Secure Network Solution For Tyrell Corporation


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract

This project report discusses a network design for a small and medium-sized business named Tyrell Corporation. The intent of the design is to provide a solution for the company, which is moving to a new location. The design therefore has to evaluate the existing network and adapt its topology to the newly arising design goals: a new physical topology, scalability, network services for mobile users, and placement of the logical workgroups to accommodate the space and distance constraints of the new facilities. These issues are addressed by taking a modular design approach, buying high-capability network devices and laying a high-speed cabling infrastructure that carries signals without interruption. In addition, this report discusses network security policies, strategies and plans for network and performance monitoring and maintenance, and potential risks, and proposes a disaster management and contingency plan.


1. Introduction

For any network design, or any complex network problem, it is always good to follow a structured approach. Established network design models support such an approach. Following a network design model not only makes the design process much easier but also gives the resulting design a number of benefits, including:

Scalability

High performance

Redundancy and high availability

Low cost

Easy to manage and maintain

High security

For this particular design the Cisco hierarchical network design model is used. This model breaks the complex problem of network design into smaller, more manageable problems. Each level, or tier, in the hierarchy addresses a different set of problems, which helps the designer optimize network hardware and software to perform specific roles. For example, devices at the lowest tier are optimized to accept traffic into the network and pass it to the higher layers. Cisco offers a three-tier hierarchy as its preferred approach to network design.

In the three-layer network design model, network devices and links are grouped into three layers:

Core

Distribution

Access

Layered models are useful because they facilitate modularity. Devices at each layer have similar and well-defined functions. This allows administrators to easily add, replace, and remove individual pieces of the network. This kind of flexibility and adaptability makes a hierarchical network design highly scalable.

2. Scenario

Tyrell Corporation is a small and medium-sized company that has bought a new site for its main base of operations and intends to move there soon. The company comprises 250 employees and has no branch offices.

The new site is located on the banks of river Avon and consists of two buildings. The first of the two buildings, Nexus, has two floors. The first (ground) floor is intended to house a visitor’s center, offering a cafeteria, a conference room and a showroom. Wireless access should be available to the visitors. The second floor of the Nexus building contains a number of offices and is intended to house the management, human resources and sales departments. This floor has more office space than currently required by those three departments.

The second building, Operandi, is a three-storey building located about 120 meters away from Nexus. The two buildings are separated by the company's privately owned car park. As the company is very security conscious, access to the Operandi building is for authorized company personnel only. The IT facilities office and server rooms are located on the first (ground) floor. The rest of the space in the building is to be used as office space by the company's remaining six departments (finance, research and development, engineering, design, legal and marketing). Despite this building having an extra floor, there is not enough space for all of the employees of those departments.

The company owns some land nearby and, assuming the company keeps on expanding and the funds needed can be found, intends to build an additional building there at some point in the future (in a few years maybe).

2.1 Assumptions

The following assumptions are made for the scenario, since these details have not been given.

Number of users per department

Department                 Building   Users
Management                 Nexus      10
HR                         Nexus      10
Sales                      Nexus      60
IT                         Operandi   10
Finance                    Operandi   30
Research and Development   Operandi   10
Engineering                Operandi   30
Design                     Operandi   30
Legal                      Operandi   5
Marketing                  Operandi   55

As per the scenario, class C address ranges have been chosen; the following ranges are used: 192.168.1.0/24 and 192.168.2.0/24.

The following public address ranges are used: 200.165.240.244/30 and 200.165.240.240/30.

The following servers are available

Server                                                          Authorized users
File and Mail server                                            All
Engineering application server and Design application server    Engineering, Design, Research and Development, Managers, IT
Sales and Marketing server                                      Sales, Marketing, Managers, IT
Web server                                                      Outside users, IT
Domain Controller and DNS server                                IT and Managers

Future growth of 10% of users is expected in all departments.

The assumed floor plans are as follows, with some modifications to the floors according to the design.

[Figure: Nexus – Ground floor] [Figure: Nexus – First floor]

[Figure: Operandi – Ground floor] [Figure: Operandi – First floor]

[Figure: Operandi – Second floor]

Hardware availability

Eight 48-port network switches are used in the current network. These switches provide VLAN capabilities, fiber modules, Fast Ethernet auto-MDIX switch ports, full-duplex connectivity, IEEE spanning tree standards, link aggregation technologies and advanced security features.

There is an edge router with two WAN interface cards that support several WAN protocols, in addition to full-duplex Fast Ethernet ports and advanced security features.

The company has an existing wireless access point that can be used for the design.

3. Design Approach

3.1 Requirement gathering process

As per the scenario, the company is moving to a new location. Requirement gathering for the design started with evaluating the current network topology. The evaluation showed that the current topology is neither modular nor hierarchical, so the network cannot easily be scaled for future needs. The solution is to redesign the physical and logical network topology. Since the company has clearly stated that it owns extra land nearby, is willing to expand its business and expects 10% growth in users, scalability has become a top requirement for this design.

The current location is limited to one building, so the logical groups within the network have been limited to a single building. The new site has two buildings, and the logical network groups are spread across both of them. In addition, there is a considerable distance (120 m) between the buildings. Redefining the physical and logical network topology and laying a new cabling infrastructure are therefore further requirements.

Since the placement of the users, the IP addressing scheme, the server locations and the network topology will all change, a new access policy and security policy have to be put in place when designing the network.

For the network to be more productive and meet the business needs of the company, it has to be optimized with current network technologies so that it can deliver the demanding data and other services expected from it.

Link aggregation, high-speed layer 3 switching, redundancy and a gigabit Ethernet network infrastructure are some of these. To achieve such a design goal, new devices such as multilayer switches and fiber-Ethernet-capable devices have to be purchased.

3.2 Design process and presentation

As mentioned in the introduction, the design follows the hierarchical network design approach. The design begins with the access layer, where enough network switches have to be deployed to cater for the end users. Given the current number of users and the expected growth, a port density of about 500 is needed for end users alone. To be economical, the existing 48-port switches can be used in the design, and to cover future growth the company should buy another three switches of the same model, since these switches provide all the features the design expects.

According to the model there are two further layers, the distribution layer and the core layer. The purpose of the distribution layer is to aggregate the access layer switches and provide services to them. In addition, the distribution layer connects the access layer to the core layer, where high-speed switching and the server farms are located. The core is considered the backbone of the network. The logical network topology will therefore look like this:

[Figure: three-layer logical network topology]

This design is somewhat costly because of the number of multilayer switches used and the cabling infrastructure. Considering redundancy and the physical topology of the network, the design can use two multilayer switches: one switch can cater for one building and the other switch for the other building, with redundancy and load balancing enabled between them. The main reason for setting up a core layer is to aggregate the distribution layer when it becomes unmanageable. In this design there are only two distribution layer switches, which remain manageable. To be economical and manageable, the following design can be derived:

[Figure: design with two distribution layer switches and no separate core layer]

3.3 Choosing a cabling infrastructure

The ultimate purpose of a network is to provide application layer communication, and there are many applications communicating over the network. Since applications such as the Engineering and Design applications require high-speed communication and consume more bandwidth, fiber cabling is deployed between the servers and the distribution layer switches and also between the access layer switches and the distribution layer switches. For the communication between users and access switches, UTP cabling is used.

3.4 Features and Benefits

Scalability – A design like the one above scales well, meaning more devices can be added easily. For instance, if the business expands and more stations are required, a network switch can simply be added to the access layer and connected to a distribution layer switch without hurting the performance of the network, while preserving the design goals. Even though scaling increases the number of devices, the design does not become more complex. More IP subnets can also be added to the network at the distribution layer. And if the distribution layer grows and becomes unmanageable for this design, a core layer switch can be added.

Redundancy – Since the access layer switches have four fiber modules, four fiber links can be run towards the distribution layer switches. If one fiber fails, spanning tree protocol automatically fails the link over to another link. Likewise, if a distribution layer switch fails, redundancy protocols such as HSRP, VRRP and STP let end users keep communicating through the network with only a few seconds of downtime. Thus smooth operation and enhanced performance can be achieved. (CISCO, 2009), (Packetlife, 2012)

Performance – The higher the layer, the higher the data requirements and the bandwidth overhead on the links. With this model, link aggregation protocols can be implemented easily, for instance between distribution layer switches, between core layer switches or between the three layers. Performance can also be enhanced by manipulating the spanning tree root bridge election so that the root sits at a higher layer such as the distribution layer. Implementing subnets and VLANs at the distribution layer makes broadcast domains simpler and smaller. All of these have a positive effect on network performance.

Security – With a modular approach, security policies can easily be implemented per layer. This means access layer security features such as port security and port authentication can be applied at the access layer. Attacks coming from inside the network, such as DHCP spoofing and MAC address flooding, can be prevented by implementing security policies at the access and distribution layers, and the spanning tree topology can be made more secure. At the distribution layer, access to other network resources can be controlled with access control lists and isolated VLANs. With this modular approach, different security policies can be implemented effectively at different places. (Microsoft, 2013)

Manageability – Consistency between switches at each level makes management easier, and deploying network cabling is much easier because of this modular approach. Access layer switch racks can be placed close to the employees of the individual departments in the two buildings, while the distribution layer switches that aggregate the access layer can be placed in separate racks. Routers and server farms can be situated in their own racks. In a disaster situation this arrangement is very helpful, as the physical location of the devices can be easily documented and mapped.

Maintainability – With this layered approach everything is separated and can be traced easily, and changes can be made without excessive complication. For instance, there is a space shortage in the Operandi building, so a few stations can be moved to Nexus, where more space is available, and added to the access layer switches of Nexus.

3.5 Wireless Planning and designing

As per the company requirement, wireless access is provided to visitors. By using a strong access point with a longer range, wireless access can be provided to the whole floor of Nexus as an added service, so the conference room also has instant access to the network. The wireless access point is placed at the center of the ground floor of Nexus and connected to the access layer switch on floor 1 of the Nexus building. No security has been implemented for wireless users, but their access to internal resources is restricted.

4. Technical Approach

4.1 Physical Topology

Access layer switches will be placed in racks on the walls of the floors of the buildings. Each rack will have one fiber patch panel and one UTP patch panel. Every access switch has four fiber modules, so four fiber links go out from each access switch towards the distribution layer switches located in the server room. These fiber links are bundled into two EtherChannels, one for each distribution layer switch. The fiber cables used are OM4 (50/125) multi-mode fibers. The fibers terminate at the patch panel of the switch rack in the server room. (CISCO, 2004)

Two distribution layer switches have to be purchased. These will be placed in a switch rack located in the server room. A UTP cable will run from each switch to a Fast Ethernet interface of the router.

The servers are connected to the distribution layer switches via fiber network cards.

4.2 Device Specifications

For the access layer switches the following features are required:

Fast Ethernet auto Mdix switch ports

Fiber modules with multi mode signaling support

802.1Q VLAN deployment

RPVST support

Link aggregation Protocols

SSH

Port security

Full duplex Ethernet ports

Port density – 48

To fulfil these requirements, Cisco Catalyst 2960S-48FPS-L switches are used. There will be 11 such switches in the design, and 44 multi-mode SFP converters also have to be purchased. (CISCO, 2011)

For the distribution layer the following features are required:

Fiber module support line cards

Fast Ethernet ports

802.1Q VLAN deployment

RPVST support

Link aggregation protocols

SSH

Layer 3 switching capability

Port security

Gateway redundancy protocols

To fulfil these requirements, two Cisco Catalyst 6503 switches with four 16-port GBIC modules have to be purchased. (CISCO, 2002)

The existing router can be used with its firewall features enabled.

4.3 IP addressing Scheme

When planning the IP addressing scheme, the future growth and expansion of the company are considered. Future growth is expected as below.

Department                 Current users   Future growth
Management                 10              11
HR                         10              11
Sales                      70              77
IT                         10              11
Finance                    20              22
Research and Development   10              11
Engineering                30              33
Design                     30              33
Legal                      5               6
Marketing                  55              61

For efficient use of the available class C subnets, VLSM is used. Since the subnetting is done according to the future growth of users, there is always room for the growing needs of individual departments' users. In addition, if a new logical group is required, an available subnet can be used. For management, security and scalability purposes, users are separated into logical groups by creating VLANs. The following VLANs and subnet schemes are used. Since the network is designed to use high-availability protocols such as HSRP, another three IP addresses are added when calculating the number of hosts per subnet.

Department                 VLAN   Subnet
Management                 10     192.168.2.208/28
HR                         20     192.168.2.160/28
Sales                      30     192.168.1.128/25
IT                         40     192.168.2.176/28
Finance                    50     192.168.2.128/27
Research and Development   60     192.168.2.192/28
Engineering                70     192.168.2.0/26
Design                     80     192.168.2.64/26
Legal                      90     192.168.2.224/28
Marketing                  100    192.168.1.0/25
Server Farm                110    192.168.2.240/29

The first IP address of each subnet is allocated as the virtual IP address of the redundancy protocol, and the second and third IP addresses are allocated to DLS_Sw1 and DLS_Sw2 respectively. The rest of the IP addresses are allocated to hosts.

The following IP addresses are used between the distribution layer switches and the router, and for the internet links.
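As an added check (not part of the original report), the following Python script verifies the VLSM plan above: it computes the smallest prefix that fits each department's future head-count plus the three reserved addresses, confirms every subnet lies inside the two assigned class C blocks, checks that no two subnets overlap, and derives the virtual IP and DLS_Sw1/DLS_Sw2 addresses according to the allocation rule. The department figures and subnets are taken from the tables above; the function names are my own.

```python
import ipaddress

# Head-count per department after 10% growth (from the report's growth table)
# and the VLAN subnet the report assigns to each department.
FUTURE_USERS = {
    "Management": 11, "HR": 11, "Sales": 77, "IT": 11, "Finance": 22,
    "Research and Development": 11, "Engineering": 33, "Design": 33,
    "Legal": 6, "Marketing": 61,
}
PLAN = {
    "Management": "192.168.2.208/28", "HR": "192.168.2.160/28",
    "Sales": "192.168.1.128/25", "IT": "192.168.2.176/28",
    "Finance": "192.168.2.128/27", "Research and Development": "192.168.2.192/28",
    "Engineering": "192.168.2.0/26", "Design": "192.168.2.64/26",
    "Legal": "192.168.2.224/28", "Marketing": "192.168.1.0/25",
}
# The report reserves three addresses per subnet: the HSRP virtual IP and the
# real interface addresses of DLS_Sw1 and DLS_Sw2.
RESERVED = 3
# The two class C blocks the report makes available for user subnets.
POOLS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.2.0/24")]


def min_prefix(hosts: int) -> int:
    """Smallest prefix length whose usable host count (2^n - 2) covers `hosts`."""
    p = 32
    while (2 ** (32 - p)) - 2 < hosts:
        p -= 1
    return p


def gateway_addresses(cidr: str) -> dict:
    """Apply the report's rule: 1st host = VIP, 2nd = DLS_Sw1, 3rd = DLS_Sw2."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return {
        "vip": str(hosts[0]), "dls_sw1": str(hosts[1]), "dls_sw2": str(hosts[2]),
        "first_host": str(hosts[3]), "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts) - RESERVED,
    }


def check_plan(users=FUTURE_USERS, plan=PLAN) -> list:
    """Return a list of problems found in the plan ([] when it is sound)."""
    problems = []
    nets = {}
    for dept, cidr in plan.items():
        net = ipaddress.ip_network(cidr)
        nets[dept] = net
        need = users[dept] + RESERVED
        if net.prefixlen > min_prefix(need):
            problems.append(f"{dept}: {cidr} too small for {need} addresses")
        if not any(net.subnet_of(pool) for pool in POOLS):
            problems.append(f"{dept}: {cidr} outside the assigned class C blocks")
    depts = list(nets)
    for i, a in enumerate(depts):
        for b in depts[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")
    return problems


if __name__ == "__main__":
    print("problems:", check_plan() or "none")
    for dept, cidr in PLAN.items():
        print(f"{dept:26} {cidr:18} {gateway_addresses(cidr)}")
```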

Device    Interface   IP address        Mask   Description
Dls_Sw1   Fa0/1       192.168.2.249     /30    Link to Router
Dls_Sw2   Fa0/1       192.168.2.253     /30    Link to Router
Router    Fa0/0       192.168.2.250     /30    Link to Dls_Sw1
Router    Fa0/1       192.168.2.254     /30    Link to Dls_Sw2
Router    S0/0        200.165.240.246   /30    Primary internet link
Router    S0/1        200.165.240.242   /30    Backup internet link

NAT/PAT will be enabled on the router so that users can use the internet. Further NAT entries will be configured to give outside users access to inside resources.

The management VLAN, VLAN 199, will use the 10.0.0.0/24 IP address range, since the given class C address blocks have been used up by the other logical groups.

Network hosts will get their IP addresses via DHCP from the distribution layer switches.

4.4 Network Protocol Implementation

OSPF will be enabled as the routing protocol. The router will advertise a default route towards the distribution layer switches via OSPF. Other advanced OSPF features are enabled in order to optimize communication between the two buildings and avoid suboptimal paths.

EtherChannels will be created on the links between the distribution layer switches and the access layer switches, with LACP enabled as the negotiation protocol. After proper analysis of the traffic patterns, a suitable load-balancing hash algorithm can be chosen to enhance performance.

HSRP will be enabled among the distribution layer switches for high availability of the network. Gateway duties will be shared between the distribution layer switches so that overhead and processing load are split between them.

DLS_Sw1 will act as the gateway for the subnets residing in the Operandi building, while DLS_Sw2 will act as the gateway for the subnets residing in the Nexus building.

End-to-end VLANs will be created, since there are space constraints in the Operandi building, so that hosts can be moved to the Nexus building without leaving their logical group.

Rapid Spanning Tree Protocol will be chosen as the spanning tree protocol, since it reacts very efficiently, so there is little downtime when failing over to other links.

5. Security and access policy

Most threats can be expected from the inside, so the following security measures can be taken to mitigate inside attacks.

Port security will be enabled in order to mitigate MAC address flooding attacks and keep out unauthorized users.

VTY lines are secured using ACLs that allow only IT staff to access the network devices. In addition, since clear-text communication can be sniffed with software, SSH will be enabled for remote management.

DHCP spoofing attacks will be prevented by enabling the DHCP snooping feature on the access layer switches. This also helps to mitigate man-in-the-middle attacks.

Server communication is restricted to authorized people only. This is achieved by placing an ACL on DLS_Sw1, which prevents unauthorized people from accessing server data.

Ping sweeps and other reconnaissance of the network will be prevented by filtering ICMP echo request packets at the distribution layer switches and on the router. This also mitigates DoS attacks.

Enabling the passive interface feature in the routing protocol implementation will prevent unauthorized people from obtaining routing updates.

To mitigate attacks coming from outside, the following measures can be taken.

Enabling the firewall features on the edge router will inspect packets coming into the network.

Placing proper ACLs on the router will also mitigate DoS attacks coming from outside.

Routing protocol authentication can be enabled as a further good security measure.
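The server access restriction above (the ACL on DLS_Sw1) can be derived mechanically from the server authorization table in section 2.1 and the VLAN subnets in section 4.3. The following Python script is an added illustration, not the report's own configuration: the server addresses inside the 192.168.2.240/29 server farm are assumed placeholders (after the VIP and the two switch addresses that /29 leaves only three host addresses, so three servers are modelled), "Managers" is taken to mean the Management department, and the evaluator mirrors first-match ACL processing with a final permit for traffic that is not destined to a server.

```python
import ipaddress

# Department VLAN subnets from the addressing plan in section 4.3.
SUBNETS = {
    "Management": "192.168.2.208/28", "HR": "192.168.2.160/28",
    "Sales": "192.168.1.128/25", "IT": "192.168.2.176/28",
    "Finance": "192.168.2.128/27", "Research and Development": "192.168.2.192/28",
    "Engineering": "192.168.2.0/26", "Design": "192.168.2.64/26",
    "Legal": "192.168.2.224/28", "Marketing": "192.168.1.0/25",
}
# Authorization table from section 2.1. The server addresses are ASSUMED
# placeholders in the 192.168.2.240/29 server-farm subnet; "All" means every
# internal user may reach the server.
SERVERS = {
    "file_mail": ("192.168.2.244", "All"),
    "eng_design_app": ("192.168.2.245",
                       ["Engineering", "Design", "Research and Development", "Management", "IT"]),
    "sales_marketing": ("192.168.2.246", ["Sales", "Marketing", "Management", "IT"]),
}
ANY = ipaddress.ip_network("0.0.0.0/0")


def build_acl(subnets=SUBNETS, servers=SERVERS):
    """Ordered (action, source_network, server_address) rules; first match wins.

    For each server: permit every authorized department's subnet, then deny
    all other sources. Traffic not destined to a server falls through."""
    rules = []
    for addr, who in servers.values():
        dst = ipaddress.ip_address(addr)
        if who == "All":
            rules.append(("permit", ANY, dst))
        else:
            for dept in who:
                rules.append(("permit", ipaddress.ip_network(subnets[dept]), dst))
        rules.append(("deny", ANY, dst))
    return rules


def acl_lines(rules):
    """Render the rules as IOS-style extended ACL entries (wildcard masks)."""
    lines = []
    for action, src, dst in rules:
        src_text = "any" if src == ANY else f"{src.network_address} {src.hostmask}"
        lines.append(f"{action} ip {src_text} host {dst}")
    lines.append("permit ip any any")  # non-server traffic is outside this ACL's scope
    return lines


def allowed(src_ip, dst_ip, rules=None):
    """Evaluate one packet (source -> destination) against the ACL, first match wins."""
    rules = build_acl() if rules is None else rules
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, net, host in rules:
        if src in net and dst == host:
            return action == "permit"
    return True  # the trailing "permit ip any any"


if __name__ == "__main__":
    for line in acl_lines(build_acl()):
        print(line)
```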

6. Performance Monitoring and Maintenance

For maintenance and monitoring, a baseline first has to be created. This will include network performance statistics fetched by SNMP software on a normal operating day. Software like SolarWinds will be a good solution for this particular design. At the same time, the following documents have to be set up to ease management of the network. (CISCO, 2008)

Network configuration table – this document will contain up-to-date hardware, software and configuration details of the network devices.

End system configuration table – this document will contain up-to-date hardware, software and configuration details of the end computers, servers and other equipment such as printers.

Network topology – this document will contain a graphical overview of the network topology as well as interfaces, IP addresses and subnets.

After the baseline is in place, key performance data can be collected over a period of time. This data gives an overview of how the network behaves. Decisions can then be taken on how the network performs during a normal day, which areas are over- or under-utilized, what the traffic patterns are, what the threshold values are at which human intervention is required to mitigate problems, and whether the network provides the results expected.

7. Potential Risks and Disaster recovery management

The following potential risks can be identified for this network.

External risks – Since the new site is on a river bank, there are risks of flooding, tornadoes and ground sinking.

Data systems risks – Virus attacks, telecommunication and network failures, server damage.

Facility risks – Electrical hazards, building collapse, fire.

Departmental risks – A failure within a department.

Desk level risks – Errors occurring at the user station level.

To meet a disaster incident, a predefined disaster recovery plan has to be created. First, potential risks have to be identified. Then a risk assessment has to be done, which shows which risks are more likely to happen and the time it will take to restore the network. The higher the assessment value, the higher the attention required. Then procedures can be implemented to restore the operational state, and these procedures have to be documented. It is very important to elect a disaster recovery committee. At the same time, precautions for natural disasters and electrical hazards, and a data and configuration backup system, have to be put in place. (CISCO, 2008)

8. Conclusion

This small and medium-sized business network will achieve its goals of scalability, reliability and performance in a secure environment. The network will be properly monitored and optimized with the plan proposed by the design. Ultimately the company network will be able to reflect the business values of the company, so that the company can provide a satisfactory level of service to its customers. The investment put into the design will be beneficial for the strong growth of the corporation.
