the already available equipment at the firm, it will only need to add new equipment, of the latest technology for the state-of-the-art network infrastructure required. Moreover, the network design should meet the expected standards of security, function ability, extensibility in addition to being future-proof. Time-frame The new network infrastructure is intended to be in operation within the three years as per the available budgeting. For this period, the network should be fully functional. This means the staff has to be trained before the design is complete so that when it comes to being, they will adopt it easily. This project is intended to start on May 2015 an end in May 2018. Within this period, the project will be fully integrated into the communications systems of the company. Project team The project is to be set out in Dallas. The personnel includes sales associates, engineers administrators and a team from the Military Security Agency. Out of scope The client needs to continuously check the network for security purposes. The client, therefore, needs some third-party software for this purpose. Some important tools for the client will include WEPCrack, which is an open tool used in the determination of the security of a network. The other software is AirSnort. The AirSnort checks the number of packets intercepted, and then decrypts a shared encryption key. However, to run this software, the client will need Linux system for the application to run. The applications need to be obtained from a third-party (Ogletree, 2004). The two applications, WEPCrack, and AirSnort, are meant to safeguard the network, especially at this era of advanced technology where use of devices to listen to wireless transmissions is no longer illegal. The tools are available to almost everyone, and should, therefore, be used to establish whether the network is as secure as the user thinks. The tools will help both the user and a hacker to gain access to the same intrusion applications. This means the hackers will have a chance to identify vulnerabilities of the network but the user will be ready for the attacks. The user is faced with experience difficulties in deciding who to trust due to threats of hackers. It is therefore recommended that the user uses the open-source applications to have an equal ground with the hackers. By searching the internet, the client can also get several other programs to use for security of his network. Possible solution Description-Alternative 1 Bandwidth and separate network rings and Web-acceleration tools are alternatives to network QoS. In this regard, they ensure performance of ERP systems on the network. To implement this, there are some decisions that have to be made. The first decision is that against all other alternatives, the cost-effectiveness of the method at the higher level has to be considered. It is most likely that the cost-effective solutions are the combinations of the available options. For example, addition of more bandwidth or a QoS (Quality of service), which enables the underlying network infrastructure to support the ERP system. The other consideration to be made is on a cost-effective solution involving a QoS. A critical decision has to be made on the selection of an appropriate QoS tools (Gutiérrez, 2007). The separate network counter rotating rings. The rings work by rotating in opposite directions. The second ring in most cases is uses as a standby ring. The ring may also be used as separate independent network. If a station fails, or if any of the cables are cut at one point, the two rings will be folded into one ring, which is twice as long, and full connectivity is, therefore, maintained. The rings also work by using a concentrator. When using a concentrator, the ring is employed as a star. Every station has a link in and there is also a link out from the concentrator. This means any number of failed stations or links can be bypassed. Concentrators can be linked together to improve the performance. A much more cable is needed to make the signal distance around the ring go up. The concentrator approach is naturally fitted by wiring closets around the building. Self-configuration is permitted through two classes of connections as discussed below. There is a class A connections that always have two physical layers. One of the layers is connected to a primary input and a primary output. The class A connection is usually required for attaching the FDDI (Fiber Distributed Data Interface) without a concentrator. In the class, A connection, there may be zero, one or two MAC (media access control) functions. A station having only one MAC can transmit on only one of the rings. The class A connections can also be used for concentrators, which do not necessarily have a MAC function. In a class B connection, on the other hand, there is a single physical layer and a single MAC function, all which can only attach to the ring through a concentrator. Such a fiber optic token ring provides a high-performance local network which is suitable for connection of mainframe computers to high-performance storage devices. The devices will also be connected each other and also to applications such as telephony and videos, which the Company is interested in setting up. Such a system have features that include, it is a fully distributed protocol which has no concept of a master station. The FDDI standard improves the reliability of the rings, and it uses 4 of 5 code instead of a Manchester code. In the FDDI, a timed token rotation priority scheme is used. This system is advantageous in that it makes very high data transmission rates and also has a high degree of robustness. The FDDI avoids the unnecessary variation in ring network standards. The token-passing protocol that is commonly used in the FDDI operates on the IEEE (The Institute of Electrical and Electronics Engineers) standard of 802.5. The FDDI operates at a transmission rate of 100 Mbps. The FDDI uses fiber optic transmission, which works best with a point-to-point configuration. The FDDI network is therefore highly reliable and fault-tolerant (Rajesh, 2002). Cost and benefits There are three main elements of cost associated with the FDDI and to the workstation. The first cost is of the FDDI concentrator port. The other cost is of the cable, and the third cost is of the FDDI network interface card (NIC), used in the workstation. For instance, the cost of 100m of a two pair fiber and connectors is approximately $ 242.57 including the installation labor. The fiber termination is more expensive than a twisted pair. The network interface card is approximately $ 6064.26. The cost of fiber-optic cable is high compared to costs of LAN technologies, such as the Ethernet. The price of the FDDI concentrator port is $ 68.99. The cable carries the highest cost, making it easier to run FDDI over other media like the twisted pair. This is because the FDDI has fault tolerance, with a dual fiber backbone, enabling it to run even when there is a severed optical cable. Network management is also easier when using FDDI. This is because of its inbuilt capabilities which include ring management, management information base, and frame services. The FDDI can serve long distances of up to 100 kilometers, making it more ideal for implementation of Metropolitan Area Networks (MANs). Benefits The FDDI uses the technology of token ring to transmit data at high speed of 100 Mbps. The speed is extremely faster as compared to the original Ethernet. It achieves such a high speed by using optical fibers that are interconnected by computers instead of copper cables. The features of the FDDI technology involve optical fibers that have an immanently lower error rate and attenuation levels. This allows a larger distance between the active stations of transmission. FDDI can serve up to a maximum of 500 stations, unlike the former token ring which runs by 4 Mbps or 16 Mbps. A token ring can only connect between 50 and 250 stations. FDDI can also operate in various transmission modes, necessary for multimedia data communication. It has both synchronous and asynchronous modes. The synchronous mode usually allows reservation of the bandwidth while the asynchronous mode behaves like the token ring protocol (Steinmetz & Nahrstedt, 2004). The FDDI is also highly secure. For a company like IIS, which is handling highly sensitive data, the FDDI should be the most reliable network to adopt. The fiber optics eliminates the problem of emissions of electromagnetic interference patterns common with copper-based medium. To tap into a fiber optic cable, the cable has to be precisely cut, or else the transmission will be impaired, and the line break detected (Piliouras, 2004). From the above-discussed benefits of the system, IIS as a company will accumulate many profits in monetary terms. This is because the system is far much faster, thereby enhancing faster transmission of data. The system is also highly secure. This means little or no repair charges will be involved. The company can go on operating without fear of infiltration into their data transmission systems by intruders. References Bender, M. (2009). MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration (exam# 70-642). Cengage Learning. Finke, J., Hartmann, D., Olsen, C., & Hartmann, D. (2012). Implementing Cisco Unified Communications Manager. Indianapolis, IN: Cisco Press. Gutiérrez, J. (2007). Business data communications and networking: A research perspective. Hershey, Pa: Idea Group Publishing. Pastore, M. A., & Dulaney, E. A. (2006). CompTIA security+ study guide. Indianapolis, Ind: Wiley. Piliouras, T. C. (2004). Network design: management and technical perspectives. CRC Press. Schmied, W., & Shimonski, R. (2003). MCSE training guide (70-293): Planning and maintaining a Windows server 2003 network infrastructure. Indianapolis, IN: Pearson Certification. Steinmetz, R., & Nahrstedt, K. (2004). Multimedia systems. Berlin [u.a.: Springer. Wong, A., & Yeung, A. (2009). Network infrastructure security. New York: Springer. Read More