Comprehensive Authentic Assessment Plan Deliverables
For this course, the AAP is a response to a customer's RFP or to the
customer's design requirements and the type of solution used in the
network design. Typically a customer's RFP includes the following
topics.
· Business goals for the project
· Scope of the project
· Information on existing network
· Information on new applications
· Technical requirements, including scalability, availability,
network performance, security, manageability, usability,
adaptability, and affordability
· Warranty requirements for products
· Environmental or architectural constraints
· Training and support requirements
· Preliminary schedule with milestones and deliverables
· Legal contractual terms and conditions
Your AAP should include responses to all items of the customer's RFP
and should cover the logical and physical components of the
design, information on the technologies used in the design solution, and
a proposal for implementing the design. The following sections
describe the format of the AAP:
A: Executive Summary (ES)
The executive summary briefly states and emphasizes the major
points of the customer's requirements. The ES should be no
more than one page and should be directed at the key decision
maker of the project, who will decide whether to accept your
design. The ES can contain minimal technical information but NO
technical details. The technical information should be
summarized and organized in order of the customer's highest-
priority objectives for the design project, so the ES is
organized around the customer's top requirements.
B: Project Goal
This section should state the primary goal for the network
design. The goal should be business oriented and related to an
overall objective the organization has for becoming more
successful in its core business. Your objective is to make it clear to
the decision maker that you understand the primary purpose and
importance of the network design project. Below is an example
of a project goal that was written for an actual design.
“The goal of this project is to develop a wide area network
(WAN) that will support new high bandwidth and low-delay
multimedia applications. The new applications are key to the
successful implementation of new training programs for the
sales force. The new WAN will facilitate increasing sales in the
USA by 50% in the next fiscal year.”
C: Project Scope
The project scope section provides information on the extent of the
project, including a summary of the departments and field office
networks that will be affected by the project. The project scope
section specifies whether the project is a new network or a
modification to an existing network. It indicates whether the
design is for a single network segment, a set of LANs, a
building or campus network, a set of WAN or remote access
networks, VoIP, or enhanced security.
D: Design Requirements
In this section, you provide the major business and technical
requirements of the network in priority order. In the business goals,
explain the role the network design will play in helping the
organization provide better products and services.
The technical requirements section explains in general terms how
the proposed technical improvements are better than or meet the
customer's requirements.
Network Applications: This section lists and characterizes the
new and existing network applications.
E: Current State of the Network:
This section briefly describes the structure and performance of
the current network. It should include a high-level network map that
identifies the location of connecting devices, server farms,
storage systems, and network segments.
F: Design Solution:
This section includes:
· Logical network topology, including one or more high-level
drawings to illustrate the logical architecture of the proposed
network
· Recommended LAN design to implement the client's key
requirements
· Recommended Voice over IP solution
· Recommended solution to implement the client's key security
requirements
· Recommended solution to implement the client's key Active
Directory requirements
· Recommended network management processes and products
G: Implementation Plan:
The implementation plan includes your recommendations for
deploying the network design. The description of the design
implementation should be as detailed as possible. Implementation of a
network design consists of several phases (buy and install
hardware, configure the system, test the system, and so forth). Each
phase consists of several steps, and the documentation for each step
should contain the following:
· A project schedule
· Plans with vendors or service providers for the installation of
links, equipment or services
· Plans or recommendations for outsourcing the implementation
or management of the network
· A plan for communicating the design to end users, network
administrators, and management
· A training plan for network administrators and end users
· A plan for measuring the effectiveness of the design after it
has been implemented
· A list of known risks that could delay the project
· A fallback plan if the network implementation fails
· A plan for evolving the network design as new application
requirements and goals arise
Sample Project Schedule Template (date of completion: project milestone)
August 1: Design completed and a beta version of the design document distributed to key executives, managers, network administrators, and end users (distribution to end users depends on management)
August 15: Comments on the design document due
August 22: Final design document distributed
August 25: Installation of leased lines between all buildings completed by the WAN service provider
August 28-29: Network administrators trained on the new system
August 30-31: End users trained on the new system
September 6: Pilot implementation completed in Building 1, the head office, or a branch office
September 20: Feedback received on the pilot from network administrators and users
September 27: Implementation completed in Buildings 2-5 or floors 1-6
October 10: Feedback received from Buildings 2-5 from network administrators and users
October 17: Implementation completed in the rest of the buildings or floors
Ongoing or December 31: New system monitored to verify that it meets goals
H: Project Budget
This section should state the funds the customer needs for
equipment purchases, maintenance and support agreements,
service contracts, software licenses, training, and staffing. The
budget can also include consulting fees and outsourcing
expenses.
I: Design Document Appendix
Most design documents include one or more appendixes that
present supplemental information about the design and
implementation. Supplemental information can include detailed
topology drawings, device configurations, network addressing
and naming details, and comprehensive results from the testing
of the network design. You can include business information
such as a list of contact names, phone numbers and e-mail addresses. The
appendix can also include device warranties, legal agreements, and
any information that is not critical to the design but that you
noted during the information-gathering process.
Writing Instructions
The paper must have a minimum of 25 pages and a maximum of 35
pages of text, excluding the required title page and bibliography
and optional tables. Text must be Times New Roman, 12-point font,
1" margins on all sides, and double spaced.
Students must follow "Publication Manual of the American
Psychological Association, Fifth Edition (APA- 5)", also known
as APA style or format. Only a Microsoft Word file will be
accepted as the final submission; no HTML or PDF files
allowed.
All sources must be properly cited and must be credible. At
least two sources must be Internet sources (for help in
evaluating the credibility of web sources, go to
www.umuc.edu/library/guides/evaluate.shtml). Once you have
completed a good draft, it is strongly advised that you submit it
to UMUC's Effective Writing Center (EWC). In order to allow
sufficient time for their review, you need to submit the draft to
EWC two weeks prior to the paper's due date.
Active Directory
5 Assignment – Active Directory Design and Active Directory Implementation
Introduction
The assignment for week three called for the creation of a
document that “will specify organizational Active Directory
design, and develop and implement Active Directory as per
organizational standards and policies” (UMUC, n.d.).
According to the assignment document (UMUC, n.d.), this
section must include but is not limited to:
· Create Active Directory policies that include the recommended
features
· Create and implement a forest named WWTC.com
· Create an OU for each department under the forest WWTC.com
· Link WWTC.com to headquarters
· Create Global, Universal and Domain Local groups for each domain. Each
global group will contain all users in the corresponding
department. Membership in the universal group is restrictive,
and membership can be assigned on the basis of the least-privilege
principle. (For design purposes, you can assume that WWTC is a
single forest with multiple domains.)
· Create GPOs and GPO policies (all domains will be serviced
and managed by IT staff at World-Wide Trading Company)
The network details were generated from the information
provided in the Case Study World Wide Trading Company
(WWTC) document (UMUC, n.d.).
WWTC Forest
Active Directory simplifies the management of users and resources.
Its key characteristics include scalability, a manageable
infrastructure and secure resource allocation, and it is also able
to take advantage of emerging technologies. Even though Active Directory
is not a special-purpose directory, it plays a variety of roles within
organizations (Microsoft, 2014). The important design decisions for
Active Directory therefore concern the deployment choices that
govern the creation, establishment and deployment of the Active
Directory forest.
Create and implement forest named WWTC.com
Active Directory in an enterprise is a directory service that
stores and manages information about network resources. Network
infrastructure administrators use Active Directory as a
database to manage enterprise resources such as computers, users,
hardware and software. Domains and forests are the
two main elements that form the logical and physical
infrastructure of an enterprise network database. It is important to
note that an enterprise may comprise anywhere from one to several
domains and forests, three on average. In the case of World-Wide
Trading Company (WWTC), the enterprise will require one forest and
one domain for the New York enterprise, even though there will
be room for several domains. The aim of this paper is to create
and implement a forest named WWTC.com, create an OU for each
department under the forest WWTC.com, and link WWTC.com
to headquarters (Microsoft, 2014).
When creating the forest named WWTC.com, the scope and focus
will be on developing an Active Directory that offers service
deployment in a straightforward and easy-to-use network
infrastructure. The role of the forest is to contain one or more
domains while centering on defining and managing an
infrastructure that has central administrative roles and
responsibilities. Active Directory is a forest containing multiple
domains, and arranging multiple domains in the forest helps
limit data replication. When designing the forest, the
administrator is responsible for completing the domain design for
WWTC. The elements of the domain design include the forest root
domain, the name of the domain, the scope of the domain and
the number of users that will use that domain. The network
infrastructure developers should also create and plan a schedule
for upgrades. In WWTC, the scope of the forest has already been
defined: the number of users for this forest is approximately
4,000, the name of the domain will be WWTC.com and the
forest root domain will be WWTC (Microsoft, 2014).
Being an enterprise with global business and with objectives of
growth, this organization will use a dedicated forest root domain
in its design. The purposes of using a dedicated
forest root domain include the following:
· Only a few network infrastructure administrators are needed,
but they are able to make forest-wide changes.
· The forest database backup can be replicated.
· Obsolete resources are avoided.
· Ownership of the forest root domain is easily transferred. This would
happen only if the current business plan ceases to be
favorable.
[Figure 1 (diagram not reproduced): Active Directory forest showing the
WWTC.com domain container and sub-domain containers in a two-way
transitive relationship; a second domain container and a third,
replicated container may be present.]
Create OU for each Department under forest WWTC.com.
Organizational units (OUs) are contained within the domains of
the Active Directory forest and are key elements of the forest
domain. The top level of Active Directory is the forest, the
domains come second, and OUs are third, contained within the domains.
The organization of these three elements is called the logical
model of the network infrastructure. Within an enterprise
organization, OUs assist in delegating administrative activities within
the network infrastructure (Microsoft, 2014). Administrative
activities include creating and developing group policies as well
as restricting visibility.
Within the WWTC New York organization, OUs are created
and developed after the main forest domain infrastructure is
complete. Following IT best practices, OUs are modeled within
the domain and reserved for internal operational managers.
Organizational units are defined as departments, and each
department is required to manage its own objects within the
larger domain. While the IT staff are tasked with managing the
overall configuration of the domain, OUs are managed by the
OU owners. Therefore, the OU owners need skills and expertise
similar to those of the domain managers. The tasks of the OU
owners include making periodic changes to the OU structure
that reflect changes in the domain and that support organizational
business and network policies. Another important characteristic
of OUs is that they are designed to change easily. As defined, the
elements of an OU include, but are not limited to,
other OUs, users, groups, computers and other hardware
objects (Microsoft, 2014). The OU and its sub-OUs form a structure
within the domain that is primarily used for
management processes. There is no limit on the number of OUs
within a domain, but a large number requires extensive updates and
extensive resources to make those updates. Therefore, following IT
best practices, WWTC will not create OUs that are more than
ten levels deep. The best-practice OU model for WWTC is explained in
the figure below:
In the OU model shown above, the Active Directory default
containers include two elements, namely the Users and
Computers containers and the Domain Controllers OU.
The principle behind interconnecting system containers under
several OUs is that enterprises such as WWTC require high
performance and the highest possible percentage of uptime. Also, the nature
of the business requires the highest level of security, which implies
that major scheduled system upgrades will be required. When
there is an upgrade, an OU from one domain container will be
moved to another domain container. The old forest domain model
required manually moving users from the domain that is due for
upgrade to another domain so that they could continue
executing their tasks. However, today the new forest domain model,
such as the one WWTC is going to use, will not
require physically moving users to another location.
Link WWTC.com to headquarters
Linking the WWTC organization in New York to the
headquarters in Hong Kong requires a Key Distribution Center
(KDC) topology, borrowed from the Kerberos authentication
service. Depending on the domain services that will be provided,
the KDC topology has the intelligence to detect and
balance shortcut trusts across the geographic locations of the
soon-to-be-linked domains. Linking domains across distant
geographic locations requires non-interactive connections. The
non-interactive connections require that, before a WWTC employee in the
U.S. can access resources located at the headquarters in
Hong Kong, trust authentication takes place (Microsoft,
2014).
Accessing resources in two geographic locations that belong
to two different domains requires a valid ticket obtained from a
valid KDC. The company's main domain is WWTC.com; the U.S. domain is
us.WWTC.com and the China domain is cn.WWTC.com. Both of these
geographically separate locations access resources
from the main domain. The forest infrastructure interconnects
the domains within the same geographic region over an interactive
network, but when connecting to a geographically different
region the non-interactive network is used, hence the process of
issuing tickets to employees who access resources in a different country. It
is common for the network infrastructure to use referral tickets
for these referral interconnections. Both the connection to the main
domain and the interconnection between sub-domains
located in geographically different locations must
request permission to communicate with each other from the
main domain (Microsoft, 2014).
In addition to ticket referral when accessing resources
in different geographic locations, another method, the
ticket-granting ticket (TGT), may be applied. The principle
behind this ticketing system is that some domains may not
have permission to access other domains. For example, the U.S.
domain may not have permission to access the China domain
even though the China domain can access the U.S. domain.
When such a restriction is in place, it means that one of the
domains is authoritative while the other is less authoritative.
To enable this communication, the KDC Kerberos trust relationship
is used.
Global Universal and Local Groups
Active Directory is used within a network environment to
simplify the administration of users, computers, devices and the
network itself. While it takes a lot of time and effort to
implement a new AD design, the time saved and the ease of
administration while supporting the network are the payoff. One
way that AD eases administration is through the use of groups.
Groups allow an administrator to easily manage large sets of
users or computers by moving users or computers between these
groups. If a new hire is joining the accounting department, you
can simply add them to the accounting group rather than applying
each policy to the user individually. This is fast and simple, but it
is important to plan out your design.
There are three types of groups within AD: universal, global
and domain local. Universal groups are stored in and replicated to
all global catalogs within the forest, which allows them to cross
domain boundaries. Global groups replicate to all domains,
“but can only contain users and computer accounts from the
domain that the global group is created in” (Minasi, 2014). A
domain local group is only used within the domain in which it was
created, but it can contain global and universal groups.
For the design of WWTC, we will be using the following
Universal groups:
· President_U
· VPs_U
· CEOs_U
· Managers_U
· Brokers_U
· Staff_U
· ITSupport_U
· Operations_U
· IT_U
· Finance_U
· HR_U
· Workstations_U
· Printers_U
· Servers_U
We will create the following Global Groups:
· President
· VPs
· CEOs
· Managers
· Brokers
· Staff
· ITSupport
· Operations
· IT
· Finance
· HR
· Workstations
· Printers
· Servers
We will create the following Domain Local Groups:
· President_Resources
· VPs_Resources
· CEOs_Resources
· Managers_Resources
· Brokers_Resources
· Staff_Resources
· ITSupport_Resources
· Operations_Resources
· IT_Resources
· Finance_Resources
· HR_Resources
Once these groups are created, we can organize the
users in a way that allows us to restrict permissions via the
domain local groups, while still being able to add domains easily and
let users access resources across the domains and the forest as they
need to via the universal groups.
By creating the appropriate groups, administration of the forest
will consist of simple group membership changes that apply the proper
permissions and restrictions to the appropriate groups. In order
to have the most control over the domain, we will put the
accounts (users and computers) into the Global groups, the
Global groups into the appropriate Universal groups,
and then the Universal groups into the appropriate
Domain Local groups, where the necessary domain restrictions
and permissions can be applied.
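The nesting just described (accounts into Global groups, Global groups into Universal groups, Universal groups into Domain Local groups), written as a PowerShell script that builds the group lists above. This is an added example, not part of the original paper; it assumes the ActiveDirectory module is available and that the groups live in an OU named OU=Groups,DC=WWTC,DC=com, which is an assumed container name.

```powershell
# Added example (not from the original paper): builds the WWTC.com group scheme
# described above with the nesting the design specifies:
#   accounts -> Global group -> Universal group (_U) -> Domain Local group (_Resources)
# Assumes the ActiveDirectory module and an existing OU "OU=Groups,DC=WWTC,DC=com"
# (assumed name); the caller needs rights to create groups there.
Import-Module ActiveDirectory

$GroupsOU = 'OU=Groups,DC=WWTC,DC=com'   # assumed container for all groups

# Department/role names taken from the design; all three group lists share them.
$Departments  = 'President','VPs','CEOs','Managers','Brokers','Staff',
                'ITSupport','Operations','IT','Finance','HR'
# Device groups exist as Global and Universal only; the design has no _Resources group for them.
$DeviceGroups = 'Workstations','Printers','Servers'

function New-WwtcGroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Path)
    # Idempotent: New-ADGroup throws if the group already exists, so check first.
    $Existing = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path -ErrorAction SilentlyContinue
    if (-not $Existing) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
                    -GroupCategory Security -Path $Path
    }
}

foreach ($Dept in ($Departments + $DeviceGroups)) {
    New-WwtcGroupIfMissing -Name $Dept       -Scope Global    -Path $GroupsOU
    New-WwtcGroupIfMissing -Name "${Dept}_U" -Scope Universal -Path $GroupsOU
    # The Global group becomes a member of its Universal group.
    Add-ADGroupMember -Identity "${Dept}_U" -Members $Dept
}

foreach ($Dept in $Departments) {
    New-WwtcGroupIfMissing -Name "${Dept}_Resources" -Scope DomainLocal -Path $GroupsOU
    # The Universal group becomes a member of the Domain Local group that carries the ACLs.
    Add-ADGroupMember -Identity "${Dept}_Resources" -Members "${Dept}_U"
}

# Day-to-day use: a new Finance hire only needs to join the Global group; the nesting
# grants access to Finance resources without touching any ACL ('jdoe' is a placeholder).
# Add-ADGroupMember -Identity 'Finance' -Members 'jdoe'

# Verification: list the chain for one department to confirm the nesting was applied.
Get-ADGroupMember -Identity 'Finance_Resources' | Select-Object Name, GroupCategory
Get-ADGroupMember -Identity 'Finance_U'         | Select-Object Name, GroupCategory
```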
Active Directory Policy
Encryption
One of the most effective measures against data being
compromised is to use encryption, which makes
it more difficult, and often impossible, to recover data even if it
is obtained by a malicious user. By implementing the
following Group Policies for the Computer and Server OUs, we
can ensure that every computer on the network encrypts
data when it is not being accessed:
BitLocker
1. Enforce drive encryption type on fixed data drives – uses the
Full Disk Encryption option and skips the encryption options page for the
user.
Policy Path = Computer Configuration\Administrative
Templates\Windows Components\BitLocker Drive
Encryption\Fixed Data Drives
2. Allow network unlock at startup – automatically unlocks the
protected operating system drive on startup.
Policy Path = Computer Configuration\Administrative
Templates\Windows Components\BitLocker Drive
Encryption\Operating System Drives (Microsoft, 2007).
BranchCache
1. Use Group Policy to Configure Domain Member Client
Computers = Turns on BranchCache.
Policy Path = Computer Configuration, Policies, Administrative
Templates: Policy definitions (ADMX files) retrieved from the
local computer, Network, BranchCache. (Microsoft, 2012).
2. Windows Server 2012 encrypts the cache by default for
BranchCache. (Microsoft, 2015).
Failover Clustering
Failover clustering is a new feature provided with Windows
Server 2012 and 2012 R2. It allows you to link multiple servers
together to work in concert, and if one experiences a
catastrophic failure, the others can take over immediately. This
is a recommended feature for WWTC to ensure high availability
as well as scalability. To enable this feature, it simply needs
to be added under Add Roles and Features: choose Role-based or
feature-based installation, select the destination server, select
server roles, then select features and select Failover
Clustering. Add this on all servers you wish to include in the
cluster (Windows, 2013).
File Server Resource Manager
File Server Resource Manager, or FSRM, is "a suite of tools that
allows administrators to understand, control and manage the
quantity and type of data stored on their servers" (Microsoft,
2007). An important recommended tool that is controlled by
FSRM is called File Classification Infrastructure. This gives
the administrator the ability to store files based on how
important they are to the business or what impact they would
have if they were lost. One example is taking files containing social
security numbers and classifying them as Personally
Identifiable Information (Savill, 2013). To install FSRM, open
Control Panel, click Add or Remove Programs, and click
Add/Remove Windows Components. In the Windows
Components Wizard, select Management and Monitoring
Tools and select Details. Click Next and then Finish.
IP Address Management (IPAM)
An IP Address Management (IPAM) server can offer better
management of your network resources by providing the
following features: Address Space Management, Virtual
Address Space Management, Multi-Server Management,
Network Auditing and Role-based access control. The Address
Space Management and Virtual Address Space Management
tools give you oversight of all of your IP addressing, let you
view statistics such as usage, and find and resolve conflicts; they are
compatible with IPv4 and IPv6. The Multi-Server Management
tool allows you to manage all of the DHCP and DNS servers
from one location, and can automatically locate all of them
across the entire forest. With Network Auditing, you can track
users, IP addresses and their devices, configure reports, view
changes to IPAM and resolve conflicts. IPAM also offers Role-
based management to delegate duties to other IT professionals.
The IPAM software needs to be installed on a domain member
and cannot be installed on an AD Domain Controller. IPAM can
be deployed in 3 different ways: Distributed, Centralized and
Hybrid. Distributed has an IPAM server at each site.
Centralized has one for the enterprise. Hybrid has one
central server with additional servers at each site (Microsoft, 2014).
Smart Cards
In order to provide the most secure protection for the network,
it is recommended to use a two-factor authentication system,
which in this case should be a smart card issued to employees
and a PIN that the user will create and remember. With
two-factor authentication, the user must meet the requirements
of something they have and something they know. This
gives an attacker less chance of having both pieces of the
security puzzle. The smart card setup requires a PKI (Public
Key Infrastructure) for the card to work. The private keys on the
smart cards must match a user in Active Directory. The
certificates are mapped to a user account and allow you to
force interactive logon and other features. Group Policy can be
used to push policies across different OUs. Administrative
tasks can be delegated in Active Directory to help with
management (Microsoft, 2007).
Active Directory Group Policy
WWTC mentioned several improvements they would like to
have completed within their new Active Directory additions.
Most of the features to be implemented are security related and
must be enforced through Windows Server 2012 group policies
(GPOs). The WWTC Company Policy was created to work in
conjunction with the Default Domain Policy. The key security
feature that was requested to be configured was BitLocker
requirements at the pre-boot level of WWTC's computers. In
addition, policies were put in place to allow BitLocker
encrypted machines to unlock themselves automatically when
physically connected to the network. The next GPO setting
configured involved enabling the BranchCache service. A set of
key policies has been applied for BranchCache to run in hosted
mode, which includes the use of the Background Intelligent
Transfer Service (BITS). The offline GPO settings are
used to enforce two data security requirements: preventing end
users from storing data offline, and encrypting data that has been
cached on a computer. Smart card GPO settings are set to
control how an end user's smart card interacts with the
computer, what type of certificates are allowed for use with the
smart card, and what prompts will be received in regard to the
smart card. Lastly, the file classification GPO settings enable
the use of automated rules to classify a file's sensitivity using a
predetermined set of properties, while also presenting a custom
notification for denied access to any files or folders.
Default Domain Policy GPO
Password Policy GPO Settings
Enforce password history = 6 passwords remembered
Maximum password age = 60 days
Minimum password age = 15 days
Minimum password length = 12 characters
Password must meet complexity requirements
Store passwords using reversible encryption for all users in the
domain
Account lockout duration = 15 minutes
Account lockout threshold = 3 invalid logon attempts
Reset lockout counter after = 15 minutes
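An added check, not from the original paper, that reads the live Default Domain Policy with Get-ADDefaultDomainPasswordPolicy and reports every setting that drifts from the password and lockout values listed above. It assumes the ActiveDirectory module and a domain-joined host; the list above gives no value for reversible encryption, so the check assumes it is meant to be disabled.

```powershell
# Added example (not from the original paper): compares the effective Default Domain
# Policy against the password and lockout values listed above and returns the drift.
# Assumes the ActiveDirectory module on a domain-joined host. Units follow the
# settings' own definitions: password ages in days, lockout times in minutes.
Import-Module ActiveDirectory

# Expected values from the design. The page lists "Store passwords using reversible
# encryption" without a value; this check assumes it must be OFF, because reversible
# storage lets anyone who reads the directory recover the clear-text password.
$Expected = @{
    PasswordHistoryCount        = 6
    MaxPasswordAge              = New-TimeSpan -Days 60
    MinPasswordAge              = New-TimeSpan -Days 15
    MinPasswordLength           = 12
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutDuration             = New-TimeSpan -Minutes 15
    LockoutThreshold            = 3
    LockoutObservationWindow    = New-TimeSpan -Minutes 15
}

function Test-WwtcPasswordPolicy {
    param([string]$Domain = 'WWTC.com')   # domain name from the design
    $Policy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    # Emit one object per mismatched setting; an empty result means full compliance.
    $Findings = foreach ($Setting in $Expected.Keys) {
        $Actual = $Policy.$Setting
        if ($Actual -ne $Expected[$Setting]) {
            [pscustomobject]@{
                Setting  = $Setting
                Expected = $Expected[$Setting]
                Actual   = $Actual
            }
        }
    }
    return $Findings
}

$Drift = Test-WwtcPasswordPolicy
if ($Drift) {
    $Drift | Format-Table -AutoSize
    # Reversible encryption is the one finding that weakens every account at once.
    if ($Drift.Setting -contains 'ReversibleEncryptionEnabled') {
        Write-Warning 'Reversible password storage is enabled in the Default Domain Policy.'
    }
} else {
    'Default Domain Policy matches the WWTC design values.'
}
```

Run it after each GPO change and keep the output with the design document, since the Default Domain Policy is the one GPO that defines these values for every account in the domain.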
Account Audit GPO Settings
Audit account logon events = success / failure
Audit account management = success / failure
Audit directory service access = success / failure
Audit logon events = success / failure
Audit object access = success / failure
Audit policy change = success / failure
Audit privilege use = success / failure
Audit process tracking = success / failure
Audit system events = success / failure
User Account Control (UAC) GPO Settings
User Account Control: Admin Approval Mode for the Built-in
Administrator account = enabled
User Account Control: Behavior of the elevation prompt for
administrators in Admin Approval Mode = prompt for consent
on the secure desktop
User Account Control: Behavior of the elevation prompt for
standard users = prompt for credentials
User Account Control: Detect application installations and
prompt for elevation = enabled
User Account Control: Only elevate executables that are signed
and validated = enabled
User Account Control: Run all administrators in Admin
Approval Mode = enabled
User Account Control: Switch to the secure desktop when
prompting for elevation = enabled
User Account Control: Virtualize file and registry write failures
to per-user locations = enabled
WWTC Company Policy GPO
BitLocker Policy GPO Settings
Choose drive encryption method and cipher strength = enabled;
AES 256-bit
Allow enhanced PINs for startup = enabled
Use enhanced Boot Configuration Data validation profile =
enabled
Choose how BitLocker-protected operating system drives can be
recovered = enabled; store in AD DS
Enforce drive encryption type on operating system drives =
enabled; full disk encryption
Require additional authentication at startup = enabled; TPM
with PIN
Allow network unlock at startup = enabled
Configure minimum PIN length for startup = enabled; min. 6
characters
Configure use of hardware-based encryption for operating
system drives = enabled
Allow Secure Boot for integrity validation = enabled
Configure TPM platform validation profile for BIOS-based
firmware configurations = enabled
Configure TPM platform validation profile for native UEFI
firmware configurations = enabled
System cryptography: Use FIPS compliant algorithms for
encryption, hashing, and signing = enabled
System cryptography: Force strong key protection for user keys
stored on the computer = user is prompted when key is first
used
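An added PowerShell check, not part of the original paper, that confirms on a WWTC workstation that the BitLocker settings listed above actually took effect on the operating system drive and that the recovery password was escrowed to AD DS as the policy requires. It assumes the BitLocker and ActiveDirectory modules on a domain-joined machine running Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original paper): verifies the operating system drive
# against the BitLocker GPO settings above: fully encrypted, AES 256-bit, TPM+PIN
# protector present, recovery password present, and that recovery password stored
# in AD DS under the computer object. Assumes the BitLocker and ActiveDirectory
# modules on a domain-joined Windows 8 / Server 2012 or later machine.
Import-Module BitLocker
Import-Module ActiveDirectory

function Test-WwtcBitLockerCompliance {
    param([string]$MountPoint = 'C:')
    $Vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $Types = $Vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    # "Choose how BitLocker-protected operating system drives can be recovered =
    # store in AD DS" produces msFVE-RecoveryInformation child objects under the
    # computer account. If the caller lacks read rights on them, the query simply
    # returns nothing, so run this as an account delegated to read recovery data.
    $ComputerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $Escrowed   = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                               -SearchBase $ComputerDn -SearchScope OneLevel

    [pscustomobject]@{
        MountPoint       = $MountPoint
        FullyEncrypted   = ($Vol.VolumeStatus -eq 'FullyEncrypted')   # full disk, not "in progress"
        Aes256           = ($Vol.EncryptionMethod -eq 'Aes256')       # cipher strength setting
        TpmPinProtector  = ($Types -contains 'TpmPin')                # "TPM with PIN" at startup
        RecoveryPassword = ($Types -contains 'RecoveryPassword')      # recovery key protector exists
        EscrowedInAdDs   = [bool]$Escrowed                            # and a copy reached AD DS
    }
}

$Result = Test-WwtcBitLockerCompliance
$Result

# Any property other than MountPoint that is $false is a policy gap worth a ticket.
$Failed = $Result.PSObject.Properties |
          Where-Object { $_.Name -ne 'MountPoint' -and -not $_.Value } |
          Select-Object -ExpandProperty Name
if ($Failed) {
    Write-Warning "Drive $($Result.MountPoint) fails the WWTC BitLocker policy on: $($Failed -join ', ')"
}
```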
BranchCache GPO Settings
Turn on BranchCache = enabled
Set percentage of disk space used for client computer cache =
enabled; 15%
Set BranchCache Hosted Cache mode = enabled
Configure BranchCache for network files = enabled
Enable Automatic Hosted Cache Discovery by Service Connection Point = enabled
Configure Hosted Cache Servers = enabled
Set age for segments in the data cache = enabled; 15 days
Timeout for inactive BITS jobs = enabled
Limit the maximum BITS job download time = enabled; 5 days
Limit the maximum network bandwidth for BITS background transfers = enabled
Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers = enabled
Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers = enabled
Allow BITS Peercaching = enabled
Limit the age of files in the BITS Peercache = enabled; 10 days
Limit the BITS Peercache size = enabled; 10%
Limit the maximum network bandwidth used for Peercaching = enabled
Set default download behavior for BITS jobs on costed networks = enabled
Limit the maximum number of BITS jobs for this computer = enabled
Limit the maximum number of BITS jobs for each user = enabled
Limit the maximum number of files allowed in a BITS job = enabled
Limit the maximum number of ranges that can be added to the file in a BITS job = enabled
Hash Publication for BranchCache = enabled
Hash Version support for BranchCache = enabled; value of 3
Offline (Cache) Encryption GPO Settings
Default cache size = enabled; 15%
Allow or Disallow use of the Offline Files feature = enabled
Encrypt the Offline Files cache = enabled
Event logging level = enabled
Files not cached = enabled
Action on server disconnect = enabled; never go offline
Prevent use of Offline Files folder = enabled
Prohibit user configuration of Offline Files = enabled
Remove "Make Available Offline" command = enabled
Remove "Make Available Offline" for these files and folders = enabled
At logoff delete local copy of user's offline files = enabled
Limit disk space used by Offline Files = enabled
Smart Card GPO Settings
Interactive logon: Do not display last user name = enabled
Interactive logon: Display user information when session is locked = name only
Interactive logon: Machine account lockout threshold = 3 attempts
Interactive logon: Machine inactivity limit = 7 minutes
Interactive logon: Message text for users attempting to logon = TBD
Interactive logon: Message title for users attempting to logon = TBD
Interactive logon: Number of previous logons to cache (in case domain controller is not available) = 1 logon
Interactive logon: Prompt user to change password before expiration = 15 days
Interactive logon: Require smart card = enabled
Interactive logon: Smart card removal behavior = lock workstation
Allow certificates with no extended key usage certificate attribute = enabled
Filter duplicate logon certificates = enabled
Allow signature keys valid for Logon = enabled
Turn on certificate propagation from smart card = enabled
Configure root certificate clean up = enabled
Turn on root certificate propagation from smart card = enabled
Display string when smart card is blocked = enabled
Prevent plaintext PINs from being returned by Credential Manager = enabled
Allow user name hint = enabled
Turn on Smart Card Plug and Play service = enabled
Notify user of successful smart card driver installation = enabled
Allow ECC certificates to be used for logon and authentication = enabled
File Classification GPO Settings
File Classification Infrastructure: Display Classification tab in File Explorer = enabled
File Classification Infrastructure: Specify classification properties list = enabled
Customize message for Access Denied errors = enabled
Enable access-denied assistance on client for all file types = enabled
(Microsoft, 2015)
References
Microsoft. (Apr 30, 2007). Windows BitLocker Drive Encryption Step-by-Step Guide. Retrieved from https://technet.microsoft.com/en-us/library/c61f2a12-8ae6-4957-b031-97b4d762cf31
Microsoft. (Jul 25, 2012). Use Group Policy To Configure Domain Member Client Computers. Retrieved from https://technet.microsoft.com/en-gb/library/jj572988.aspx#bkmk_gp
Microsoft. (Oct 19, 2015). BranchCache Overview. Retrieved from https://technet.microsoft.com/en-us/library/hh831696.aspx
Microsoft. (Nov 1, 2013). Create a Failover Cluster. Retrieved from https://technet.microsoft.com/en-us/library/dn505754.aspx
Microsoft. (Apr 25, 2007). Introduction to File Server Resource Manager. Retrieved from https://technet.microsoft.com/en-us/library/cc755670%28v=ws.10%29.aspx
Microsoft. (April 15, 2014). IP Address Management Overview. Retrieved from https://technet.microsoft.com/en-GB/library/hh831353.aspx#ASM
Microsoft. (2007). The Secure Access Using Smart Cards Planning Guide. Retrieved from https://www.microsoft.com/en-us/download/confirmation.aspx?id=4184
Microsoft. (2015, November 23). Group Policy Settings Reference for Windows and Windows Server: Windows 8.1 Update and Windows Server 2012 R2 Update 1 .xlsx. Retrieved February 22, 2016, from https://www.microsoft.com/en-us/download/details.aspx?id=25250
Microsoft. (2014). What are Domains and Forests? TechNet. Retrieved February 22, 2016, from https://technet.microsoft.com/enus/library/cc759073(v=ws.10).aspx#w2k3tr_logic_what_ovkc
Minasi, M. (2014). Mastering Windows Server 2012 R2 (1st ed.).
Savill, J. (May 29, 2013). Windows Server 2012 File Classification Infrastructure. Retrieved from http://windowsitpro.com/windows-server-2012/windows-server-2012-fci
UMUC. (n.d.). Case Study World Wide Trading Company. Retrieved February 22, 2016, from https://learn.umuc.edu/d2l/le/dropbox/173660/290354/DownloadAttachment?fid=4908850
UMUC. (n.d.). WWTC Office Layout. Retrieved February 22, 2016, from https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NDkwODg1NA/WWTC Office Layout.png?ou=173660
UMUC. (n.d.). Active Directory Design and Implementation Assignment. Retrieved February 22, 2016, from https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NDkwODg1OQ/Security Policy and Security Design Assignment.docx?ou=173660
LAN, VOIP and Wireless 19
3- Network LAN Design with VoIP and Wireless Services
Introduction
The assignment for week three called for the creation of a “detailed LAN design of network with VoIP services, Wireless services, protocols, devices, and interconnectivity, with WAN” (UMUC, n.d.). According to the assignment document (UMUC, n.d.), “this section must include but is not limited to:
· Equipment List
· Hierarchical IP scheme and VLAN
· Link IP addresses
· High Level Diagram
· Voice and Wireless Design”
The network details were generated from the information provided in the Case Study World Wide Trading Company document (UMUC, n.d.).
Equipment List
The company has provided a list of requirements that must be met in order for the newly designed network to support the company's current and long-term business plans. The requirement that most directly affects the LAN design is the need for much faster, higher-performance network services. This calls for a design that not only provides more available bandwidth but also reduces the congestion caused by excessive broadcast traffic, multicast flooding and routing loops. Another essential requirement is scalability, with provision for 100% growth, so that the network can support the business without major additions as the company expands to over twice its current size. Modularity is also required, so that when expansion or network changes are needed the company can make them with minimal disruption to network performance and to the business. Provision for migration to IPv6, while not an immediate need, must also be built into the network infrastructure so that, as IPv6 becomes more prevalent, the company can leave IPv4 behind with minimal business disruption and expense. Further requirements are centralized network administration with DHCP services, a hierarchical IP address scheme with route aggregation, integrated support for VoIP, streaming video/media support, and a solid, layered defense-in-depth security approach. A thorough and detailed plan is necessary to accommodate these requirements.
The equipment chosen for a network design that meets all of the above requirements must offer very high performance, provide double the number of ports the business currently requires, integrate well into a layered network structure that facilitates centralized administration, and support high availability configurations. The Cisco product line supports all of these attributes. Building a network infrastructure from a single vendor's equipment is a widely used strategy because it ensures seamless hardware, protocol and interface integration, so that the network performs as a single unit from the end user's perspective, which is highly desirable.
The devices listed in the following table will easily
accommodate twice the current 250 device demand within the
company while also delivering high performance for VoIP and
streaming media applications, high availability, and wireless
integration, along with the other aforementioned requirements.
| Device | Cisco Model # | Quantity | Comments |
|---|---|---|---|
| Redundant Core Switches | 6509-E | 2 | Fault tolerant support for up to 534 devices, IP services |
| Distribution layer switches | 4503-E | 2 | Fault tolerant full mesh distribution layer, IP services |
| Access layer switches | WS-C3850-48U-E | 22 | UPoE support, 48 Gig ports per switch, IP services, stackable for fault tolerant performance, integrated wireless controller |
| Firewall with IPS | ASA 5508-X | 2 | Redundant support for dual WAN link design; ingress/egress IPS security |
| Redundant power supply for access switch | PWR-C1-1100WAC | 22 | Second power supply for each WS-C3850-48U-E |
| Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | 4 | Provides 10G redundant support at the core |
| Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | 2 | Provides redundant power supply support |
| Cisco 4500 switch supervisor | Cisco WS-X45-Sup 7L-E | 4 | Provides 10G redundant distribution support |
| Cisco 4500 series line card | Cisco Catalyst 4500E UPOE Line Card | 4 | Provides 1G redundant access support |
The network design is focused on centralized administration for the purpose of decreasing administrative overhead, enabling a smaller IT staff to maintain the network. All network services, such as DHCP, DNS, Active Directory and software maintenance and deployment services, are managed in a centralized yet hierarchical configuration. The network design also delivers a high degree of redundancy. Every switch within the infrastructure has dual uplink connections to the network infrastructure. Each switch is also equipped with dual power supplies, and the network itself is configured in a partial mesh so that there is no single point of failure that could cause business disruption for the company. In addition, each chassis switch (the Cisco 4500 and 6500 series) has dual supervisor engines, so that if one engine fails this fault tolerant configuration enables the switch to continue operating. To fulfill the security requirements of the company, the network is equipped with a Cisco ASA 5500 series firewall that features IPS services, so that would-be intrusions can be detected and quickly shut down while administrators are alerted to the attack. Each department is configured with its own VLAN, and ACLs are configured between the VLANs so that only authorized traffic is allowed to pass between VLANs on the network. Should the company deem it necessary, the 4500 and 6500 series switches can also be equipped with IPS supervisor engines so that the core and distribution layers of the network are also protected by IPS, providing yet another layer of defense against intruders. The 3850 series switches feature an integrated wireless controller which enables seamless wireless mobility throughout the wireless networking area within the building. All switches will be configured with RSTP to prevent network loop issues, EIGRP to automate routing table population and maintenance (with fast convergence), and route summarization employed on a per-subnet basis for efficiency. All switches also support IGMP, IGMP snooping, and PIM for layer 2 and layer 3 multicast forwarding, with PoE and VoIP services supported at the access layer for IP telephony. Finally, each switch is modular, enabling the company to add new features to the network in the future should the need arise.
In order to effectively manage the new network infrastructure, a
naming convention plan must be drafted that provides IT staff
(and users) with a logical, understandable means for identifying
network devices. Following is a table that provides such a plan:
| Device Type | Device | Device Configured Name | Placement | Connection | Comments |
|---|---|---|---|---|---|
| Redundant Core Switches | Cisco 6509-E switch | CoreSwitch1, CoreSwitch2 | Data Center | 10G to Distribution | Fault tolerant support for up to 534 devices, IP services |
| Distribution layer switches | Cisco 4503-E switch | DistSwitch1, DistSwitch2 | Data Center | 10G to Core; 1G to Access | Fault tolerant full mesh distribution layer, IP services |
| Access layer switches | WS-C3850-48U-E | Quad1-1 through Quad1-5, Quad2-1 through Quad2-5, Quad3-1 through Quad3-6, Quad4-1 through Quad4-6 | Data Center | 1G to Distribution; 1G to desktop | UPoE support, 48 Gig ports per switch, IP services, stackable for fault tolerant performance, integrated wireless controller |
| Firewall with IPS | ASA 5508-X | Firewall1, Firewall2 | Data Center | 1G to LAN; 100Mbps to WAN | Redundant support for dual WAN link design; ingress/egress IPS security |
| Redundant power supply for access switch | PWR-C1-1100WAC | | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Second power supply for each WS-C3850-48U-E |
| Wireless AP | Cisco Aironet 2600 | | Ceiling mount, catty-corner, halfway to center | 1G to Access; 802.11b/g/n to clients | 450Mbps data rate support, 802.11a/b/g/n, LAN integration, VLAN, 128 client session support |
| Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Provides 10G redundant support at the core |
| Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Provides redundant power supply support |
| Cisco 4500 switch supervisor | Cisco WS-X45-Sup 7L-E | | Installed in DistSwitch1 and DistSwitch2 | N/A | Provides 10G redundant distribution support |
| Cisco 4500 series line card | Cisco Catalyst 4500E UPOE Line Card | | Installed in DistSwitch1 and DistSwitch2 | N/A | Provides 1G redundant access support |
(Cisco ASA 5508-X with FirePOWER Services, n.d.)
(Cisco Catalyst 6500 Series Switches - Products & Services, n.d.)
(Cisco Catalyst 6509-E Switch, n.d.)
(Compare Models, n.d.)
(Cisco Catalyst 6500 Series Switches - Interfaces and Modules, n.d.)
(Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series, n.d.)
(Cisco Aironet 2600 Series - Products & Services, n.d.)
Hierarchical IP Scheme and VLAN
| Location/Dept | # of IP Addresses Required | Future Growth | Rounded Power of 2 | Number of Host Bits | Subnet Address Assigned |
|---|---|---|---|---|---|
| OPR | 21 | 21 | 64 | 10 | 172.16.6.1-62/26 |
| NW USA | 32 | 32 | 128 | 9 | 172.16.1.1-126/25 |
| SW USA | 32 | 32 | 128 | 9 | 172.16.2.1-126/25 |
| NE USA | 32 | 32 | 128 | 9 | 172.16.3.1-126/25 |
| SE USA | 32 | 32 | 128 | 9 | 172.16.4.1-126/25 |
| M USA | 32 | 32 | 128 | 9 | 172.16.5.1-126/25 |
| Network IT | 50 | 50 | 128 | 9 | 172.16.0.1-126/25 |
| VLAN Name | Location/Dept | VLAN Assignment |
|---|---|---|
| Default VLAN | Unused | VLAN 1 |
| Management VLAN | President, Executive Assistant, VP NW, VP SW, VP NE, VP SE, CEO IT, CEO FIN, CEO HR | VLAN 3 |
| Staff VLAN | Staff/Reception | VLAN 5 |
| Broker VLAN | Broker | VLAN 7 |
| Black Hole VLAN | Vacant/Future Growth | VLAN 9 |
| Voice VLAN (VOIP) | All Departments | VLAN 10 |
The WWTC VLAN assignment will follow industry best practices in alleviating traffic by designation of user, position, and type. Additionally, the default VLAN assigned to all Cisco switches, VLAN 1, will remain unassigned, as any default settings that persist can be a potential target for outside attack. Voice traffic will be segregated to its own VLAN in order to accommodate the switch configurations that favor voice traffic, including quality of service (QoS), full duplex, and other settings advantageous to voice and/or streaming traffic.
According to the case study diagram, WWTC will require a management VLAN for upper-level executives, a staff VLAN for regular staff, a designated VLAN for brokers, a voice VLAN for VoIP traffic, and a black hole VLAN to ensure all unused ports slated for future growth cannot be used in any illicit manner. The chart above details the VLAN number assignment for the aforementioned configuration. The Black Hole VLAN covers any number of users exceeding the required number, as this number represents current users. The management VLAN applies to any executive (President, VP, CEO), executive assistant or manager within a particular VP's department. Configurations at the switch port level will allow for traffic between VLANs via trunking, in case WWTC wishes to designate each VP's individual staff as its own department and interdepartmental communication is required. This configuration addresses the concern regarding regular staff obtaining sensitive company data and housing it on their systems. VLAN segregation by employee level helps ensure that traffic of a given sensitivity is only shared with others whose position should allow them to access such information.
Link IP Addresses
As part of the design process, it is important to plan out the link IP addresses that will be used to connect the network infrastructure. These links are static connections between devices that allow them to communicate effectively and securely, which is a requirement of WWTC. The links also provide redundancy, so that if one or more devices were lost, the network would continue to operate apart from the immediate connections of the failed devices. Below you will find the corresponding tables that provide the link information for the core, distribution and access layers of the modular network design. The network is designed as a mesh to provide recovery from multiple failures, should they occur. Additionally, in order to use IP addresses efficiently, each link network is a /30, which provides exactly the two device IP addresses these small subnets require. Unfortunately, due to the design of the IP hierarchy, it will not be possible to use summarization points in this design.
Core Routing
| Device A | Device B | Device A Address | Device B Address | Network Address |
|---|---|---|---|---|
| FireWall1 | CoreSwitch1 | 172.30.0.1 | 172.30.0.2 | 172.30.0.0 |
| FireWall1 | CoreSwitch2 | 172.30.0.5 | 172.30.0.6 | 172.30.0.4 |
| FireWall2 | CoreSwitch1 | 172.30.0.9 | 172.30.0.10 | 172.30.0.8 |
| FireWall2 | CoreSwitch2 | 172.30.0.13 | 172.30.0.14 | 172.30.0.12 |
| CoreSwitch1 | DistSwitch1 | 172.30.0.17 | 172.30.0.18 | 172.30.0.16 |
| CoreSwitch1 | DistSwitch2 | 172.30.0.21 | 172.30.0.22 | 172.30.0.20 |
| CoreSwitch2 | DistSwitch1 | 172.30.0.25 | 172.30.0.26 | 172.30.0.24 |
| CoreSwitch2 | DistSwitch2 | 172.30.0.29 | 172.30.0.30 | 172.30.0.28 |
Distribution Layer
| Device A | Device B | Device A Address | Device B Address | Network Address |
|---|---|---|---|---|
| DistSwitch1 | Quad1-1 | 172.30.0.33 | 172.30.0.34 | 172.30.0.32 |
| DistSwitch1 | Quad1-2 | 172.30.0.37 | 172.30.0.38 | 172.30.0.36 |
| DistSwitch1 | Quad1-3 | 172.30.0.41 | 172.30.0.42 | 172.30.0.40 |
| DistSwitch1 | Quad1-4 | 172.30.0.45 | 172.30.0.46 | 172.30.0.44 |
| DistSwitch1 | Quad1-5 | 172.30.0.49 | 172.30.0.50 | 172.30.0.48 |
| DistSwitch1 | Quad2-1 | 172.30.0.53 | 172.30.0.54 | 172.30.0.52 |
| DistSwitch1 | Quad2-2 | 172.30.0.57 | 172.30.0.58 | 172.30.0.56 |
| DistSwitch1 | Quad2-3 | 172.30.0.61 | 172.30.0.62 | 172.30.0.60 |
| DistSwitch1 | Quad2-4 | 172.30.0.65 | 172.30.0.66 | 172.30.0.64 |
| DistSwitch1 | Quad2-5 | 172.30.0.69 | 172.30.0.70 | 172.30.0.68 |
| DistSwitch1 | Quad3-1 | 172.30.0.73 | 172.30.0.74 | 172.30.0.72 |
| DistSwitch1 | Quad3-2 | 172.30.0.77 | 172.30.0.78 | 172.30.0.76 |
| DistSwitch1 | Quad3-3 | 172.30.0.81 | 172.30.0.82 | 172.30.0.80 |
| DistSwitch1 | Quad3-4 | 172.30.0.85 | 172.30.0.86 | 172.30.0.84 |
| DistSwitch1 | Quad3-5 | 172.30.0.89 | 172.30.0.90 | 172.30.0.88 |
| DistSwitch1 | Quad3-6 | 172.30.0.93 | 172.30.0.94 | 172.30.0.92 |
| DistSwitch1 | Quad4-1 | 172.30.0.97 | 172.30.0.98 | 172.30.0.96 |
| DistSwitch1 | Quad4-2 | 172.30.0.101 | 172.30.0.102 | 172.30.0.100 |
| DistSwitch1 | Quad4-3 | 172.30.0.105 | 172.30.0.106 | 172.30.0.104 |
| DistSwitch1 | Quad4-4 | 172.30.0.109 | 172.30.0.110 | 172.30.0.108 |
| DistSwitch1 | Quad4-5 | 172.30.0.113 | 172.30.0.114 | 172.30.0.112 |
| DistSwitch1 | Quad4-6 | 172.30.0.117 | 172.30.0.118 | 172.30.0.116 |
| DistSwitch2 | Quad1-1 | 172.30.0.121 | 172.30.0.122 | 172.30.0.120 |
| DistSwitch2 | Quad1-2 | 172.30.0.125 | 172.30.0.126 | 172.30.0.124 |
| DistSwitch2 | Quad1-3 | 172.30.0.129 | 172.30.0.130 | 172.30.0.128 |
| DistSwitch2 | Quad1-4 | 172.30.0.133 | 172.30.0.134 | 172.30.0.132 |
| DistSwitch2 | Quad1-5 | 172.30.0.137 | 172.30.0.138 | 172.30.0.136 |
| DistSwitch2 | Quad2-1 | 172.30.0.141 | 172.30.0.142 | 172.30.0.140 |
| DistSwitch2 | Quad2-2 | 172.30.0.145 | 172.30.0.146 | 172.30.0.144 |
| DistSwitch2 | Quad2-3 | 172.30.0.149 | 172.30.0.150 | 172.30.0.148 |
| DistSwitch2 | Quad2-4 | 172.30.0.153 | 172.30.0.154 | 172.30.0.152 |
| DistSwitch2 | Quad2-5 | 172.30.0.157 | 172.30.0.158 | 172.30.0.156 |
| DistSwitch2 | Quad3-1 | 172.30.0.161 | 172.30.0.162 | 172.30.0.160 |
| DistSwitch2 | Quad3-2 | 172.30.0.165 | 172.30.0.166 | 172.30.0.164 |
| DistSwitch2 | Quad3-3 | 172.30.0.169 | 172.30.0.170 | 172.30.0.168 |
| DistSwitch2 | Quad3-4 | 172.30.0.173 | 172.30.0.174 | 172.30.0.172 |
| DistSwitch2 | Quad3-5 | 172.30.0.177 | 172.30.0.178 | 172.30.0.176 |
| DistSwitch2 | Quad3-6 | 172.30.0.181 | 172.30.0.182 | 172.30.0.180 |
| DistSwitch2 | Quad4-1 | 172.30.0.185 | 172.30.0.186 | 172.30.0.184 |
| DistSwitch2 | Quad4-2 | 172.30.0.189 | 172.30.0.190 | 172.30.0.188 |
| DistSwitch2 | Quad4-3 | 172.30.0.193 | 172.30.0.194 | 172.30.0.192 |
| DistSwitch2 | Quad4-4 | 172.30.0.197 | 172.30.0.198 | 172.30.0.196 |
| DistSwitch2 | Quad4-5 | 172.30.0.201 | 172.30.0.202 | 172.30.0.200 |
| DistSwitch2 | Quad4-6 | 172.30.0.205 | 172.30.0.206 | 172.30.0.204 |
Access Layer
| Device A | Device B | Device A Address | Device B Address | Network Address |
|---|---|---|---|---|
| Quad1-1 | Quad1-2 | 172.30.0.209 | 172.30.0.210 | 172.30.0.208 |
| Quad1-2 | Quad1-3 | 172.30.0.213 | 172.30.0.214 | 172.30.0.212 |
| Quad1-3 | Quad1-4 | 172.30.0.217 | 172.30.0.218 | 172.30.0.216 |
| Quad1-4 | Quad1-5 | 172.30.0.221 | 172.30.0.222 | 172.30.0.220 |
| Quad1-5 | Quad1-1 | 172.30.0.225 | 172.30.0.226 | 172.30.0.224 |
| Quad2-1 | Quad2-2 | 172.30.0.229 | 172.30.0.230 | 172.30.0.228 |
| Quad2-2 | Quad2-3 | 172.30.0.233 | 172.30.0.234 | 172.30.0.232 |
| Quad2-3 | Quad2-4 | 172.30.0.237 | 172.30.0.238 | 172.30.0.236 |
| Quad2-4 | Quad2-5 | 172.30.0.241 | 172.30.0.242 | 172.30.0.240 |
| Quad2-5 | Quad2-1 | 172.30.0.245 | 172.30.0.246 | 172.30.0.244 |
| Quad3-1 | Quad3-2 | 172.30.0.249 | 172.30.0.250 | 172.30.0.248 |
| Quad3-2 | Quad3-3 | 172.30.0.253 | 172.30.0.254 | 172.30.0.252 |
| Quad3-3 | Quad3-4 | 172.30.1.1 | 172.30.1.2 | 172.30.1.0 |
| Quad3-4 | Quad3-5 | 172.30.1.5 | 172.30.1.6 | 172.30.1.4 |
| Quad3-5 | Quad3-6 | 172.30.1.9 | 172.30.1.10 | 172.30.1.8 |
| Quad3-6 | Quad3-1 | 172.30.1.13 | 172.30.1.14 | 172.30.1.12 |
| Quad4-1 | Quad4-2 | 172.30.1.17 | 172.30.1.18 | 172.30.1.16 |
| Quad4-2 | Quad4-3 | 172.30.1.21 | 172.30.1.22 | 172.30.1.20 |
| Quad4-3 | Quad4-4 | 172.30.1.25 | 172.30.1.26 | 172.30.1.24 |
| Quad4-4 | Quad4-5 | 172.30.1.29 | 172.30.1.30 | 172.30.1.28 |
| Quad4-5 | Quad4-6 | 172.30.1.33 | 172.30.1.34 | 172.30.1.32 |
| Quad4-6 | Quad4-1 | 172.30.1.37 | 172.30.1.38 | 172.30.1.36 |
| Quad1-1 | Quad1-3 | 172.30.1.41 | 172.30.1.42 | 172.30.1.40 |
| Quad1-2 | Quad1-4 | 172.30.1.45 | 172.30.1.46 | 172.30.1.44 |
| Quad1-3 | Quad1-5 | 172.30.1.49 | 172.30.1.50 | 172.30.1.48 |
| Quad1-4 | Quad1-1 | 172.30.1.53 | 172.30.1.54 | 172.30.1.52 |
| Quad1-5 | Quad1-2 | 172.30.1.57 | 172.30.1.58 | 172.30.1.56 |
| Quad2-1 | Quad2-3 | 172.30.1.61 | 172.30.1.62 | 172.30.1.60 |
| Quad2-2 | Quad2-4 | 172.30.1.65 | 172.30.1.66 | 172.30.1.64 |
| Quad2-3 | Quad2-5 | 172.30.1.69 | 172.30.1.70 | 172.30.1.68 |
| Quad2-4 | Quad2-1 | 172.30.1.73 | 172.30.1.74 | 172.30.1.72 |
| Quad2-5 | Quad2-2 | 172.30.1.77 | 172.30.1.78 | 172.30.1.76 |
| Quad3-1 | Quad3-3 | 172.30.1.81 | 172.30.1.82 | 172.30.1.80 |
| Quad3-2 | Quad3-4 | 172.30.1.85 | 172.30.1.86 | 172.30.1.84 |
| Quad3-3 | Quad3-5 | 172.30.1.89 | 172.30.1.90 | 172.30.1.88 |
| Quad3-4 | Quad3-6 | 172.30.1.93 | 172.30.1.94 | 172.30.1.92 |
| Quad3-5 | Quad3-1 | 172.30.1.97 | 172.30.1.98 | 172.30.1.96 |
| Quad3-6 | Quad3-2 | 172.30.1.101 | 172.30.1.102 | 172.30.1.100 |
| Quad4-1 | Quad4-3 | 172.30.1.105 | 172.30.1.106 | 172.30.1.104 |
| Quad4-2 | Quad4-4 | 172.30.1.109 | 172.30.1.110 | 172.30.1.108 |
| Quad4-3 | Quad4-5 | 172.30.1.113 | 172.30.1.114 | 172.30.1.112 |
| Quad4-4 | Quad4-6 | 172.30.1.117 | 172.30.1.118 | 172.30.1.116 |
| Quad4-5 | Quad4-1 | 172.30.1.121 | 172.30.1.122 | 172.30.1.120 |
| Quad4-6 | Quad4-2 | 172.30.1.125 | 172.30.1.126 | 172.30.1.124 |
VOIP Infrastructure
| Device A | Device B | Device A Address | Device B Address | Network Address |
|---|---|---|---|---|
| CUCM-1 | DistSwitch1 | 172.30.1.129 | 172.30.1.130 | 172.30.1.128 |
| CUCM-2 | DistSwitch1 | 172.30.1.133 | 172.30.1.134 | 172.30.1.132 |
| UNITY-1 | DistSwitch1 | 172.30.1.137 | 172.30.1.138 | 172.30.1.136 |
| UNITY-2 | DistSwitch1 | 172.30.1.141 | 172.30.1.142 | 172.30.1.140 |
| CUCM-1 | DistSwitch2 | 172.30.1.145 | 172.30.1.146 | 172.30.1.144 |
| CUCM-2 | DistSwitch2 | 172.30.1.149 | 172.30.1.150 | 172.30.1.148 |
| UNITY-1 | DistSwitch2 | 172.30.1.153 | 172.30.1.154 | 172.30.1.152 |
| UNITY-2 | DistSwitch2 | 172.30.1.157 | 172.30.1.158 | 172.30.1.156 |
Wireless Infrastructure
| Device A | Device B | Device A Address | Device B Address | Network Address |
|---|---|---|---|---|
| DistSwitch1 | WWTCwlan01 | 172.30.1.161 | 172.30.1.162 | 172.30.1.160 |
| DistSwitch2 | WWTCwlan02 | 172.30.1.165 | 172.30.1.166 | 172.30.1.164 |
| DistSwitch1 | WWTCwlan.access01 | 172.30.1.169 | 172.30.1.170 | 172.30.1.168 |
| DistSwitch2 | WWTCwlan.access02 | 172.30.1.173 | 172.30.1.174 | 172.30.1.172 |
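The subnet-sizing rule from the hierarchical IP scheme table and the consecutive /30 numbering behind the link tables above, as an added Python example that is not part of the original design document. It regenerates the document's link plan from the device names (copied from the tables) and adds the check a change-control step should run: no /30 assigned twice and none carved out of a department, voice or wireless subnet; host bits are taken as 32 minus the prefix length.

```python
"""/30 link allocation and subnet sizing for the WWTC address plan.

Added example, not from the original design document. It applies the rules
the document states: department subnets hold current hosts plus projected
growth rounded up to a power of two; point-to-point links are consecutive
/30s from 172.30.0.0 with device A at the first usable address and device B
at the second. Device names and subnets are copied from the tables above.
"""
import ipaddress
import math
from typing import Dict, List, Tuple

Pair = Tuple[str, str]
Link = Dict[str, str]

QUADS = {1: 5, 2: 5, 3: 6, 4: 6}  # access switches per quadrant
CORE_PAIRS: List[Pair] = [
    ("FireWall1", "CoreSwitch1"), ("FireWall1", "CoreSwitch2"),
    ("FireWall2", "CoreSwitch1"), ("FireWall2", "CoreSwitch2"),
    ("CoreSwitch1", "DistSwitch1"), ("CoreSwitch1", "DistSwitch2"),
    ("CoreSwitch2", "DistSwitch1"), ("CoreSwitch2", "DistSwitch2"),
]
VOIP_PAIRS: List[Pair] = [
    (server, dist) for dist in ("DistSwitch1", "DistSwitch2")
    for server in ("CUCM-1", "CUCM-2", "UNITY-1", "UNITY-2")
]
WIRELESS_PAIRS: List[Pair] = [
    ("DistSwitch1", "WWTCwlan01"), ("DistSwitch2", "WWTCwlan02"),
    ("DistSwitch1", "WWTCwlan.access01"), ("DistSwitch2", "WWTCwlan.access02"),
]
# Department, voice and wireless subnets from the addressing tables.
USER_SUBNETS = ["172.16.0.0/25", "172.16.1.0/25", "172.16.2.0/25",
                "172.16.3.0/25", "172.16.4.0/25", "172.16.5.0/25",
                "172.16.6.0/26", "172.20.0.0/24", "172.16.10.0/24"]


def size_subnet(required: int, growth: int) -> Tuple[int, int, int]:
    """(block_size, host_bits, prefix_len); the +2 covers the network and
    broadcast addresses, and host_bits is 32 minus the prefix length."""
    host_bits = max(2, math.ceil(math.log2(required + growth + 2)))
    return 2 ** host_bits, host_bits, 32 - host_bits


def access_switches(quad: int) -> List[str]:
    return [f"Quad{quad}-{n}" for n in range(1, QUADS[quad] + 1)]


def distribution_pairs() -> List[Pair]:
    """Both distribution switches uplink every access switch (dual homing)."""
    return [(dist, sw) for dist in ("DistSwitch1", "DistSwitch2")
            for quad in QUADS for sw in access_switches(quad)]


def access_pairs() -> List[Pair]:
    """Per-quadrant ring links (n, n+1), then the skip-one links (n, n+2)."""
    pairs: List[Pair] = []
    for step in (1, 2):
        for quad in QUADS:
            names = access_switches(quad)
            pairs += [(names[i], names[(i + step) % len(names)])
                      for i in range(len(names))]
    return pairs


def allocate_links(pairs: List[Pair], base: str = "172.30.0.0") -> List[Link]:
    """Number the pairs with consecutive /30 networks starting at base."""
    start = int(ipaddress.IPv4Address(base))
    plan: List[Link] = []
    for index, (dev_a, dev_b) in enumerate(pairs):
        net = ipaddress.IPv4Network((start + 4 * index, 30))
        first, second = net.hosts()  # a /30 has exactly two usable hosts
        plan.append({"a": dev_a, "b": dev_b, "a_addr": str(first),
                     "b_addr": str(second), "network": str(net.network_address)})
    return plan


def wwtc_link_plan() -> List[Link]:
    """The whole link table in the document's order."""
    return allocate_links(CORE_PAIRS + distribution_pairs() + access_pairs()
                          + VOIP_PAIRS + WIRELESS_PAIRS)


def audit_plan(plan: List[Link], user_subnets: List[str]) -> List[str]:
    """Flag /30s assigned twice or carved out of a user, voice or WLAN subnet;
    either mistake silently shadows host addresses once pushed to the switches."""
    issues: List[str] = []
    seen: Dict[str, Link] = {}
    users = [ipaddress.IPv4Network(s) for s in user_subnets]
    for link in plan:
        net = ipaddress.IPv4Network(f"{link['network']}/30")
        label = f"{link['a']}-{link['b']}"
        if link["network"] in seen:
            prev = seen[link["network"]]
            issues.append(f"{net} used twice: {prev['a']}-{prev['b']} and {label}")
        seen.setdefault(link["network"], link)
        issues += [f"{net} ({label}) overlaps subnet {u}" for u in users if net.overlaps(u)]
    return issues


if __name__ == "__main__":
    for row in wwtc_link_plan():
        print(f"{row['a']:<13}{row['b']:<20}{row['a_addr']:<15}{row['b_addr']:<15}{row['network']}/30")
    print("audit:", audit_plan(wwtc_link_plan(), USER_SUBNETS) or "no issues")
```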
High Level Diagrams
Proposed Enterprise Network LAN Design
Wireless Diagram
Voice Design
Due to the rapid growth of World-Wide Trading Company, a new office block in New York has been acquired. In order to allow the stock brokers to achieve their business goals by offering reliable, clear and seamless communications, a new Voice over IP telephone network will be implemented. Every aspect of the business has been reviewed, and the VoIP network will be a valuable asset that exceeds the expectations of WWTC.
World-Wide Trading Company has several specific design requirements that relate to the Voice over IP network. First, the system should be fully integrated with the data network, and the entire network should be in a centralized location. The network also needs to be modular and scalable, as massive growth is expected. Another consideration is the reduction of incoming telephone lines from the phone company in order to reduce costs. Lastly, the design must provide for video conferencing and multicasting services.
In order to meet and exceed the requirements of WWTC, the following items are recommended for purchase. The servers we are recommending are HP ProLiant DL320 G8 systems, which are fully compatible with the Cisco Unified Communications Manager (CUCM) and the Cisco Unity Connection voicemail system software. Redundancy has been accounted for with dual power supplies and quad 10GbE Ethernet ports. Two servers would be allocated to hosting CUCM, and two servers would host the Cisco Unity voicemail system. By having redundant servers in place for each system, the voice network is capable of surviving a catastrophic failure. The Cisco voicemail system is also able to provide redundancy by running in an active-active configuration (Cisco Unity, 2011). The servers will fit seamlessly into the new network architecture and be fully integrated into the data network (HP, 2015).
The telephone sets are the newer supported models: the 7942G is recommended for the bulk of the employees, with three 7962G sets with expansion modules for the reception areas. These expansion modules give the receptionists the ability to add 24 extra lines, hotlines or speed-dials, which can speed service when transferring calls (Cisco 7915, n.d.). The phones use high-fidelity wideband audio, which provides more frequency range than traditional analog phones. This results in users being less fatigued and better able to understand customers on the phone (Cisco 7942G, n.d.). Another great feature of these sets is the XML services that are compatible with these phones. They can greatly enhance the user experience by allowing world clocks, stock watch lists, weather and currency conversion right on the phone (XML Services, 2016). The phones also come with the full range of features expected from a traditional phone, such as speed dials, call forwarding and 3-way conferencing, as well as a built-in switch port to provide connectivity to a co-located PC, reducing the cost of installing extra cabling. Power can be provided directly from the switches using Power over Ethernet, or with an additional power supply (Cisco Portfolio, n.d.). These phones also support headset communications as well as speaker-phone (Cisco 7962G, n.d.). To go along with state-of-the-art communications capabilities, we are also recommending the Linksys Edge video conferencing equipment for the conference rooms, to provide high-definition video conferencing (Video Conferencing, n.d.). This will be an important feature to bridge the gap, as the headquarters is located overseas, and to bring people and ideas together as if they were in the same office.
The voice network is scalable to well over 100% of its current capacity, and additional phones and licenses can be purchased as the company expands. Another great feature of this state-of-the-art voice network is that it eliminates the need for multiple separate phone lines run into the building from the phone company; instead the system relies on the internet connections from the ISP, which reduces overall operating costs. This design recommends having two separate ISP accounts from different providers, with one of the ISP accounts used for redundancy. In case of a WAN outage from one ISP, the network will fail over to the other ISP account. If both ISP accounts were to fail, the voice network will then fail over to the Public Switched Telephone Network (PSTN) through the voice-enabled router. This redundant design ensures that if one route of communication is not available, traffic is automatically diverted to the other.
In order for the Network Administrators for the New York
office to effectively manage the Voice Network, the following
device names should be used for the server equipment:
| Device Type | Device | Device Name | Placement |
|---|---|---|---|
| HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | Server | CUCM-1 | Data Center |
| HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | Server | CUCM-2 | Data Center |
| HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | Server | UNITY-1 | Data Center |
| HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | Server | UNITY-2 | Data Center |
The table below gives an estimated bandwidth requirement for the VoIP network using the recommended manufacturer settings. The figures are based on the G.711 codec, which both the Cisco 7942G and 7962G support, with a sample taken every 30 ms. Maximum bandwidth needed is calculated on 70% of the 105 users being on the phone at the same time.
| IP Phone | CODEC | Rate | Sample Time | Payload | Packets Per Second | Bandwidth | Frame Relay | cRTP |
|---|---|---|---|---|---|---|---|---|
| 7942G, 7962G | G.711 | 64 Kbps | 30 ms | 240 bytes | 33.3 | 79.4 Kbps | 76.2 Kbps | 66.6 Kbps |
| Multiplied by 105 x 70% | G.711 | | | | | 5,835.9 Kbps | 5,600 Kbps | 4,895 Kbps |
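The per-call and aggregate figures in the table above, reproduced by an added Python example that is not part of the original design document; it also generalizes to other codecs and adds a headroom check against the design's WAN link speed. The per-packet overheads (40 bytes IP/UDP/RTP, 18 bytes Ethernet, 6 bytes Frame Relay, a 4-byte cRTP header) and the one-third priority-queue share are assumptions of this example, not figures from the document; the document shows the last two aggregates as whole numbers.

```python
"""Per-call and aggregate G.711 bandwidth for the WWTC voice VLAN.

Added example, not from the original design document. It reproduces the
bandwidth table (64 kbps G.711, 30 ms samples, 240-byte payload, 33.3
packets per second, 105 phones at 70% concurrent use) and works for any
codec. Assumed per-packet overheads, not stated in the document: 40 bytes
IP/UDP/RTP, 18 bytes Ethernet framing, 6 bytes Frame Relay framing, and a
4-byte cRTP header replacing the 40-byte IP/UDP/RTP header.
"""
from dataclasses import dataclass
from typing import Dict

IP_UDP_RTP_BYTES = 40    # 20 IP + 8 UDP + 12 RTP
CRTP_HEADER_BYTES = 4    # compressed RTP header (assumption; 2 to 4 bytes in practice)
ETHERNET_L2_BYTES = 18   # 14-byte header + 4-byte FCS
FRAME_RELAY_L2_BYTES = 6


@dataclass(frozen=True)
class Codec:
    name: str
    rate_kbps: int   # codec bit rate
    sample_ms: int   # audio carried in each packet

    @property
    def payload_bytes(self) -> int:
        # kbps * ms = bits; 64 * 30 = 1920 bits = 240 bytes for G.711 at 30 ms
        return self.rate_kbps * self.sample_ms // 8

    @property
    def packets_per_second(self) -> float:
        # the document's table works with 33.3 pps, so keep one decimal place
        return round(1000 / self.sample_ms, 1)


def per_call_kbps(codec: Codec, l2_bytes: int, crtp: bool = False) -> float:
    """Bandwidth of one call on a link adding l2_bytes of framing per packet."""
    header = CRTP_HEADER_BYTES if crtp else IP_UDP_RTP_BYTES
    bits_per_packet = (codec.payload_bytes + header + l2_bytes) * 8
    return round(bits_per_packet * codec.packets_per_second / 1000, 1)


def bandwidth_table(codec: Codec, phones: int, concurrency: float) -> Dict[str, Dict[str, float]]:
    """Per-call figures for Ethernet, Frame Relay and cRTP over Frame Relay,
    plus the aggregate for phones * concurrency simultaneous calls."""
    calls = phones * concurrency
    per_call = {
        "ethernet": per_call_kbps(codec, ETHERNET_L2_BYTES),
        "frame_relay": per_call_kbps(codec, FRAME_RELAY_L2_BYTES),
        "crtp": per_call_kbps(codec, FRAME_RELAY_L2_BYTES, crtp=True),
    }
    aggregate = {name: round(kbps * calls, 1) for name, kbps in per_call.items()}
    return {"per_call": per_call, "aggregate": aggregate}


def fits_priority_queue(voice_kbps: float, link_kbps: float, max_share: float = 0.33) -> bool:
    """True when the voice aggregate stays within max_share of the link.

    Capping the strict-priority voice queue at roughly a third of a link is a
    common QoS guideline (an assumption here, not a figure from the document);
    it leaves room for signalling and data so a voice burst cannot starve them.
    """
    return voice_kbps <= link_kbps * max_share


if __name__ == "__main__":
    g711 = Codec("G.711", rate_kbps=64, sample_ms=30)
    table = bandwidth_table(g711, phones=105, concurrency=0.7)
    for row, values in table.items():
        print(row, {k: f"{v:,.1f} kbps" for k, v in values.items()})
    # the design's 100 Mbps WAN links against the Ethernet aggregate
    print("fits 100 Mbps WAN:", fits_priority_queue(table["aggregate"]["ethernet"], 100_000))
```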
The total number of current employees assigned to the new
WWTC building is right around 105, taking into account the
currently vacant offices which have been assigned IP phones.
In order to provide for future expansion at the New York site, a
Class C IP addressing scheme has been chosen to provide up to
254 usable IP addresses. The Voice Network has been assigned
to VLAN 10 to keep voice traffic separated, and to allow for
easy prioritization of voice traffic to ensure no delays or
degraded telephone conversations.
| Devices | Needs | IP Addressing | VLAN |
|---|---|---|---|
| Cisco IP Phones | Minimum 105 addresses needed. Class C will provide 254 addresses for future VoIP expansion. | 172.20.0.0/24 | 10 |
In closing, this voice network design provides the necessary redundancy by covering both equipment failure and ISP outages, and provides for spare phones on site in case of faults with the phones themselves. The network is scalable and can handle over 100% growth with easily obtained IP phones. The IP addressing scheme can also handle the number of IP addresses that will be needed in the future. The IP phones are feature rich and will give the employees a positive user experience as well as making them more productive. Video conferencing will bridge the distance gap and result in easier, more productive conversations. The need for multiple phone lines for each phone number coming into the building will be eliminated with the new system. To sum it all up, this plan will save the business money while providing the communication tools the employees need to accomplish their work goals.
Wireless Design
The following chart provides a detailed equipment listing and
office locations that will be servicing the World Wide Trade
Company’s wireless network.
Wireless Network Placement Table
| Office Location | Access Point Requirements (Total AP) | Wireless LAN Controller Requirements (Total WLC) |
|---|---|---|
| Server Room | 2 | 2 |
| Lobby | 6 | 6 |
| Conference Room #1 | 4 | 4 |
| Conference Room #2 | 4 | 4 |
| Total | 14 | 2 |
Cisco Equipment List
| Device | Cisco Model# | Quantity | Comments |
|---|---|---|---|
| Access Point (AP) | Cisco Aironet 2700i Access Point, AIR-CAP2702I-xK910 (10-pack) | 14 | Supports 802.11ac/n, speeds up to 1.3 Gbps, guest access, BYOD, wIPS, IPv6, and 802.1X |
| Wireless LAN Controller (WLC) | Cisco 5520 Wireless Controller, AIR-CT5520-K9 | 2 | Supports 802.11ac/n, Bonjour services, guest access, BYOD, wIPS, IPv6, and 802.1X |
| Access Layer Switch | Cisco Catalyst 3850 Series Switch (24 Ports), WS-C3850-24P-S | 2 | Supports PoE, Gigabit speed, expansion of WLAN, and integration with wireless infrastructure |
This chart details each infrastructure device, providing its unique name and location within World Wide Trade Company's new location.
Wireless Infrastructure Device Name and Placement
| Device | Device Name | Placement | Connection |
|---|---|---|---|
| Cisco Aironet 2700i Access Point | WWTCnyc001 through WWTCnyc006 | Lobby | Access Layer Switch; vLAN 11 (Bonjour Services) |
| Cisco Aironet 2700i Access Point | WWTCnyc007 through WWTCnyc010 | Conference Room #1 | Access Layer Switch; vLAN 11 (Bonjour Services) |
| Cisco Aironet 2700i Access Point | WWTCnyc011 through WWTCnyc014 | Conference Room #2 | Access Layer Switch; vLAN 11 (Bonjour Services) |
| Cisco 5520 Wireless Controller | WWTCwlan01, WWTCwlan02 | Server Room | Access Layer Switch; vLAN 11 (Bonjour Services); Distribution Layer Switch |
| Cisco Catalyst 3850 Series Switch (Access Layer) | WWTCwlan.access01, WWTCwlan.access02 | Server Room | Access Points; Wireless LAN Controller |
The wireless LAN will have its own subnet, providing enough
IP addresses (200) for end users in the lobby and both
conference rooms. In addition, fifty-four IP addresses will be
reserved for wireless infrastructure devices to allow for
potential expansion of the network.
Devices | Needs | IP Addressing | VLAN
Multiple Wireless Devices | A separate subnet will be provided for the WLAN with 200 IP addresses available for clients and 52 reserved for additional infrastructure devices (i.e. access points); a vLAN will be needed for Bonjour Services (Apple devices) | 172.16.10.0/24; 200 IP addresses available for clients; 54 IP addresses reserved | 11
References
Cisco ASA 5508-X with FirePOWER Services. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/support/security/asa-5508-x-firepower-services/model.html
Cisco Catalyst 6500 Series Switches - Products & Services. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/products/switches/catalyst-6500-series-switches/index.html
Cisco Catalyst 6509-E Switch. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/products/switches/catalyst-6509-e-switch/index.html
Compare Models. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/products/switches/catalyst-6500-series-switches/models-comparison.html
Cisco Catalyst 6500 Series Switches - Interfaces and Modules. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/products/switches/catalyst-6500-series-switches/relevant-interfaces-and-modules.html
Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-6500-series-firewall-services-module/product_data_sheet0900aecd803e69c3.html
Cisco Aironet 2600 Series - Products & Services. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/products/wireless/aironet-2600-series/index.html
UMUC. (n.d.). Case Study World Wide Trading Company. Retrieved February 1, 2016, from https://learn.umuc.edu/d2l/le/dropbox/173660/290354/DownloadAttachment?fid=4908850
UMUC. (n.d.). LAN Assignments Instructions 2015. Retrieved February 1, 2016, from https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NDkwODg1Ng/LAN Assignments Instructions 2015.docx?ou=173660
UMUC. (n.d.). LAN, VOIP, and Wireless Assignment. Retrieved February 1, 2016, from https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NDkwODg1NQ/LAN, VoIP, and Wireless Assignment.docx?ou=173660
UMUC. (n.d.). WWTC Office Layout. Retrieved February 1, 2016, from https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NDkwODg1NA/WWTC Office Layout.png?ou=173660
[Figure: High Level VoIP Network Design. Components shown: Cisco 6500 Series core, CUCM cluster, Unity voicemail, ISP 1, ISP 2, PSTN, teleconferencing]
[Figure: High Level Wireless Network Design. Components shown: wireless LAN controllers WWTCwlan01 and WWTCwlan02 (server room), access layer switches WWTCwlan.access01 and WWTCwlan.access02, Layer 3 switch, backend server, access points WWTCnyc001-006 (Lobby), WWTCnyc007-010 (Conference Room #1), WWTCnyc011-014 (Conference Room #2)]
Device | Cisco Model# | Quantity | Comments
Cisco Unified Communications Manager | UCM-7825-71 | 2 | Software
Cisco Unified IP Phone | 7942G | 112 | VoIP Telephone Sets/10 Spare
Cisco Unified IP Phone | 7962G | 4 | VoIP Telephone Sets/1 Spare (Reception)
Cisco Unified IP Phone Expansion Module | 7915 | 3 | Expansion Module for 7962G (Reception)
Cisco Unity Connection | UNITYV4-300USR | 1 | Voicemail Software
Linksys Edge 75 Video Conference | CTS-EDGE75-K9 | 2 | IP Video Conferencing Hardware
HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | 768638-001 | 4 | Server Equipment
Design Requirements 2
2 Assignment – Design Requirements
Introduction
The assignment for week two was to generate design
requirements that show an understanding of the customer's
needs and the direction the project should take. According
to the Design Requirements document (UMUC, n.d.), "the
requirements include but are not limited to:
· Design Requirements of LAN, VOIP and Wireless
· Design Requirements of Security
· Design Requirements of Active Directory"
The requirements were generated from the information provided
in the Case Study World Wide Trading Company document
(UMUC, n.d.).
Local Area Network Requirements
LAN Business Goals | LAN Design Requirements
Provide A Modular, Scalable Network | Implement the modular design recommended by the vendor, which can scale up or down depending on company needs. Implement network switching devices with at least 20% capacity reserved for future use.
Provide Availability And Redundancy | Implement network redundancy such as Spanning Tree Protocol and procure warm and cold spares for mission critical devices.
Optimize IP Addressing And Routing Schema | Implement a logical IP addressing scheme that provides security and efficiency, including route summarization.
Security And Defense In Depth Of Network | Implement security controls for all layers of the OSI model (port security, encryption, VPN tunnels, firewalls, etc.).
Provide Faster Network Services | Implement Gigabit connections to access layer devices and 10 Gigabit connections between core and distribution layers. Implement 10 Gigabit connections to all high utilization servers (file servers, Exchange, AD).
Power | Implement Power over Ethernet (PoE) to support device power needs.
Voice over Internet Protocol (VOIP) Requirements
VOIP Business Goals | VOIP Design Requirements
Integrate Voice And Data Networks | VoIP phones should share existing LAN cabling, using a pass-through connection to provide the data connection to the corresponding workstation. This reduces the need for a separate site-based PBX.
Power | Switches should provide Power over Ethernet to reduce the need for power adapters on phones and other PoE-capable devices.
Scalability | Leaving at least 20% spare ports on the switches will ensure that more VoIP instruments can be added at a later date.
100% Outside Dialing Capability With Minimum Number Of Outside Lines | By using SIP (Session Initiation Protocol), the number of physical phone lines coming into the building can be minimized.
Provide Wireless VOIP Capability Where Wired Services Are Not Present | Recommend using wireless VoIP.
Availability Of Services | Use two separate ISP providers with a failover system, plus call continuity, which forwards calls to specific mobile devices in case of an outage. Spare VoIP instruments should be on site in case of device faults.
Security | Purchase separate VoIP security software. Encrypt traffic.
Manageability | Managing the voice network may require some training for the IT department/users depending on experience.
Bandwidth | Estimate VoIP bandwidth usage based on previous call history and the number of users. Factor this figure into the overall network bandwidth requirements.
Wireless Local Area Network (LAN) Requirements
Wireless LAN Business Goals | Wireless LAN Design Requirements
Fast wireless service | Implement a wireless LAN controller and access points to meet minimum network speed requirements.
Secure Wireless Service (Defense-In-Depth) | Implement wireless networking hardware that supports IPSec encryption, secure mounting, wireless Intrusion Prevention System (wIPS), and CA certificate services.
Available Coverage In Three Rooms (Lobby And 2x Conference Room) | Two redundant wireless LAN controllers can be implemented to support between 12 and 300 access points.
Provide guest access (Lobby) | Guest access to the wireless network can be handled by the receptionist. In keeping with defense-in-depth, guests will have to register with the receptionist for a guest access login.
IP Scheme redesign | The wireless LAN section of the network can have its own subnet applied using route summarization.
Support for Bonjour services (AFP protocol) | The wireless LAN controller has the Bonjour gateway solution, which includes support for the Apple Filing Protocol (AFP).
Support for IPv6 | Although IPv6 is not an immediate requirement, both the wireless LAN controller and access points support IPv6 functionality.
Security Requirements
Security Business Goals | Security Design Requirements
Secure means of customer purchase and payment over the Internet | A secured web server using one of the approved session encryption protocols (e.g. SSL/TLS), placed inside a DMZ to protect the private network.
Secure Wireless Services To Lobby And Large Conference Room | WLAN access points should provide maximum coverage of the areas (overhead), on a single SSID with varying channels and possibly two-factor authentication.
Separation Of Internet Connectivity From Other Unclassified Networks | Recommended use of a combination of hard line and wireless, in addition to VLANs, to separate public and private access.
Increased Logical Control System Authentication | A combination of username, password, and server-side session initiation (i.e. Kerberos) could provide extra security.
Dissolve Clear Text Transfer Of Business Information Between Server And Client | Recommend a building-wide encryption standard between server and client, through any manner of protocol (SSL/TLS) or service (RADIUS).
Control Put In Place To Prevent Local Users From Removing Data From Systems | Utilizing Active Directory and managing USB access can control access by local users from a centralized location.
Secure Email To Control For Business Sensitive Data | Proxy servers attached to internal and external communications can challenge for criteria and curtail the exchange of data.
Secure Confidential Data Transmitted Through End User Laptops | Suggest aggressive registration of end user devices to be used for business purposes, in conjunction with Access Control Lists on switches and routers.
Central Storage Of Classified Data, Away From Unclassified Network | Recommend storage pools which can be designated to one or more servers and placed behind any number of firewalls and Access Control List controls.
Active Directory and Server Requirements
Active Directory Technical Goals | Active Directory Design Requirements
Utilize Active Directory To Manage User Rights, Access And Security Requirements | Implement Organizational Units (OU) that mirror the company and allow for the managing of users and devices. Develop Group Policy Objects (GPO) to manage OUs. Implement Global, Universal and Local groups to manage users. Implement the architecture to support AD (AD DS, DNS, AD Federation Services, Certificate Authority, Read Only DC).
Encryption Of Data At Rest And In Motion | Implement BitLocker, BranchCache, and other features that provide data encryption throughout the corporate network.
High Availability Services | Implement failover and clustering through physical and virtual machines across multiple locations to provide disaster recovery.
File Classification Tools To Protect Data | Implement Microsoft File Server Resource Manager.
Tools To Manage Devices On Network | Implement Microsoft IP Address Management.
Multifactor Authentication | Implement smart cards and PINs as authentication factors.
Remotely Deployed Operating Systems | Implement Windows Deployment Services.
References
UMUC. (n.d.). Case Study World Wide Trading Company. Retrieved January 25, 2016, from https://learn.umuc.edu/d2l/le/dropbox/173660/290354/DownloadAttachment?fid=4908850
UMUC. (n.d.). Design Requirements. Retrieved January 25, 2016, from https://learn.umuc.edu/d2l/le/dropbox/173660/290354/DownloadAttachment?fid=4908852
Appendix Contents
Appendix A) LAN
1. LAN Naming Conventions and Devices
2. Hierarchical IP Scheme and VLAN
3. Link IP Addressing
4. High Level Network Diagram
5. High Level VOIP Diagram
6. High Level Wireless Diagram
7. VOIP Devices
8. VOIP Device Naming Conventions
9. VOIP Bandwidth
10. Wireless Network Placement Table
11. Wireless Equipment List
12. Wireless Infrastructure Device name and Placement
13. Wireless Device Addressing
Appendix B) Security
1. General Security Architecture
2. High Availability Security
3. High Level Security Diagram
Appendix C) Active Directory Design
1. Active Directory Forest
2. Active Forest Directory
3. Replication
4. Group Permissions
5. Group Lists
6. Default Domain Policy GPO
7. WWTC Company Policy GPO
Appendix D) Implementation
1. Employee Contact Information
2. LAN Implementation Task List
3. AD Implementation Task List
4. Security Implementation Task List
5. Router Configuration
6. Tools Required
7. Switch Configuration Template
8. Trunking Template
9. Port Security Template
10. VLAN Configuration Template
11. Security Technology Configuration Task List
12. DHCP Configuration Template
13. DNS Configuration Template
14. DNS Configuration Steps
15. Active Directory Configuration Steps
16. Active Directory GPO Implementation Steps
Appendix E) Miscellaneous
1. Project Timeline
Appendix A: LAN
1. LAN Naming Conventions and Devices
Device Type | Device | Device Configured Name | Placement | Connection | Comments
Redundant Core Switches | Cisco 6509-E switch | CoreSwitch1, CoreSwitch2 | Data Center | 10G to Distribution | Fault tolerant support for up to 534 devices, IP services
Distribution layer switches | Cisco 4503-E switch | DistSwitch1, DistSwitch2 | Data Center | 10G to Core; 1G to Access | Fault tolerant full mesh distribution layer, IP services
Access layer switches | WS-C3850-48U-E | Quad1-1, Quad1-2, Quad1-3, Quad1-4, Quad1-5, Quad2-1, Quad2-2, Quad2-3, Quad2-4, Quad2-5, Quad3-1, Quad3-2, Quad3-3, Quad3-4, Quad3-5, Quad3-6, Quad4-1, Quad4-2, Quad4-3, Quad4-4, Quad4-5, Quad4-6 | Data Center | 1G to Distribution; 1G to desktop | UPoE support, 48 Gig ports per switch, IP services, stackable for fault tolerant performance, integrated wireless controller
Firewall with IPS | ASA 5508-X | Firewall1, Firewall2 | Data Center | 1G to LAN; 100Mbps to WAN | Redundant support for dual WAN link design; ingress/egress IPS security
Redundant power supply for access switch | PWR-C1-1100WAC | - | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Second power supply for each WS-C3850-48U-E
Wireless AP | Cisco Aironet 2600 | - | Ceiling mount, caddy-corner halfway to center | 1G to Access; 802.11b/g/n to clients | 450Mbps data rate support, 802.11a/b/g/n, LAN integration, VLAN, 128 client session support
Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | - | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Provides 10G redundant support at the core
Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | - | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Provides redundant power supply support
Cisco 4500 switch supervisor | Cisco WS-X45-Sup 7L-E | - | Installed in DistSwitch1 and DistSwitch2 | N/A | Provides 10G redundant distribution support
Cisco 4500 series line card | Cisco Catalyst 4500E UPOE Line Card | - | Installed in DistSwitch1 and DistSwitch2 | N/A | Provides 1G redundant access support
2. Hierarchical IP Scheme and VLAN
Location/Dept | # of IP Addresses Required | Future Growth | Rounded Power of 2 | Number of Host Bits | Subnet Address Assigned
OPR | 21 | 21 | 64 | 10 | 172.16.6.1-62/26
NW USA | 32 | 32 | 128 | 9 | 172.16.1.1-126/25
SW USA | 32 | 32 | 128 | 9 | 172.16.2.1-126/25
NE USA | 32 | 32 | 128 | 9 | 172.16.3.1-126/25
SE USA | 32 | 32 | 128 | 9 | 172.16.4.1-126/25
M USA | 32 | 32 | 128 | 9 | 172.16.5.1-126/25
Network IT | 50 | 50 | 128 | 9 | 172.16.0.1-126/25
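The sizing rule behind this table (addresses required plus future growth, plus the network and broadcast addresses, rounded up to a power of two) is easy to get wrong by hand, so here is an added Python example that is not part of the original document. It rebuilds the table from the required/growth counts and the network addresses assigned above, derives the prefix length and usable host range with the standard library's ipaddress module, and refuses a plan in which two blocks overlap. Host bits are derived from the block size, which gives 6 for a /26 and 7 for a /25. The department list is copied from the table; the "spare" figure and the overlap check are this example's additions.

```python
import ipaddress
import math

# Constructed from the "Hierarchical IP Scheme" table above:
# (department, addresses required, future growth, network address the
# table assigns). Prefix lengths are derived below, not copied.
DEPARTMENTS = [
    ("Network IT", 50, 50, "172.16.0.0"),
    ("NW USA", 32, 32, "172.16.1.0"),
    ("SW USA", 32, 32, "172.16.2.0"),
    ("NE USA", 32, 32, "172.16.3.0"),
    ("SE USA", 32, 32, "172.16.4.0"),
    ("M USA", 32, 32, "172.16.5.0"),
    ("OPR", 21, 21, "172.16.6.0"),
]


def subnet_size(required, growth):
    """Smallest power-of-two block that holds required + growth hosts
    plus the network and broadcast addresses (never smaller than a /30)."""
    needed = required + growth + 2
    return 1 << max(2, math.ceil(math.log2(needed)))


def host_bits(block_size):
    """A block of 2**n addresses leaves n host bits."""
    return block_size.bit_length() - 1


def prefix_length(block_size):
    return 32 - host_bits(block_size)


def plan_row(name, required, growth, network_addr):
    size = subnet_size(required, growth)
    net = ipaddress.ip_network(f"{network_addr}/{prefix_length(size)}")
    hosts = list(net.hosts())
    return {
        "dept": name,
        "block": size,
        "host_bits": host_bits(size),
        "cidr": str(net),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable": len(hosts),
        "spare": len(hosts) - (required + growth),
    }


def build_plan(departments=DEPARTMENTS):
    """Return one row per department, after checking no two blocks overlap."""
    rows = [plan_row(*dept) for dept in departments]
    nets = [ipaddress.ip_network(row["cidr"]) for row in rows]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return rows


if __name__ == "__main__":
    for row in build_plan():
        print(f'{row["dept"]:<11} {row["cidr"]:<18} '
              f'{row["first_host"]}-{row["last_host"]} '
              f'({row["usable"]} usable, {row["spare"]} spare, '
              f'{row["host_bits"]} host bits)')
```

Running the block prints the plan; build_plan() raises as soon as an edited table reuses an address block, which is the failure mode a hand-maintained scheme is most prone to.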
VLAN Name | Location/Dept | VLAN Assignment
Default VLAN | Unused | VLAN 1
Management VLAN | President, Executive Assistant, VP NW, VP SW, VP NE, VP SE, CEO IT, CEO FIN, CEO HR | VLAN 3
Staff VLAN | Staff/Reception | VLAN 5
Broker VLAN | Broker | VLAN 7
Black Hole VLAN | Vacant/Future Growth | VLAN 9
Voice VLAN (VOIP) | All Departments | VLAN 10
3. Link IP Addressing
Core Routing
Device A | Device B | Device A Address | Device B Address | Network Address
FireWall1 | CoreSwitch1 | 172.30.0.1 | 172.30.0.2 | 172.30.0.0
FireWall1 | CoreSwitch2 | 172.30.0.5 | 172.30.0.6 | 172.30.0.4
FireWall2 | CoreSwitch1 | 172.30.0.9 | 172.30.0.10 | 172.30.0.8
FireWall2 | CoreSwitch2 | 172.30.0.13 | 172.30.0.14 | 172.30.0.12
CoreSwitch1 | DistSwitch1 | 172.30.0.17 | 172.30.0.18 | 172.30.0.16
CoreSwitch1 | DistSwitch2 | 172.30.0.21 | 172.30.0.22 | 172.30.0.20
CoreSwitch2 | DistSwitch1 | 172.30.0.25 | 172.30.0.26 | 172.30.0.24
CoreSwitch2 | DistSwitch2 | 172.30.0.29 | 172.30.0.30 | 172.30.0.28
Distribution Layer
Device A | Device B | Device A Address | Device B Address | Network Address
DistSwitch1 | Quad1-1 | 172.30.0.33 | 172.30.0.34 | 172.30.0.32
DistSwitch1 | Quad1-2 | 172.30.0.37 | 172.30.0.38 | 172.30.0.36
DistSwitch1 | Quad1-3 | 172.30.0.41 | 172.30.0.42 | 172.30.0.40
DistSwitch1 | Quad1-4 | 172.30.0.45 | 172.30.0.46 | 172.30.0.44
DistSwitch1 | Quad1-5 | 172.30.0.49 | 172.30.0.50 | 172.30.0.48
DistSwitch1 | Quad2-1 | 172.30.0.53 | 172.30.0.54 | 172.30.0.52
DistSwitch1 | Quad2-2 | 172.30.0.57 | 172.30.0.58 | 172.30.0.56
DistSwitch1 | Quad2-3 | 172.30.0.61 | 172.30.0.62 | 172.30.0.60
DistSwitch1 | Quad2-4 | 172.30.0.65 | 172.30.0.66 | 172.30.0.64
DistSwitch1 | Quad2-5 | 172.30.0.69 | 172.30.0.70 | 172.30.0.68
DistSwitch1 | Quad3-1 | 172.30.0.73 | 172.30.0.74 | 172.30.0.72
DistSwitch1 | Quad3-2 | 172.30.0.77 | 172.30.0.78 | 172.30.0.76
DistSwitch1 | Quad3-3 | 172.30.0.81 | 172.30.0.82 | 172.30.0.80
DistSwitch1 | Quad3-4 | 172.30.0.85 | 172.30.0.86 | 172.30.0.84
DistSwitch1 | Quad3-5 | 172.30.0.89 | 172.30.0.90 | 172.30.0.88
DistSwitch1 | Quad3-6 | 172.30.0.93 | 172.30.0.94 | 172.30.0.92
DistSwitch1 | Quad4-1 | 172.30.0.97 | 172.30.0.98 | 172.30.0.96
DistSwitch1 | Quad4-2 | 172.30.0.101 | 172.30.0.102 | 172.30.0.100
DistSwitch1 | Quad4-3 | 172.30.0.105 | 172.30.0.106 | 172.30.0.104
DistSwitch1 | Quad4-4 | 172.30.0.109 | 172.30.0.110 | 172.30.0.108
DistSwitch1 | Quad4-5 | 172.30.0.113 | 172.30.0.114 | 172.30.0.112
DistSwitch1 | Quad4-6 | 172.30.0.117 | 172.30.0.118 | 172.30.0.116
DistSwitch2 | Quad1-1 | 172.30.0.121 | 172.30.0.122 | 172.30.0.120
DistSwitch2 | Quad1-2 | 172.30.0.125 | 172.30.0.126 | 172.30.0.124
DistSwitch2 | Quad1-3 | 172.30.0.129 | 172.30.0.130 | 172.30.0.128
DistSwitch2 | Quad1-4 | 172.30.0.133 | 172.30.0.134 | 172.30.0.132
DistSwitch2 | Quad1-5 | 172.30.0.137 | 172.30.0.138 | 172.30.0.136
DistSwitch2 | Quad2-1 | 172.30.0.141 | 172.30.0.142 | 172.30.0.140
DistSwitch2 | Quad2-2 | 172.30.0.145 | 172.30.0.146 | 172.30.0.144
DistSwitch2 | Quad2-3 | 172.30.0.149 | 172.30.0.150 | 172.30.0.148
DistSwitch2 | Quad2-4 | 172.30.0.153 | 172.30.0.154 | 172.30.0.152
DistSwitch2 | Quad2-5 | 172.30.0.157 | 172.30.0.158 | 172.30.0.156
DistSwitch2 | Quad3-1 | 172.30.0.161 | 172.30.0.162 | 172.30.0.160
DistSwitch2 | Quad3-2 | 172.30.0.165 | 172.30.0.166 | 172.30.0.164
DistSwitch2 | Quad3-3 | 172.30.0.169 | 172.30.0.170 | 172.30.0.168
DistSwitch2 | Quad3-4 | 172.30.0.173 | 172.30.0.174 | 172.30.0.172
DistSwitch2 | Quad3-5 | 172.30.0.177 | 172.30.0.178 | 172.30.0.176
DistSwitch2 | Quad3-6 | 172.30.0.181 | 172.30.0.182 | 172.30.0.180
DistSwitch2 | Quad4-1 | 172.30.0.185 | 172.30.0.186 | 172.30.0.184
DistSwitch2 | Quad4-2 | 172.30.0.189 | 172.30.0.190 | 172.30.0.188
DistSwitch2 | Quad4-3 | 172.30.0.193 | 172.30.0.194 | 172.30.0.192
DistSwitch2 | Quad4-4 | 172.30.0.197 | 172.30.0.198 | 172.30.0.196
DistSwitch2 | Quad4-5 | 172.30.0.201 | 172.30.0.202 | 172.30.0.200
DistSwitch2 | Quad4-6 | 172.30.0.205 | 172.30.0.206 | 172.30.0.204
Access Layer
Device A | Device B | Device A Address | Device B Address | Network Address
Quad1-1 | Quad1-2 | 172.30.0.209 | 172.30.0.210 | 172.30.0.208
Quad1-2 | Quad1-3 | 172.30.0.213 | 172.30.0.214 | 172.30.0.212
Quad1-3 | Quad1-4 | 172.30.0.217 | 172.30.0.218 | 172.30.0.216
Quad1-4 | Quad1-5 | 172.30.0.221 | 172.30.0.222 | 172.30.0.220
Quad1-5 | Quad1-1 | 172.30.0.225 | 172.30.0.226 | 172.30.0.224
Quad2-1 | Quad2-2 | 172.30.0.229 | 172.30.0.230 | 172.30.0.228
Quad2-2 | Quad2-3 | 172.30.0.233 | 172.30.0.234 | 172.30.0.232
Quad2-3 | Quad2-4 | 172.30.0.237 | 172.30.0.238 | 172.30.0.236
Quad2-4 | Quad2-5 | 172.30.0.241 | 172.30.0.242 | 172.30.0.240
Quad2-5 | Quad2-1 | 172.30.0.245 | 172.30.0.246 | 172.30.0.244
Quad3-1 | Quad3-2 | 172.30.0.249 | 172.30.0.250 | 172.30.0.248
Quad3-2 | Quad3-3 | 172.30.0.253 | 172.30.0.254 | 172.30.0.252
Quad3-3 | Quad3-4 | 172.30.1.1 | 172.30.1.2 | 172.30.1.0
Quad3-4 | Quad3-5 | 172.30.1.5 | 172.30.1.6 | 172.30.1.4
Quad3-5 | Quad3-6 | 172.30.1.9 | 172.30.1.10 | 172.30.1.8
Quad3-6 | Quad3-1 | 172.30.1.13 | 172.30.1.14 | 172.30.1.12
Quad4-1 | Quad4-2 | 172.30.1.17 | 172.30.1.18 | 172.30.1.16
Quad4-2 | Quad4-3 | 172.30.1.21 | 172.30.1.22 | 172.30.1.20
Quad4-3 | Quad4-4 | 172.30.1.25 | 172.30.1.26 | 172.30.1.24
Quad4-4 | Quad4-5 | 172.30.1.29 | 172.30.1.30 | 172.30.1.28
Quad4-5 | Quad4-6 | 172.30.1.33 | 172.30.1.34 | 172.30.1.32
Quad4-6 | Quad4-1 | 172.30.1.37 | 172.30.1.38 | 172.30.1.36
Quad1-1 | Quad1-3 | 172.30.1.41 | 172.30.1.42 | 172.30.1.40
Quad1-2 | Quad1-4 | 172.30.1.45 | 172.30.1.46 | 172.30.1.44
Quad1-3 | Quad1-5 | 172.30.1.49 | 172.30.1.50 | 172.30.1.48
Quad1-4 | Quad1-1 | 172.30.1.53 | 172.30.1.54 | 172.30.1.52
Quad1-5 | Quad1-2 | 172.30.1.57 | 172.30.1.58 | 172.30.1.56
Quad2-1 | Quad2-3 | 172.30.1.61 | 172.30.1.62 | 172.30.1.60
Quad2-2 | Quad2-4 | 172.30.1.65 | 172.30.1.66 | 172.30.1.64
Quad2-3 | Quad2-5 | 172.30.1.69 | 172.30.1.70 | 172.30.1.68
Quad2-4 | Quad2-1 | 172.30.1.73 | 172.30.1.74 | 172.30.1.72
Quad2-5 | Quad2-2 | 172.30.1.77 | 172.30.1.78 | 172.30.1.76
Quad3-1 | Quad3-3 | 172.30.1.81 | 172.30.1.82 | 172.30.1.80
Quad3-2 | Quad3-4 | 172.30.1.85 | 172.30.1.86 | 172.30.1.84
Quad3-3 | Quad3-5 | 172.30.1.89 | 172.30.1.90 | 172.30.1.88
Quad3-4 | Quad3-6 | 172.30.1.93 | 172.30.1.94 | 172.30.1.92
Quad3-5 | Quad3-1 | 172.30.1.97 | 172.30.1.98 | 172.30.1.96
Quad3-6 | Quad3-2 | 172.30.1.101 | 172.30.1.102 | 172.30.1.100
Quad4-1 | Quad4-3 | 172.30.1.105 | 172.30.1.106 | 172.30.1.104
Quad4-2 | Quad4-4 | 172.30.1.109 | 172.30.1.110 | 172.30.1.108
Quad4-3 | Quad4-5 | 172.30.1.113 | 172.30.1.114 | 172.30.1.112
Quad4-4 | Quad4-6 | 172.30.1.117 | 172.30.1.118 | 172.30.1.116
Quad4-5 | Quad4-1 | 172.30.1.121 | 172.30.1.122 | 172.30.1.120
Quad4-6 | Quad4-2 | 172.30.1.125 | 172.30.1.126 | 172.30.1.124
VOIP Infrastructure
Device A | Device B | Device A Address | Device B Address | Network Address
CUCM-1 | DistSwitch1 | 172.30.1.129 | 172.30.1.130 | 172.30.1.128
CUCM-2 | DistSwitch1 | 172.30.1.133 | 172.30.1.134 | 172.30.1.132
UNITY-1 | DistSwitch1 | 172.30.1.137 | 172.30.1.138 | 172.30.1.136
UNITY-2 | DistSwitch1 | 172.30.1.141 | 172.30.1.142 | 172.30.1.140
CUCM-1 | DistSwitch2 | 172.30.1.145 | 172.30.1.146 | 172.30.1.144
CUCM-2 | DistSwitch2 | 172.30.1.149 | 172.30.1.150 | 172.30.1.148
UNITY-1 | DistSwitch2 | 172.30.1.153 | 172.30.1.154 | 172.30.1.152
UNITY-2 | DistSwitch2 | 172.30.1.157 | 172.30.1.158 | 172.30.1.156
Wireless Infrastructure
Device A | Device B | Device A Address | Device B Address | Network Address
DistSwitch1 | WWTCwlan01 | 172.30.1.161 | 172.30.1.162 | 172.30.1.160
DistSwitch2 | WWTCwlan02 | 172.30.1.165 | 172.30.1.166 | 172.30.1.164
DistSwitch1 | WWTCwlan.access01 | 172.30.1.169 | 172.30.1.170 | 172.30.1.168
DistSwitch2 | WWTCwlan.access02 | 172.30.1.173 | 172.30.1.174 | 172.30.1.172
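As an added example that is not part of the original document, the following Python regenerates the point-to-point addressing above from one rule: hand out consecutive /30 networks from a pool, giving the first host to Device A and the second to Device B. The link order (core, distribution uplinks, access rings and then access skip links, VoIP servers, wireless) is taken from the tables; the pool 172.30.0.0/22 is an assumption, since the page never states the pool size. same_link() is the check a reviewer can run over a hand-built table: two endpoint addresses are only a valid pair if they fall in the same /30.

```python
import ipaddress

# Switch names as listed in "LAN Naming Conventions and Devices"
# (Quad1 and Quad2 have five access switches, Quad3 and Quad4 six).
QUADS = {1: 5, 2: 5, 3: 6, 4: 6}
ACCESS = [f"Quad{q}-{i}" for q, n in QUADS.items() for i in range(1, n + 1)]


def core_links():
    return [("FireWall1", "CoreSwitch1"), ("FireWall1", "CoreSwitch2"),
            ("FireWall2", "CoreSwitch1"), ("FireWall2", "CoreSwitch2"),
            ("CoreSwitch1", "DistSwitch1"), ("CoreSwitch1", "DistSwitch2"),
            ("CoreSwitch2", "DistSwitch1"), ("CoreSwitch2", "DistSwitch2")]


def distribution_links():
    # Every access switch uplinks to both distribution switches.
    return [(d, a) for d in ("DistSwitch1", "DistSwitch2") for a in ACCESS]


def access_links():
    # Per quad: a ring (i -> i+1) first, then the skip links (i -> i+2),
    # in the order the table above lists them.
    rings, skips = [], []
    for q, n in QUADS.items():
        for i in range(n):
            rings.append((f"Quad{q}-{i + 1}", f"Quad{q}-{(i + 1) % n + 1}"))
            skips.append((f"Quad{q}-{i + 1}", f"Quad{q}-{(i + 2) % n + 1}"))
    return rings + skips


def voip_and_wireless_links():
    servers = ["CUCM-1", "CUCM-2", "UNITY-1", "UNITY-2"]
    voip = [(s, d) for d in ("DistSwitch1", "DistSwitch2") for s in servers]
    wireless = [("DistSwitch1", "WWTCwlan01"), ("DistSwitch2", "WWTCwlan02"),
                ("DistSwitch1", "WWTCwlan.access01"),
                ("DistSwitch2", "WWTCwlan.access02")]
    return voip + wireless


ALL_PAIRS = (core_links() + distribution_links() + access_links()
             + voip_and_wireless_links())


def allocate_links(pairs, pool="172.30.0.0/22"):
    """Hand out consecutive /30s from the pool (an assumed size); Device A
    gets the first host, Device B the second. Raises if the pool runs out."""
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=30)
    rows = []
    for (a, b), net in zip(pairs, subnets):
        first, second = net.hosts()
        rows.append((a, b, str(first), str(second), str(net)))
    if len(rows) < len(pairs):
        raise ValueError("point-to-point pool exhausted")
    return rows


def same_link(addr_a, addr_b):
    """True if two endpoint addresses share one /30 link network."""
    net_a = ipaddress.ip_interface(f"{addr_a}/30").network
    net_b = ipaddress.ip_interface(f"{addr_b}/30").network
    return net_a == net_b


if __name__ == "__main__":
    for a, b, ip_a, ip_b, net in allocate_links(ALL_PAIRS):
        print(f"{a:<12} {b:<18} {ip_a:<14} {ip_b:<14} {net}")
```

The 108 links consume 432 addresses, which is why the table crosses from 172.30.0.x into 172.30.1.x at the Quad3-3 to Quad3-4 link; a /23 would have been enough for this table, but a /22 leaves room for the 20% growth the LAN requirements call for.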
4. High Level Network Diagram
5. High Level VOIP Diagram
6. High Level Wireless Diagram
7. VOIP Devices
Devices | Needs | IP Addressing | VLAN
Cisco IP Phones | Minimum 105 addresses needed. Class C will provide 254 addresses for future VoIP expansion. | 172.20.0.0/24 | 10
8. VOIP Device Naming Conventions
Device Type | Device | Device Name | Placement
HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | Server | CUCM-1 | Data Center
HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | Server | CUCM-2 | Data Center
HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | Server | UNITY-1 | Data Center
HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | Server | UNITY-2 | Data Center
9. VOIP Bandwidth
IP Phone | CODEC | Rate | Sample Time | Payload | Packets Per Second | Bandwidth | Frame Relay | cRTP
7942G, 7962G | G.711 | 64 Kbps | 30 ms | 240 bytes | 33.3 | 79.4 Kbps | 76.2 Kbps | 66.6 Kbps
Multiplied by 105 x 70% | G.711 | - | - | - | - | 5,835.9 Kbps | 5,600 Kbps | 4,895 Kbps
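The per-call figures above all come from one formula: (voice payload + IP/UDP/RTP header + Layer 2 overhead) x 8 bits x packets per second. This added Python example, which is not from the original document, reproduces the table's numbers and the 105 x 70% aggregate. It assumes 18 bytes of Ethernet overhead, 6 bytes of Frame Relay overhead and a 4-byte compressed header for cRTP; the page does not state those sizes, and they are the assumptions that make the arithmetic match. It goes beyond the page in accepting other codecs, for instance G.729 at 8 Kbps with a 20 ms sample.

```python
# Header sizes in bytes. Overhead values are assumptions that reproduce the
# table above; the page itself does not list them.
IP_UDP_RTP_HEADER = 40                           # 20 IP + 8 UDP + 12 RTP
CRTP_HEADER = 4                                  # cRTP compresses the 40 bytes to 2-4
L2_OVERHEAD = {"ethernet": 18, "frame_relay": 6}  # header + trailer per packet


def packets_per_second(sample_ms):
    """One packet per sample interval, rounded to a tenth as the table does."""
    return round(1000 / sample_ms, 1)


def payload_bytes(codec_kbps, sample_ms):
    """Voice payload in one packet: codec bit rate times the sample time."""
    return codec_kbps * sample_ms // 8


def per_call_kbps(codec_kbps, sample_ms, layer2, crtp=False):
    """Bandwidth of a single one-way voice stream on the given Layer 2."""
    header = CRTP_HEADER if crtp else IP_UDP_RTP_HEADER
    packet_bits = (payload_bytes(codec_kbps, sample_ms)
                   + header + L2_OVERHEAD[layer2]) * 8
    return round(packet_bits * packets_per_second(sample_ms) / 1000, 1)


def aggregate_kbps(per_call, phones, concurrency):
    """Bandwidth to provision when `concurrency` of the phones are in a call."""
    return round(per_call * phones * concurrency, 1)


def provisioning_table(codec_kbps=64, sample_ms=30, phones=105, concurrency=0.7):
    """Per-call and aggregate figures for Ethernet, Frame Relay and cRTP."""
    per_call = {
        "ethernet": per_call_kbps(codec_kbps, sample_ms, "ethernet"),
        "frame_relay": per_call_kbps(codec_kbps, sample_ms, "frame_relay"),
        "crtp": per_call_kbps(codec_kbps, sample_ms, "frame_relay", crtp=True),
    }
    aggregate = {k: aggregate_kbps(v, phones, concurrency) for k, v in per_call.items()}
    return {"per_call": per_call, "aggregate": aggregate}


if __name__ == "__main__":
    table = provisioning_table()
    for link, kbps in table["per_call"].items():
        print(f"{link:<12} {kbps:>8.1f} Kbps per call  "
              f"{table['aggregate'][link]:>9.1f} Kbps for 105 phones at 70%")
```

The table's 70% concurrency factor is the capacity planning assumption to revisit: the G.711 aggregate is what the core and distribution links must carry for voice alone before any data traffic is added.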
10. Wireless Network Placement Table
Wireless Network Placement Table
Office Location | Access Point Requirements (Total AP) | Wireless LAN Controller Requirements (Total WLC)
Server Room | 2 | 2
Lobby | 6 | 6
Conference Room #1 | 4 | 4
Conference Room #2 | 4 | 4
Total | 14 | 2
11. Wireless Equipment List
Cisco Equipment List
Device | Cisco Model# | Quantity | Comments
Access Point (AP) | Cisco Aironet 2700i Access Point, AIR-CAP2702I-xK910 (10-pack) | 14 | Supports 802.11ac/n, speeds up to 1.3 Gbps, guest access, BYOD, wIPS, IPv6, and 802.1X
Wireless LAN Controller (WLC) | Cisco 5520 Wireless Controller, AIR-CT5520-K9 | 2 | Supports 802.11ac/n, Bonjour services, guest access, BYOD, wIPS, IPv6, and 802.1X
Access Layer Switch | Cisco Catalyst 3850 Series Switch (24 Ports), WS-C3850-24P-S | 2 | Supports PoE, Gigabit speed, expansion of WLAN, and integration with wireless infrastructure
12. Wireless Infrastructure Device Name and Placement
Wireless Infrastructure Device Name and Placement
Device | Device Name | Placement | Connection
Cisco Aironet 2700i Access Point | WWTCnyc001, WWTCnyc002, WWTCnyc003, WWTCnyc004, WWTCnyc005, WWTCnyc006 | Lobby | Access Layer Switch, vLAN 11 (Bonjour Services)
Cisco Aironet 2700i Access Point | WWTCnyc007, WWTCnyc008, WWTCnyc009, WWTCnyc010 | Conference Room #1 | Access Layer Switch, vLAN 11 (Bonjour Services)
Cisco Aironet 2700i Access Point | WWTCnyc011, WWTCnyc012, WWTCnyc013, WWTCnyc014 | Conference Room #2 | Access Layer Switch, vLAN 11 (Bonjour Services)
Cisco 5520 Wireless Controller | WWTCwlan01, WWTCwlan02 | Server Room | Access Layer Switch, vLAN 11 (Bonjour Services); Distribution Layer Switch
Cisco Catalyst 3850 Series Switch (Access Layer) | WWTCwlan.access01, WWTCwlan.access02 | Server Room | Access Points; Wireless LAN Controller
13. Wireless Device Addressing
Devices | Needs | IP Addressing | VLAN
Multiple Wireless Devices | A separate subnet will be provided for the WLAN with 200 IP addresses available for clients and 52 reserved for additional infrastructure devices (i.e. access points); a vLAN will be needed for Bonjour Services (Apple devices) | 172.16.10.0/24; 200 IP addresses available for clients; 54 IP addresses reserved | 11
Appendix B: Security
1. General Security Architecture
[Figure: WWTC IT Security Architecture Framework. Components shown: Data/Information Security, Identity and Access Management, Authentication, Authorization, Audit, IT Security Policy, Implementation, Application Security, Infrastructure Security]
2. High Availability Security
Figure 1. Lukatsky, 2003
3. High Level Security Diagram
Appendix C: Active Directory Design
1. Active Directory Forest
Domain: WWTC.com
Domain container 2 and the 3rd container replication may be
present.
2. Active Forest Directory
3. Replication
4. Group Permissions
5. Group Lists
For the design of WWTC, we will be using the following
Universal groups:
· President_U
· VPs_U
· CEOs_U
· Managers_U
· Brokers_U
· Staff_U
· ITSupport_U
· Operations_U
· IT_U
· Finance_U
· HR_U
· Workstations_U
· Printers_U
· Servers_U
We will create the following Global Groups:
· President
· VPs
· CEOs
· Managers
· Brokers
· Staff
· ITSupport
· Operations
· IT
· Finance
· HR
· Workstations
· Printers
· Servers
We will create the following Domain Local Groups:
· President_Resources
· VPs_Resources
· CEOs_Resources
· Managers_Resources
· Brokers_Resources
· Staff_Resources
· ITSupport_Resources
· Operations_Resources
· IT_Resources
· Finance_Resources
· HR_Resources
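Added example, not from the original document: a Python model of how the three group scopes above are meant to nest (accounts in Global groups, Global groups in Universal groups, Universal groups in Domain Local groups, and permissions granted only to Domain Local groups, the AGUDLP pattern). The group names come from the lists above; the users, file shares and rights are constructed sample data, and grant() is this example's own check that an ACL never names a Global or Universal group directly.

```python
from collections import deque

# Group names copied from the lists above. Role groups get all three
# scopes (X, X_U, X_Resources); object groups get Universal and Global only.
ROLE_GROUPS = ["President", "VPs", "CEOs", "Managers", "Brokers", "Staff",
               "ITSupport", "Operations", "IT", "Finance", "HR"]
OBJECT_GROUPS = ["Workstations", "Printers", "Servers"]


def is_domain_local(group):
    return group.endswith("_Resources")


def build_group_graph():
    """member_of maps a principal to the groups it is a direct member of,
    wired Global -> Universal -> Domain Local."""
    member_of = {}
    for name in ROLE_GROUPS + OBJECT_GROUPS:
        member_of.setdefault(name, set()).add(f"{name}_U")
        if name in ROLE_GROUPS:
            member_of.setdefault(f"{name}_U", set()).add(f"{name}_Resources")
    return member_of


def add_user(member_of, user, global_group):
    """Accounts go into Global groups only (the A and G of AGUDLP)."""
    if global_group not in ROLE_GROUPS + OBJECT_GROUPS:
        raise ValueError(f"unknown Global group: {global_group}")
    member_of.setdefault(user, set()).add(global_group)


def grant(acl, resource, group, rights):
    """Permissions are granted to Domain Local groups only (the DL and P)."""
    if not is_domain_local(group):
        raise ValueError(f"grant to a Domain Local group, not {group}")
    acl.setdefault(resource, {}).setdefault(group, set()).update(rights)


def effective_groups(member_of, principal):
    """Transitive membership: every group a logon token would carry."""
    seen, queue = set(), deque([principal])
    while queue:
        for group in member_of.get(queue.popleft(), ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def has_access(member_of, acl, user, resource, right):
    """True if any group in the user's token is granted `right` on `resource`."""
    groups = effective_groups(member_of, user)
    return any(group in groups and right in rights
               for group, rights in acl.get(resource, {}).items())


# Constructed sample data: two hypothetical file shares and two users.
SAMPLE_ACL = {}
grant(SAMPLE_ACL, r"\\fs01\Brokers", "Brokers_Resources", {"read", "write"})
grant(SAMPLE_ACL, r"\\fs01\Brokers", "IT_Resources", {"read"})
grant(SAMPLE_ACL, r"\\fs01\HR", "HR_Resources", {"read", "write"})


def sample_scenario():
    member_of = build_group_graph()
    add_user(member_of, "alice", "Brokers")
    add_user(member_of, "bob", "IT")
    return member_of


if __name__ == "__main__":
    graph = sample_scenario()
    for user in ("alice", "bob"):
        print(user, sorted(effective_groups(graph, user)))
```

Keeping permissions on the Domain Local layer is what makes an access review tractable: the question "who can write to the Brokers share" is answered by walking the members of Brokers_Resources, and moving a user between roles changes one Global group membership rather than every ACL.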
6. Default Domain Policy GPO
Password Policy GPO Settings
Enforce password history = 6
Maximum password age = 60
Minimum password age = 15
Minimum password length = 12
Password must meet complexity requirement
Store passwords using reversible encryption for all users in the
domain
Account lockout duration = 15
Account lockout threshold = 3
Reset lockout counter after = 15
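To show what the password and lockout settings above mean in practice, here is an added Python example that is not part of the original document. validate() applies the minimum length of 12, Windows-style complexity (three of the character classes upper, lower, digit, other letter and special, and no fragment of three or more characters from the account name or display name) and a history of 6 stored hashes; AccountLockout models the threshold of 3, the 15 minute lockout duration and the 15 minute reset counter. The "Store passwords using reversible encryption" setting is listed above without a value; the example treats it as disabled, since enabling it keeps passwords in a recoverable form and is only needed by protocols such as CHAP that require the clear text. The account names and passwords are constructed test data.

```python
import hashlib
import re

# Values taken from the "Password Policy GPO Settings" list above.
POLICY = {
    "min_length": 12,
    "history": 6,
    "complexity": True,
    "reversible_encryption": False,   # assumed; the list gives no value
    "lockout_threshold": 3,
    "lockout_duration_min": 15,
    "reset_counter_min": 15,
}


def character_classes(password):
    """The classes Windows complexity counts; three of them are required."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isalpha():
            classes.add("other_alpha")   # letters without case, e.g. CJK
        else:
            classes.add("special")
    return classes


def name_fragments(account_name, display_name=""):
    """Fragments a compliant password may not contain: the account name and
    each display-name token of three or more characters."""
    fragments = set()
    if len(account_name) >= 3:
        fragments.add(account_name.lower())
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) >= 3:
            fragments.add(token.lower())
    return fragments


def password_hash(password):
    # Stand-in for the directory's stored hash; the clear text is only
    # recoverable when reversible encryption is enabled, which it is not here.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate(password, account_name, display_name="", previous_hashes=()):
    """Return the policy rules the candidate password violates ([] if none)."""
    violations = []
    if len(password) < POLICY["min_length"]:
        violations.append("min_length")
    if POLICY["complexity"]:
        if len(character_classes(password)) < 3:
            violations.append("complexity_classes")
        lowered = password.lower()
        if any(frag in lowered for frag in name_fragments(account_name, display_name)):
            violations.append("contains_name")
    recent = list(previous_hashes)[-POLICY["history"]:]   # last 6 only
    if password_hash(password) in recent:
        violations.append("reused")
    return violations


class AccountLockout:
    """Threshold, duration and reset-counter semantics of the settings above.
    Times are minutes on any monotonic clock."""

    def __init__(self, threshold=POLICY["lockout_threshold"],
                 duration_min=POLICY["lockout_duration_min"],
                 reset_min=POLICY["reset_counter_min"]):
        self.threshold, self.duration_min, self.reset_min = threshold, duration_min, reset_min
        self.failures, self.last_failure, self.locked_until = 0, None, None

    def is_locked(self, now_min):
        return self.locked_until is not None and now_min < self.locked_until

    def record_failure(self, now_min):
        """Count a bad password; lock the account once the threshold is hit."""
        if self.last_failure is not None and now_min - self.last_failure >= self.reset_min:
            self.failures = 0          # reset-counter window has elapsed
        self.failures += 1
        self.last_failure = now_min
        if self.failures >= self.threshold:
            self.locked_until = now_min + self.duration_min
            self.failures = 0
        return self.is_locked(now_min)
```

A threshold of 3 with a 15 minute duration means three wrong guesses lock a user out for a quarter of an hour, which is a usability cost worth noting alongside the monitoring benefit: with the audit settings in the next list enabled, each lockout appears in the security log and a burst of them across accounts is the signal a password-spraying attempt leaves.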
Account Audit GPO Settings
Audit account logon events = success / failure
Audit account management = success / failure
Audit directory service access = success / failure
Audit logon events = success / failure
Audit object access = success / failure
Audit policy change = success / failure
Audit privilege use = success / failure
Audit process tracking = success / failure
Audit system events = success / failure
User Access Control (UAC) GPO Settings
User Account Control: Admin Approval Mode for the Built-in
Administrator account = enabled
User Account Control: Behavior of the elevation prompt for
administrators in Admin Approval Mode = prompt for consent
on the secure desktop
User Account Control: Behavior of the elevation prompt for
standard users = prompt for credentials
User Account Control: Detect application installations and
prompt for elevation = enabled
User Account Control: Only elevate executables that are signed
and validated = enabled
User Account Control: Run all administrators in Admin
Approval Mode = enabled
User Account Control: Switch to the secure desktop when
prompting for elevation = enabled
User Account Control: Virtualize file and registry write failures
to per-user locations = enabled
7. WWTC Company Policy GPO
BitLocker Policy GPO Settings
Choose drive encryption method and cipher strength = enabled;
AES 256-bit
Allow enhanced PINs for startup = enabled
Use enhanced Boot Configuration Data validation profile =
enabled
Choose how BitLocker-protected operating system drives can be
recovered = enabled; store in AD DS
Enforce drive encryption type on operating system drives =
enabled; full disk encryption
Require additional authentication at startup = enabled; TPM
with PIN
Allow network unlock at startup = enabled
Configure minimum PIN length for startup = enabled; min. 6
characters
Configure use of hardware-based encryption for operating
system drives = enabled
Allow Secure Boot for integrity validation = enabled
Configure TPM platform validation profile for BIOS-based
firmware configurations = enabled
Configure TPM platform validation profile for native UEFI
firmware configurations = enabled
System cryptography: Use FIPS compliant algorithms for
encryption, hashing, and signing = enabled
System cryptography: Force strong key protection for user keys
stored on the computer = user is prompted when key is first
used
BranchCache GPO Settings
Turn on BranchCache = enabled
Set percentage of disk space used for client computer cache =
enabled; 15%
Set BranchCache Hosted Cache mode = enabled
Configure BranchCache for network files = enabled
Enable Automatic Hosted Cache Discovery by Service
Connection Point = enabled
Configure Hosted Cache Servers = enabled
Set age for segments in the data cache = enabled; 15 days
Timeout for inactive BITS jobs = enabled
Limit the maximum BITS job download time = enabled; 5 days
Limit the maximum network bandwidth for BITS background
transfers = enabled
Set up a work schedule to limit the maximum network
bandwidth used for BITS background transfers = enabled
Set up a maintenance schedule to limit the maximum network
bandwidth used for BITS background transfers = enabled
Allow BITS Peercaching = enabled
Limit the age of files in the BITS Peercache = enabled; 10 days
Limit the BITS Peercache size = enabled; 10%
Limit the maximum network bandwidth used for Peercaching =
enabled
Set default download behavior for BITS jobs on costed
networks = enabled
Limit the maximum number of BITS jobs for this computer =
enabled
Limit the maximum number of BITS jobs for each user =
enabled
Limit the maximum number of files allowed in a BITS job =
enabled
Limit the maximum number of ranges that can be added to the
file in a BITS job = enabled
Hash Publication for BranchCache = enabled
Hash Version support for BranchCache = enabled; value of 3
Offline (Cache) Encryption GPO Settings
Default cache size = enabled; 15%
Allow or Disallow use of the Offline Files feature = enabled
Encrypt the Offline Files cache = enabled
Event logging level = enabled
Files not cached = enabled
Action on server disconnect = enabled; never go offline
Prevent use of Offline Files folder = enabled
Prohibit user configuration of Offline Files = enabled
Remove "Make Available Offline" command = enabled
Remove "Make Available Offline" for these files and folders =
Comprehensive Authentic Assessment Plan DeliverablesFor this c.docx

  • 1. Comprehensive Authentic Assessment Plan Deliverables For this course AAP is a response for customer’s RFP or customer’s design requirements and type of solution used in network design. Typically a customer’s RFP includes following topics. · Business goals for the project · Scope of the project · Information on existing network · Information on new applications · Technical requirements, including scalability, availability, network performance, security, manageability, usability, adaptability, and affordability · Warranty requirements for products · Environmental or architectural constraints · Training and support requirements · Preliminary schedule with milestones and deliverables · Legal contractual terms and conditions Your AAP should include responses to all of customer’s RFP and should include logical and physical component pf the design, information on technologies used in design solution, and proposal to implementing the design. The following sections describe the format of AAP: A: Executive Summary (ES) The executive summary briefly states and emphasizes the major points of the customer’s requirements. The ES should be no more than one page and should be directed at key decision maker of the project who will decide whether to accept your design. The ES can have minimum technical information but NO technical details. The technical information should be summarized and organized in order of the customer’s highest-
  • 2. priority objectives for the design project. The ES should be organized customer top requirements. B: Project Goal This section should state the primary goal for the network design. The goal should be business oriented and related to an overall objective that organization has to become more successful in core business. Your objective is to make it clear to decision maker that you understand the primary purpose and importance of the network design project. Below is an example of project goal was written for an actual design. “The goal of this project is to develop a wide area network (WAN) that will support new high bandwidth and low-delay multimedia applications. The new applications are key to the successful implementation of new training programs for the sales force. The new WAN facilitate of increasing sales in the USA by 50% in the next fiscal year.” C: Project Scope The project scope section provides information on extent of the project, including a summary of departments, field offices networks that will be affected by the project. The project scope section specifies whether the project is new network or modifications to an existing network. It indicates whether the design is for a single network segment, a set of LANs, a building or campus network, or a set of WAN or remote access network, VoIP, or enhancing security D: Design Requirements In this section, you provide major business and technical requirements of the network in priority order. In business goal explain the role network design will play in helping an organization provide better products and services. The technical requirement section explain in general term how
  • 3. propose technical improvement is better than or meet the customer requirement. Network Application: This section lists and characterizes the new and existing network applications. E: Current State of the Network: This section briefly describes the structure and performance of the network. It should include a high-level network map that identifies the location of connecting devices, server farm, storage systems, and network segment F: Design Solution : This section includes: · Logical Network topology which include high level one or more drawings to illustrate logical architecture of the proposed network · Recommended LAN design to implement Client’s key requirements. · Recommended Voice over IP solution, · Recommend solution to implement client’s key security requirements. · Recommend solution to implement client’s key Active Directory requirements
  • 4. · Recommend network management processes and products G: Implementation Plan: The implementation plan includes your recommendations for deploying the network design. The design implementation description should be detailed as possible. Implementation of a network design consists of several phases (buy and install hardware, configure system, test system and so forth). Each phase consists of several steps, and documentation for each step should contain the following: · A project schedule · Plans with vendors or service providers for installation of links, equipment or services · Plan or recommendations for outsourcing the implementation or management of the network · A plan for communicating the design to end users, network administrators, and management · A training plan for network administrators and end users · A plan for measuring the effectiveness of the design after it has been implemented · A list of known risks that could delay the project · A fallback plan if the network implementation fails · A pan for evolving the network design as new application requirements goals arise
  • 5. Sample Project Schedule Template Date of Completion Project Milestone August 1 Design completed and a beta version of the design document distributed to key executives, managers, network administrators, and end users (end users depends on management) August 15 Comments on the design document due August 22 Final design document distributed August 25 Installation of leased lines between all buildings completed by WAN service provider August 28-29 Network administrators trained on new system August 30-31 End users trained on new system September 6 Pilot implementation completed in Building 1 or head office or branch office September 20 Feedback received on pilot from network administrators and users
  • 6. September 27 Implementation completed on Buildings 2-5 or floors 1-6 October 10 Feedback received from buildings 2-5 from network administrators and users October 17 Implementation completed in the rest of buildings or floors Ongoing or December 31 New system monitored to verify that it meets goals H: Project Budget This section should contain the funds the customer needs for equipment purchases, maintenance, and support agreements, service contracts, software licenses, training, and staffing. The budget can also include consulting fees and outsourcing expenses. I: Design Document Appendix Most design documents include one or more appendixes that present supplemental information about the design and implementation. Supplemental information can include detailed topology drawings, device configurations, network addressing and naming details and comprehensive results from the testing of the network design. You can include business information such as list of contact name, numbers and e-mail addresses. The
  • 7. appendix can include warranty on devices, legal agreement, and any information which is not critical for design, but you have noted in your gathering information process. Writing Instructions Paper must have a minimum of 25 pages and a maximum of 35 pages of text excluding the required title page and bibliography and optional tables. Text must be Times New Roman, 12 font, 1" margin on all sides, and double spaced. Students must follow "Publication Manual of the American Psychological Association, Fifth Edition (APA- 5)", also known as APA style or format. Only a Microsoft Word file will be accepted as the final submission; no HTML or PDF files allowed. All sources must be properly cited and must be credible. At least two sources must be Internet sources (for help in evaluating the credibility of web sources, go to www.umuc.edu/library/guides/evaluate.shtml). Once you have completed a good draft, it is strongly advised that you submit it to UMUC's Effective Writing Center (EWC). In order to allow sufficient time for their review, you need to submit the draft to EWC two weeks prior to the paper's due date.
Active Directory 20

5 Assignment – Active Directory Design and Active Directory Implementation

Introduction

The assignment for week three called for the creation of a document that "will specify organizational Active Directory design, and develop and implement Active Directory as per organizational standards and policies" (UMUC, n.d.). According to the assignment document (UMUC, n.d.), this section must include but is not limited to:
· Create Active Directory policies to include recommended features
· Create and implement forest named WWTC.com
· Create OU for each Department under forest WWTC.com.
· Link WWTC.com to headquarters.
· Create Global, Universal, Local groups for each domain. Each global group will contain all users in the corresponding department. Membership in the universal group is restrictive and membership can be assigned on the basis of the least privilege principle. (For design purposes, you can assume that WWTC is a single forest with multiple domains.)
· Create GPO and GPO policies (all domains will be serviced and managed by IT staff at World-Wide Trading Company).
The network details were generated from the information provided in the Case Study World Wide Trading Company (WWTC) document (UMUC, n.d.).

WWTC Forest

Active Directory simplifies user and resource management. The elements of Active Directory include scalability, a manageable infrastructure and secure resource allocation. Active Directory also has the additional benefit of being able to utilize emerging technologies. Even though an Active Directory is not a special directory, it plays a variety of roles within organizations (Microsoft, 2014). Therefore, the important Active Directory design decisions involve deployment: the creation, establishment and deployment of the Active Directory forest.

Create and implement forest named WWTC.com

The Active Directory of an enterprise is a directory service that stores and manages information about network resources. Network infrastructure administrators use Active Directory as a database to manage enterprise resources such as computers, users, hardware and software resources. Domains and forests are the two main elements that form the logical and physical infrastructure of an enterprise network database. An enterprise may comprise one to several domains and forests, three on average. In the case of World-Wide Trading (WWTC), this enterprise will require one forest and one domain for the New York enterprise, even though there will be room for several domains. The aim of this paper is to create and implement a forest named WWTC.com, create an OU for each department under the forest WWTC.com, and link WWTC.com to headquarters (Microsoft, 2014).

When creating a forest named WWTC.com, the scope and focus will be developing an Active Directory that offers service deployment in a straightforward and easy-to-use network infrastructure. The role of the forest is to contain one or more domains while centering on defining and managing an infrastructure that has central administrative roles and responsibilities. Active Directory is a forest containing multiple domains. Multiple domains arranged in the forest assist in avoiding data replication. When designing a forest, the administrator is responsible for completing the domain design for WWTC. The elements of the domain include the forest root domain, the name of the domain, the scope of the domain and the number of users that will be using that domain. The network infrastructure developers should also create and plan a schedule for upgrades. In WWTC, the scope of the forest has already been defined. The number of users for this forest is approximately 4,000, the name of the domain will be WWTC.com and the forest root domain will be WWTC (Microsoft, 2014). Being an enterprise with global business and objectives of growth, the forest domain for this organization will be dedicated in terms of design. The purpose of using a dedicated forest domain includes the following:
· Employability of few network infrastructure administrators, but who are capable of making unlimited forest-wide changes.
· Ability to replicate forest database backups.
· Avoiding obsolete resources.
· Ownership of a forest domain is easily transferred. This would happen only if the current business plan reaches a point where it is no longer favorable.

[Figure 1 (diagram not reproduced): Active Directory forest, domain WWTC.com; domain container 2 and a 3rd container, between which replication may be present.]
Figure 1: Active Directory forest with domain container and sub-domain containers in a two-way transitive relationship.

Create OU for each Department under forest WWTC.com.
Organizational units (OUs) are contained under the second domain and subsequent domains in the Active Directory forest. OUs are key elements in the forest domain. While the top level of Active Directory contains a forest, the domains come second. OUs are third and are contained within the domains. The organization of these three elements is called the logical model of the network infrastructure. OUs within an enterprise organization assist in delegating administrative activities within the network infrastructure (Microsoft, 2014). Administrative activities include creating and developing group policies as well as restricting visibility. Within the WWTC New York organization, OUs are created and developed after the main forest domain infrastructure is complete. Within IT best practices, OUs are modeled within the domain and reserved for internal operational managers. Organizational units are defined as departments, and each department is required to manage its own objects within the larger domain. While the IT staff are tasked with managing the overall configuration of the domain, OUs are managed by the OU owners. Therefore, the OU owners have skills and expertise similar to those of domain managers. The tasks of the OU owners include making periodic changes to the OU structure that reflect changes in the domain and support organizational business and network policies. Another important characteristic of OUs is that they are designed to change easily. While an OU has been defined, its elements include but are not limited to other OUs, users, groups, computers and other hardware objects (Microsoft, 2014). The OU and sub-OUs are designed to form a structure within the domain that is primarily used for management processes. OUs have no limit on their number within a domain, but deep structures require extensive updates and extensive resources to make these updates. However, following IT best practices, WWTC will not create OUs that are more than ten levels deep. The best practice OU model for WWTC is explained in the figure below:

In the OU model used above, the Active Directory default containers include two elements, namely the users and their computer terminal containers, and the domain controllers OU. The principle behind interconnecting system containers under several OUs is that enterprises such as WWTC require high performance and the highest percentage of uptime. Also, the nature of the business requires the highest level of security, suggesting that major scheduled system upgrades will be required. When there is an upgrade, an OU from one domain container will be moved to another domain container. The old system of the active forest domain required manually moving users from the domain which is due for upgrade to another domain so they could continue executing their tasks. However, today, the new forest domain, such as the domain which WWTC is going to use, will not require physically moving users to another location.

Link WWTC.com to headquarters

Linking the WWTC organization in New York and the headquarters in Hong Kong requires Key Distribution Center (KDC) topography, borrowed from the Kerberos authentication service. The KDC topography, depending on the domain services that will be provided, has the intelligence to detect and balance shortcut trusts across the geographical locations of the soon-to-be-linked domains. Linking domains across distant geographical locations requires non-interactive connections. The non-interactive connections require that before a WWTC employee in the U.S. accesses resources located in the headquarters in Hong Kong, trust authentication will be required (Microsoft, 2014). The process of accessing resources connected in two geographical locations identified with two different domains requires a valid ticket when talking over a valid KDC. The company's main domain is WWTC.com. The U.S. domain is us.WWTC.com and the China domain is cn.WWTC.com. These two geographically different locations both access resources from the main domain. The forest infrastructure interconnects the domains within the same geographic region with an interactive network, but when connecting with a geographically different region, the non-interactive network is used, hence the process of ticketing employees to access resources in different countries. It is common to see the network infrastructure using referral tickets with reference to referral interconnections. Both the main domain connection and the interconnection between sub-domains located in geographically different locations must request permission to communicate with each other from the main domain (Microsoft, 2014). In addition to ticket referral when trying to access resources within different geographical locations, another method, the ticket-granting ticket (TGT), may be applied. The principle behind using this ticketing system is that some domains may not have permission to access other domains. For example, the U.S. domain may not have permission to access the China domain even though the China domain can access the U.S. domain. When this restriction is in place, it means that one of the domains is authoritative while the other is less authoritative. To enhance communication, the KDC Kerberos trust relationship is used.

Global Universal and Local Groups

Active Directory is used within a network environment to simplify the administration of users, computers, devices and the general network itself. While it takes a lot of time and effort to implement a new AD design, the time saved and ease of administration while supporting the network is the payoff. One way that AD eases administration is by the use of groups. Groups allow an administrator to easily manage large sets of users or computers by moving users or computers within these groups. If a new hire within the company is joining the accounting department, you can just add them to the accounting group rather than applying each policy to the user. This is fast and simple. It is important to plan out your design. There are three types of groups within AD: universal, global and domain local. Universal groups are stored and replicated to all global catalogs within the forest, which allows them to cross domain boundaries. Global groups replicate to all domains, "but can only contain users and computer accounts from the domain that the global group is created in" (Minasi, 2014). The domain local group is only used within the domain it was created in, but can contain global and universal groups. For the design of WWTC, we will be using the following Universal groups:
· President_U
· VPs_U
· CEOs_U
· Managers_U
· Brokers_U
· Staff_U
· ITSupport_U
· Operations_U
· IT_U
· Finance_U
· HR_U
· Workstations_U
· Printers_U
· Servers_U
We will create the following Global Groups:
· President
· VPs
· CEOs
· Managers
· Brokers
· Staff
· ITSupport
· Operations
· IT
· Finance
· HR
· Workstations
· Printers
· Servers
We will create the following Domain Local Groups:
· President_Resources
· VPs_Resources
· CEOs_Resources
· Managers_Resources
· Brokers_Resources
· Staff_Resources
· ITSupport_Resources
· Operations_Resources
· IT_Resources
· Finance_Resources
· HR_Resources
Once these groups are created, we can begin to organize the users in a way that will allow us to restrict permissions via the domain local groups, but easily add domains and allow users to access resources across the domains and forest as they need to via the universal groups. By creating the appropriate groups, administration of the forest will be simple group movements in order to apply the proper permissions and restrictions on the appropriate groups. In order to have the most control over the domain, we will put the accounts (users and computers) into the global groups; the global groups will be put into the appropriate universal groups. Then the universal groups will be put into the appropriate domain local groups, where the necessary domain restrictions and permissions can be applied.

Active Directory Policy

Encryption

One of the most effective measures against data being compromised is to use different methods of encryption to make it more difficult, and often impossible, to recover data even if it is compromised by a malicious user. By implementing the following Group Policies for the Computer and Server OUs we can ensure that every computer on the network is encrypting data when it is not being accessed:

BitLocker
1. Enforce drive encryption type on fixed data drives: utilize the Full Disk Encryption option, which skips the encryption options page for the user. Policy Path = Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
2. Allow network unlock at startup: automatically unlock the protected operating system drive on startup. Policy Path = Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives (Microsoft, 2007).
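Before moving on to the policy settings, the OU and group layout described above under "Create OU for each Department" and "Global Universal and Local Groups" can be scripted; the block below is an added example, not the paper's own work, and assumes a WWTC.com domain member with RSAT, rights to create objects under DC=WWTC,DC=com, and my own choice of a top-level "WWTC" OU with a "Groups" sub-OU.

```powershell
# Added example, not part of the paper: builds the per-department OUs and the
# Global / Universal / Domain Local group sets listed above, then nests them
# Accounts -> Global -> Universal -> Domain Local (AGUDLP) as the paper prescribes.
# Assumptions: ActiveDirectory module (RSAT); account allowed to create objects
# under DC=WWTC,DC=com; the "WWTC" and "Groups" OUs are my choice, not the paper's.
Import-Module ActiveDirectory

$DomainDN    = 'DC=WWTC,DC=com'
$Departments = 'President','VPs','CEOs','Managers','Brokers','Staff',
               'ITSupport','Operations','IT','Finance','HR'
$ObjectTypes = 'Workstations','Printers','Servers'   # Global + Universal only in the paper

function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

function New-GroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Path, [string]$Description)
    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$Name'")) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope -GroupCategory Security -Path $Path -Description $Description | Out-Null
    }
}

function Add-MemberIfMissing {
    # Add-ADGroupMember errors on an existing member, so check first (idempotent re-runs).
    param([string]$Group, [string]$Member)
    $already = Get-ADGroupMember -Identity $Group | Where-Object { $_.SamAccountName -eq $Member }
    if (-not $already) { Add-ADGroupMember -Identity $Group -Members $Member }
}

function New-WWTCGroupSet {
    # Creates <Name> (Global), <Name>_U (Universal) and, unless -NoLocal,
    # <Name>_Resources (Domain Local), then nests them G -> U -> DL.
    param([string]$Name, [string]$GroupsOU, [switch]$NoLocal)
    New-GroupIfMissing -Name $Name       -Scope Global    -Path $GroupsOU -Description "WWTC $Name accounts"
    New-GroupIfMissing -Name "${Name}_U" -Scope Universal -Path $GroupsOU -Description "WWTC $Name (forest-wide)"
    Add-MemberIfMissing -Group "${Name}_U" -Member $Name
    if (-not $NoLocal) {
        New-GroupIfMissing -Name "${Name}_Resources" -Scope DomainLocal -Path $GroupsOU -Description "WWTC $Name resource permissions"
        Add-MemberIfMissing -Group "${Name}_Resources" -Member "${Name}_U"
    }
}

# Build the tree: one OU per department plus a Groups OU, then the group sets.
$RootOU   = New-OUIfMissing -Name 'WWTC'   -ParentDN $DomainDN
$GroupsOU = New-OUIfMissing -Name 'Groups' -ParentDN $RootOU
foreach ($d in $Departments) {
    New-OUIfMissing -Name $d -ParentDN $RootOU | Out-Null
    New-WWTCGroupSet -Name $d -GroupsOU $GroupsOU
}
foreach ($t in $ObjectTypes) { New-WWTCGroupSet -Name $t -GroupsOU $GroupsOU -NoLocal }

# Permissions on resources are granted only to the *_Resources groups; a new
# hire in Finance then needs nothing more than membership of the Global group:
# Add-ADGroupMember -Identity 'Finance' -Members 'jdoe'
```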
BranchCache
1. Use Group Policy to Configure Domain Member Client Computers: turns on BranchCache. Policy Path = Computer Configuration, Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer, Network, BranchCache (Microsoft, 2012).
2. Windows Server 2012 encrypts the cache by default for BranchCache (Microsoft, 2015).

Failover Clustering
Failover clustering is a new feature provided with Windows Server 2012 and 2012 R2. It allows you to link multiple servers together to work in concert, and if one experiences a catastrophic failure, the others can take over immediately. This is a recommended feature for WWTC to ensure high availability as well as scalability. To enable this feature, it simply needs to be added under Add Roles and Features, Role-based or feature-based installation: select the destination server, select server roles, select features and then select Failover Clustering. Add this on all servers you wish to include in the cluster (Windows, 2013).

File Server Resource Manager
File Server Resource Manager, or FSRM, is "a suite of tools that allows administrators to understand, control and manage the quantity and type of data stored on their servers" (Microsoft, 2007). An important recommended tool that is controlled by FSRM is called File Classification Infrastructure. This gives the administrator the ability to store files based on how important they are to the business or what impact they would have if they were lost. One example is taking files with social security numbers and classifying those documents as Personally Identifiable Information (Savill, 2013). To install FSRM, open Control Panel, click Add or Remove Programs, then click Add/Remove Windows Components. In the Windows Components Wizard, select Management and Monitoring Tools and select Details. Click Next and then Finish.

IP Address Management (IPAM)
An IP Address Management (IPAM) server can offer better management of your network resources by offering the following features: Address Space Management, Virtual Address Space Management, Multi-Server Management, Network Auditing and Role-based access control. The Address Space Management and Virtual Address Space Management tools enable you to have oversight of all of your IP addressing, view statistics such as usage, find and resolve conflicts, and are compatible with IPv4 and IPv6. The Multi-Server Management tool allows you to manage all of the DHCP and DNS servers from one location, and can automatically locate all of them across the entire forest. With Network Auditing, you can track users, IP addresses and their devices, configure reports, view changes to IPAM and resolve conflicts. It also offers role-based management to delegate duties to other IT professionals. The IPAM software needs to be installed on a domain member and cannot be installed on an AD Domain Controller. It can be deployed in three different ways: Distributed, Centralized and Hybrid. Distributed has an IPAM server at each site. Centralized has one for the enterprise. Hybrid has one central server with other servers at each site (Microsoft, 2014).

Smart Cards
In order to provide the most secure protection for the network, it is recommended to use a two-factor authentication system, which in this case should be a smart card issued to employees and a PIN which the user will create and remember. With two-factor authentication, the user must meet the requirements of something they have and something they know. This gives an attacker less chance of having both pieces of the security puzzle. The smart card setup requires a PKI, or Public Key Infrastructure, for the card to work. The private keys on the smart cards must match a user in Active Directory. The certificates are mapped to a user account and allow you to force interactive logon and other features. Group Policy can be used to push policies across different OUs. Administrative tasks can be delegated in Active Directory to help with management (Microsoft, 2007).

Active Directory Group Policy

WWTC mentioned several improvements they would like to have completed within their new Active Directory additions. Most of the features to be implemented are security related and must be enforced through Windows Server 2012 group policies (GPOs). The WWTC Company Policy was created to work in conjunction with the Default Domain Policy. The key security feature that was requested to be configured was BitLocker requirements at the pre-boot level of WWTC's computers. In addition, policies were put in place to allow BitLocker-encrypted machines to automatically unlock themselves when physically connected to the network. The next GPO setting configured involved enabling the BranchCache service. A list of key policies has been applied for BranchCache to run in hosted mode, which includes the use of the Background Intelligent Transfer Service (BITS). The offline GPO settings are used to enforce two data security requirements: preventing end-users from storing data offline and encrypting data that has been cached on a computer. Smart Card GPO settings are set to control how an end-user's smart card interacts with the computer, what type of certificates are allowed for use with the smart card, and what prompts will be received in regards to the smart card. Lastly, the file classification GPO settings enable the use of automated rules to classify a file's sensitivity using a predetermined set of properties, while also presenting custom notifications for denied access to any files or folders.

Default Domain Policy GPO

Password Policy GPO Settings
Enforce password history = 6
Maximum password age = 60
Minimum password age = 15
Minimum password length = 12
Password must meet complexity requirement
Store passwords using reversible encryption for all users in the domain
Account lockout duration = 15
Account lockout threshold = 3
Reset lockout counter after = 15

Account Audit GPO Settings
Audit account logon events = success / failure
Audit account management = success / failure
Audit directory service access = success / failure
Audit logon events = success / failure
Audit object access = success / failure
Audit policy change = success / failure
Audit privilege use = success / failure
Audit process tracking = success / failure
Audit system events = success / failure

User Account Control (UAC) GPO Settings
User Account Control: Admin Approval Mode for the Built-in Administrator account = enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = prompt for consent on the secure desktop
User Account Control: Behavior of the elevation prompt for standard users = prompt for credentials
User Account Control: Detect application installations and prompt for elevation = enabled
User Account Control: Only elevate executables that are signed and validated = enabled
User Account Control: Run all administrators in Admin Approval Mode = enabled
User Account Control: Switch to the secure desktop when prompting for elevation = enabled
User Account Control: Virtualize file and registry write failures to per-user locations = enabled
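The Default Domain Policy password and lockout values tabled above can be applied and then checked for drift with the ActiveDirectory module; this is an added example, not the paper's, and assumes Domain Admin rights in WWTC.com, day units for the password ages and minute units for the lockout timers (which is how Windows interprets these settings).

```powershell
# Added example, not part of the paper: applies the Default Domain Policy
# password / lockout values listed above and reports any setting that differs.
# Assumptions: ActiveDirectory module (RSAT), Domain Admin rights, domain WWTC.com.
# The paper lists "Store passwords using reversible encryption" without a value;
# reversible storage exposes passwords to anyone who can read the directory, so
# it is pinned to $false here.
Import-Module ActiveDirectory

$Required = @{
    PasswordHistoryCount        = 6
    MaxPasswordAge              = New-TimeSpan -Days 60
    MinPasswordAge              = New-TimeSpan -Days 15
    MinPasswordLength           = 12
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutDuration             = New-TimeSpan -Minutes 15
    LockoutThreshold            = 3
    LockoutObservationWindow    = New-TimeSpan -Minutes 15
}

function Set-WWTCPasswordPolicy {
    param([string]$Domain = 'WWTC.com')
    # Writes the values on the domain head. The PDC emulator re-applies the
    # Default Domain Policy GPO on refresh, so the same values must also be set
    # in that GPO's Security Settings or they will be overwritten again.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Required
}

function Test-WWTCPasswordPolicy {
    # Compares the live domain policy with $Required, one row per setting.
    param([string]$Domain = 'WWTC.com')
    $current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    foreach ($name in ($Required.Keys | Sort-Object)) {
        $expected = $Required[$name]
        $actual   = $current.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected
            Actual    = $actual
            Compliant = ($actual -eq $expected)
        }
    }
}

Set-WWTCPasswordPolicy
# Anything printed here has drifted from the paper's table.
Test-WWTCPasswordPolicy | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```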
WWTC Company Policy GPO

BitLocker Policy GPO Settings
Choose drive encryption method and cipher strength = enabled; AES 256-bit
Allow enhanced PINs for startup = enabled
Use enhanced Boot Configuration Data validation profile = enabled
Choose how BitLocker-protected operating system drives can be recovered = enabled; store in AD DS
Enforce drive encryption type on operating system drives = enabled; full disk encryption
Require additional authentication at startup = enabled; TPM with PIN
Allow network unlock at startup = enabled
Configure minimum PIN length for startup = enabled; min. 6 characters
Configure use of hardware-based encryption for operating system drives = enabled
Allow Secure Boot for integrity validation = enabled
Configure TPM platform validation profile for BIOS-based firmware configurations = enabled
Configure TPM platform validation profile for native UEFI firmware configurations = enabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing = enabled
System cryptography: Force strong key protection for user keys stored on the computer = user is prompted when key is first used

BranchCache GPO Settings
Turn on BranchCache = enabled
Set percentage of disk space used for client computer cache = enabled; 15%
Set BranchCache Hosted Cache mode = enabled
Configure BranchCache for network files = enabled
Enable Automatic Hosted Cache Discovery by Service Connection Point = enabled
Configure Hosted Cache Servers = enabled
Set age for segments in the data cache = enabled; 15 days
Timeout for inactive BITS jobs = enabled
Limit the maximum BITS job download time = enabled; 5 days
Limit the maximum network bandwidth for BITS background transfers = enabled
Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers = enabled
Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers = enabled
Allow BITS Peercaching = enabled
Limit the age of files in the BITS Peercache = enabled; 10 days
Limit the BITS Peercache size = enabled; 10%
Limit the maximum network bandwidth used for Peercaching = enabled
Set default download behavior for BITS jobs on costed networks = enabled
Limit the maximum number of BITS jobs for this computer = enabled
Limit the maximum number of BITS jobs for each user = enabled
Limit the maximum number of files allowed in a BITS job = enabled
Limit the maximum number of ranges that can be added to the file in a BITS job = enabled
Hash Publication for BranchCache = enabled
Hash Version support for BranchCache = enabled; value of 3

Offline (Cache) Encryption GPO Settings
Default cache size = enabled; 15%
Allow or Disallow use of the Offline Files feature = enabled
Encrypt the Offline Files cache = enabled
Event logging level = enabled
Files not cached = enabled
Action on server disconnect = enabled; never go offline
Prevent use of Offline Files folder = enabled
Prohibit user configuration of Offline Files = enabled
Remove "Make Available Offline" command = enabled
Remove "Make Available Offline" for these files and folders = enabled
At logoff delete local copy of user's offline files = enabled
Limit disk space used by Offline Files = enabled

Smart Card GPO Settings
Interactive logon: Do not display last user name = enabled
Interactive logon: Display user information when session is locked = name only
Interactive logon: Machine account lockout threshold = 3 attempts
Interactive logon: Machine inactivity limit = 7 minutes
Interactive logon: Message text for users attempting to logon = TBD
Interactive logon: Message title for users attempting to logon = TBD
Interactive logon: Number of previous logons to cache (in case domain controller is not available) = 1 logon
Interactive logon: Prompt user to change password before expiration = 15 days
Interactive logon: Require smart card = enabled
Interactive logon: Smart card removal behavior = lock workstation
Allow certificates with no extended key usage certificate attribute = enabled
Filter duplicate logon certificates = enabled
Allow signature keys valid for Logon = enabled
Turn on certificate propagation from smart card = enabled
Configure root certificate clean up = enabled
Turn on root certificate propagation from smart card = enabled
Display string when smart card is blocked = enabled
Prevent plaintext PINs from being returned by Credential Manager = enabled
Allow user name hint = enabled
Turn on Smart Card Plug and Play service = enabled
Notify user of successful smart card driver installation = enabled
Allow ECC certificates to be used for logon and authentication = enabled

File Classification GPO Settings
File Classification Infrastructure: Display Classification tab in File Explorer = enabled
File Classification Infrastructure: Specify classification properties list = enabled
Customize message for Access Denied errors = enabled
Enable access-denied assistance on client for all file types = enabled
(Microsoft, 2015)
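The WWTC Company Policy GPO itself can be created, linked and populated with the GroupPolicy module; the block below is an added example, not the paper's, covering the Smart Card / Interactive logon rows and the BitLocker TPM-with-PIN and minimum PIN rows from the tables above, and it assumes rights to create and link GPOs in WWTC.com and that the registry value names (mine, the standard ones behind these policies) are confirmed against your own ADMX set before use.

```powershell
# Added example, not part of the paper: creates and links "WWTC Company Policy"
# and writes the Smart Card / Interactive logon settings and the BitLocker
# TPM+PIN settings listed above as the registry values those policies map to.
# Assumptions: GroupPolicy module (RSAT); rights to create/link GPOs in WWTC.com.
# Values are the paper's; the registry value names are mine (standard names for
# these policies, verify against your ADMX). Set-GPRegistryValue files them under
# Administrative Templates rather than Security Options in GPMC, but the client
# receives exactly the same registry keys.
Import-Module GroupPolicy

$GpoName  = 'WWTC Company Policy'
$DomainDN = 'DC=WWTC,DC=com'
$System   = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Winlogon = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Fve      = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'

$Settings = @(
    @{ Key=$System;   Name='DontDisplayLastUserName';         Type='DWord';  Value=1 }   # Do not display last user name
    @{ Key=$System;   Name='InactivityTimeoutSecs';           Type='DWord';  Value=420 } # Machine inactivity limit = 7 minutes
    @{ Key=$System;   Name='MaxDevicePasswordFailedAttempts'; Type='DWord';  Value=3 }   # Machine account lockout threshold
    @{ Key=$System;   Name='ScForceOption';                   Type='DWord';  Value=1 }   # Require smart card
    @{ Key=$Winlogon; Name='ScRemoveOption';                  Type='String'; Value='1' } # Removal behavior: lock workstation
    @{ Key=$Winlogon; Name='CachedLogonsCount';               Type='String'; Value='1' } # Previous logons to cache
    @{ Key=$Winlogon; Name='PasswordExpiryWarning';           Type='DWord';  Value=15 }  # Prompt before expiration (days)
    @{ Key=$Fve;      Name='UseAdvancedStartup';              Type='DWord';  Value=1 }   # Require additional authentication at startup
    @{ Key=$Fve;      Name='UseTPMPIN';                       Type='DWord';  Value=1 }   # 1 = require TPM with PIN
    @{ Key=$Fve;      Name='MinimumPIN';                      Type='DWord';  Value=6 }   # Minimum PIN length
)

function Install-WWTCCompanyPolicy {
    # Creates the GPO once, links it at the domain root, then writes every value.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Smart card, interactive logon and BitLocker baseline'
        New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null
    }
    foreach ($s in $Settings) {
        Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type $s.Type -Value $s.Value | Out-Null
    }
    return $gpo
}

function Test-WWTCCompanyPolicy {
    # Reads every value back out of the GPO and returns only the ones that differ.
    foreach ($s in $Settings) {
        $v = Get-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -ErrorAction SilentlyContinue
        if ($null -eq $v -or "$($v.Value)" -ne "$($s.Value)") {
            [pscustomobject]@{ Key = $s.Key; Name = $s.Name; Expected = $s.Value; Actual = $v.Value }
        }
    }
}

Install-WWTCCompanyPolicy | Out-Null
$drift = @(Test-WWTCCompanyPolicy)
if ($drift.Count -eq 0) { 'WWTC Company Policy matches the required settings.' }
else { $drift | Format-Table -AutoSize }
```

Re-running the script is safe: the GPO is created only once and each value is simply rewritten, so the drift report doubles as the post-change verification step.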
References

Microsoft. (2007, April 30). Windows BitLocker Drive Encryption Step-by-Step Guide. Retrieved from https://technet.microsoft.com/en-us/library/c61f2a12-8ae6-4957-b031-97b4d762cf31
Microsoft. (2012, July 25). Use Group Policy To Configure Domain Member Client Computers. Retrieved from https://technet.microsoft.com/en-gb/library/jj572988.aspx#bkmk_gp
Microsoft. (2015, October 19). BranchCache Overview. Retrieved from https://technet.microsoft.com/en-us/library/hh831696.aspx
Microsoft. (2013, November 1). Create a Failover Cluster. Retrieved from https://technet.microsoft.com/en-us/library/dn505754.aspx
Microsoft. (2007, April 25). Introduction to File Server Resource Manager. Retrieved from https://technet.microsoft.com/en-us/library/cc755670%28v=ws.10%29.aspx
Microsoft. (2014, April 15). IP Address Management Overview. Retrieved from https://technet.microsoft.com/en-GB/library/hh831353.aspx#ASM
Microsoft. (2007). The Secure Access Using Smart Cards Planning Guide. Retrieved from https://www.microsoft.com/en-us/download/confirmation.aspx?id=4184
Microsoft. (2015, November 23). Group Policy Settings Reference for Windows and Windows Server: Windows 8.1 Update and Windows Server 2012 R2 Update 1 .xlsx. Retrieved February 22, 2016, from https://www.microsoft.com/en-us/download/details.aspx?id=25250
Microsoft. (2014). What are Domains and Forests? TechNet. Retrieved February 22, 2016, from https://technet.microsoft.com/enus/library/cc759073(v=ws.10).aspx#w2k3tr_logic_what_ovkc
Minasi, M. (2014). Mastering Windows Server 2012 R2 (1st ed.).
Savill, J. (2013, May 29). Windows Server 2012 File Classification Infrastructure. Retrieved from http://windowsitpro.com/windows-server-2012/windows-server-2012-fci
UMUC. (n.d.). Case Study World Wide Trading Company. Retrieved February 22, 2016, from https://learn.umuc.edu/d2l/le/dropbox/173660/290354/DownloadAttachment?fid=4908850
UMUC. (n.d.). WWTC Office Layout. Retrieved February 22, 2016, from https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NDkwODg1NA/WWTC Office Layout.png?ou=173660
UMUC. (n.d.). Active Directory Design and Implementation Assignment. Retrieved February 22, 2016, from https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NDkwODg1OQ/Security Policy and Security Design Assignment.docx?ou=173660

LAN, VOIP and Wireless 19

3 - Network LAN Design with VoIP and Wireless Services

Introduction

The assignment for week three called for the creation of a "detailed LAN design of network with VoIP services, Wireless services, protocols, devices, and interconnectivity, with WAN" (UMUC, n.d.). According to the assignment document (UMUC, n.d.), "this section must include but is not limited to:
· Equipment List
· Hierarchical IP scheme and VLAN
· Link IP addresses
· High Level Diagram
· Voice and Wireless Design
The network details were generated from the information provided in the Case Study World Wide Trading Company document (UMUC, n.d.).

Equipment List

The company has provided a list of requirements that must be met in order for the newly designed network to meet the company's current and long-term business plans. Requirements that impact the LAN design directly include the need for much faster, higher performance network services. This requires a design that not only provides higher available bandwidth, but is also designed in such a way as to reduce congestion that can occur due to issues such as excessive broadcast traffic, multicast flooding and routing loops. Another essential requirement is scalability and provision for 100% growth, so that the network is capable of supporting the business without major additions as the company expands to over twice its current size. Modularity is another requirement, which ensures that when expansion is needed, or network changes are required, the company can make those changes with minimal disruption to network performance and the business. Migration provision to IPv6, while not an immediate need, must also be built into the network infrastructure so that as the use of IPv6 becomes more prevalent, the company can leave IPv4 behind with minimal business disruption and expense. Further requirements are centralized network administration with DHCP services, a hierarchical IP address scheme with route aggregation, integrated support for VoIP, streaming video/media support, and a solid, layered defense-in-depth security approach. A thorough and detailed plan is necessary in order to accommodate these requirements.

The equipment chosen for a network design that meets all of the above requirements must be very high performance, have double the number of ports currently required by the business, integrate well into a layered network structure that facilitates centralized administration, and support high availability configurations. The Cisco product line supports all of these attributes, and building a network infrastructure using equipment from a single vendor is a widely used strategy because it ensures seamless hardware, protocol and interface integration, so that the network performs as a single unit from the end user perspective, which is highly desirable. The devices listed in the following table will easily accommodate twice the current 250-device demand within the company while also delivering high performance for VoIP and streaming media applications, high availability, and wireless integration, along with the other aforementioned requirements.

Device | Cisco Model # | Quantity | Comments
Redundant Core Switches | 6509-E | 2 | Fault tolerant support for up to 534 devices, IP services
Distribution layer switches | 4503-E | 2 | Fault tolerant full mesh distribution layer, IP services
Access layer switches | WS-C3850-48U-E | 22 | UPoE support, 48 Gig ports per switch, IP services, stackable for fault tolerant performance, integrated wireless controller
Firewall with IPS | ASA 5508-X | 2 | Redundant support for dual WAN link design; ingress/egress IPS security
Redundant power supply for access switch | PWR-C1-1100WAC | 22 | Second power supply for each WS-C3850-48U-E
Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | 4 | Provides 10G redundant support at the core
Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | 2 | Provides redundant power supply support
Cisco 4500 switch supervisor | Cisco WS-X45-Sup 7L-E | 4 | Provides 10G redundant distribution support
Cisco 4500 series line card | Cisco Catalyst 4500E UPOE Line Card | 4 | Provides 1G redundant access support
The network design is focused on centralized administration for the purpose of decreasing administrative overhead by enabling a smaller number of IT staff to maintain the network. All network services, such as DHCP, DNS, Active Directory and software maintenance and deployment services, are managed in a centralized yet hierarchical configuration. The network design also delivers a high degree of redundancy. Every switch within the infrastructure has dual uplink connections to the network infrastructure. Each switch is also equipped with dual power supplies, and the network itself is configured in a partial mesh so that there is no single point of failure that could cause business disruption for the company. In addition, each chassis switch (the Cisco 4500 and 6500 series) has dual supervisor engines so that if one engine fails, this fault tolerant configuration enables the switch to continue operating.

To fulfill the security requirements of the company, the network is equipped with a Cisco ASA 5500 series firewall that features IPS services so that would-be intrusions can be detected and quickly shut down while administrators are alerted to the attack. Each department is configured with its own VLAN, and ACLs are configured between the VLANs so that only authorized traffic is allowed to pass between VLANs on the network. Should the company deem it necessary, the 4500 and 6500 series switches can also be equipped with IPS
  • 41. supervisor engines so that the core and distribution layers of the network are also protected by IPS (providing yet another layer of defense against intruders). The 3850 series switches feature an integrated wireless controller, which enables seamless wireless mobility throughout the wireless coverage area within the building. All switches will be configured with RSTP to prevent network loops, EIGRP to automate routing table population and maintenance (with fast convergence), and route summarization employed on a per-subnet basis for efficiency. All switches also support IGMP, IGMP snooping, and PIM for layer 2 and layer 3 multicast forwarding, with PoE and VoIP services supported at the access layer for IP telephony. Finally, each switch is modular, enabling the company to add new features to the network in the future should the need arise. In order to effectively manage the new network infrastructure, a naming convention plan must be drafted that provides IT staff (and users) with a logical, understandable means of identifying network devices. The following table provides such a plan:
    Device Type | Device | Device Configured Name | Placement | Connection | Comments
    Redundant Core Switches | Cisco 6509-E switch | CoreSwitch1, CoreSwitch2 | Data Center | 10G to Distribution | Fault tolerant support for up to 534 devices, IP services
    Distribution layer switches | Cisco 4503-E switch | DistSwitch1, DistSwitch2 | Data Center | 10G to Core, 1G to Access | Fault tolerant full mesh distribution layer, IP services
    Access layer switches | WS-C3850-48U-E | Quad1-1 through Quad1-5, Quad2-1 through Quad2-5, Quad3-1 through Quad3-6, Quad4-1 through Quad4-6 | Data Center | 1G to Distribution, 1G to desktop | UPoE support, 48 Gig ports per switch, IP services, stackable for fault tolerant performance, integrated wireless controller
    Firewall with IPS | ASA 5508-X | Firewall1, Firewall2 | Data Center | 1G to LAN, 100Mbps to WAN | Redundant support for dual WAN link design, ingress/egress IPS security
    Redundant power supply for access switch | PWR-C1-1100WAC | | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Second power supply for each WS-C3850-48U-E
    Wireless AP | Cisco Aironet 2600 | | Ceiling mount, catty-corner, halfway to center | 1G to Access, 802.11b/g/n to clients | 450Mbps data rate support, 802.11a/b/g/n, LAN integration, VLAN, 128 client session support
    Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Provides 10G redundant support at the core
    Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Provides redundant power supply support
    Cisco 4500 switch supervisor | Cisco WS-X45-Sup 7L-E | | Installed in DistSwitch1 and DistSwitch2 | N/A | Provides 10G redundant distribution support
    Cisco 4500 series line card | Cisco Catalyst 4500E UPOE Line Card | | Installed in DistSwitch1 and DistSwitch2 | N/A | Provides 1G redundant access support
    (Cisco ASA 5508-X with FirePOWER Services, n.d.) (Cisco Catalyst 6500 Series Switches - Products & Services, n.d.) (Cisco Catalyst 6509-E Switch, n.d.) (Compare Models, n.d.) (Cisco Catalyst 6500 Series Switches - Interfaces and Modules, n.d.) (Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series, n.d.) (Cisco Aironet 2600 Series - Products & Services, n.d.)
    Hierarchical IP Scheme and VLAN
    Location/Dept | # of IP Addresses Required | Future Growth | Rounded Power of 2 | Number of Host Bits | Subnet Address Assigned
    OPR | 21 | 21 | 64 | 10 | 172.16.6.1-62/26
    NW USA | 32 | 32 | 128 | 9 | 172.16.1.1-126/25
    SW USA | 32 | 32 | 128 | 9 | 172.16.2.1-126/25
    ...
    ... | 128 | 9 | 172.16.0.1-126/25
    VLAN Name | Location/Dept | VLAN Assignment
    Default VLAN | Unused | VLAN 1
    Management VLAN | President, Executive Assistant, VP NW, VP SW, VP NE, VP SE, CEO IT, CEO FIN, CEO HR | VLAN 3
    Staff VLAN | Staff/Reception | VLAN 5
    Broker VLAN | Broker | VLAN 7
    Black Hole VLAN | Vacant/Future Growth | VLAN 9
    Voice VLAN (VOIP) | All Departments | VLAN 10
    The WWTC VLAN assignment will follow industry best practices in alleviating traffic by designating VLANs by user, position, and type. Additionally, the default VLAN on all Cisco switches, VLAN 1, will remain unassigned, as any default settings that persist can be a potential target for outside attack. Voice traffic will be segregated onto its own VLAN to accommodate the switch configurations that favor voice traffic, including quality of service (QoS), full duplex, and other settings advantageous to voice and/or streaming traffic. According to the case study diagram, WWTC will require a management VLAN for upper-level executives, a staff VLAN for regular staff, a designated VLAN for brokers, a voice VLAN for VoIP traffic, and a black hole VLAN to ensure that all unused ports slated for future growth cannot be used in any illicit manner. The chart above details the VLAN number assignment for the aforementioned configuration. The Black Hole VLAN covers any number of users exceeding the required number, as this
  • 50. number represents current users. The management VLAN applies to any executive (President, VP, CEO), executive assistant or manager within a particular VP’s department. Configurations at the switch port level will allow traffic between VLANs via trunking, should WWTC wish to designate each VP’s individual staff as its own department with communication required between departments. This configuration addresses the concern about regular staff obtaining sensitive company data and storing it on their systems. VLAN segregation by employee level helps ensure that traffic of a given sensitivity is only shared with others whose position allows them to access such information.
    Link IP Addresses
    As part of the design process, it is important to plan out the link IP addresses that will be used to connect the network infrastructure. These links are static connections between devices that allow them to communicate effectively and securely, which is a requirement of WWTC. The links also provide redundancy, so that if any single device or multiple devices were lost, the network would continue to operate apart from the immediate device connections. Below are the tables that provide the link information for the core, distribution and access layers of the modular network design. The network is designed as a mesh to
  • 51. provide recovery from multiple failures, should they occur. Additionally, in order to use IP addresses efficiently, each link network is a /30, providing only the two device addresses that these small subnets require. Unfortunately, due to the design of the IP hierarchy, it will not be possible to use summarization points in this design.
    Core Routing
    Device A | Device B | Device A Address | Device B Address | Network Address
    FireWall1 | CoreSwitch1 | 172.30.0.1 | 172.30.0.2 | 172.30.0.0
    FireWall1 | CoreSwitch2 | 172.30.0.5 | 172.30.0.6 | 172.30.0.4
    FireWall2 | CoreSwitch1 | 172.30.0.9 | 172.30.0.10 | 172.30.0.8
  • 53. ... | 172.30.0.29 | 172.30.0.30 | 172.30.0.28
    Distribution Layer
    Device A | Device B | Device A Address | Device B Address | Network Address
    DistSwitch1 | Quad1-1 | 172.30.0.33 | 172.30.0.34 | 172.30.0.32
    DistSwitch1 | Quad1-2 | 172.30.0.37 | 172.30.0.38 | 172.30.0.36
    DistSwitch1 | Quad1-3 | 172.30.0.41 | 172.30.0.42 | 172.30.0.40
    ...
    DistSwitch2 | Quad4-6 | 172.30.0.205 | 172.30.0.206 | 172.30.0.204
    Access Layer
    Device A | Device B | Device A Address | Device B Address | Network Address
    Quad1-1 | Quad1-2 | 172.30.0.209 | 172.30.0.210 | 172.30.0.208
    Quad1-2 | Quad1-3 | 172.30.0.213 | 172.30.0.214 | 172.30.0.212
    Quad1-3 | Quad1-4 | 172.30.0.217 | 172.30.0.218 | 172.30.0.216
    ...
    ... | 172.30.1.122 | 172.30.1.120
    Quad4-6 | Quad4-2 | 172.30.1.125 | 172.30.1.126 | 172.30.1.124
    VOIP Infrastructure
    Device A | Device B | Device A Address | Device B Address | Network Address
    CUCM-1 | DistSwitch1 | 172.30.1.129 | 172.30.1.130 | 172.30.1.128
    CUCM-2 | DistSwitch1 | 172.30.1.133 | 172.30.1.134 | 172.30.1.132
    UNITY-1 | ...
    ...
    ... | DistSwitch2 | 172.30.1.157 | 172.30.1.158 | 172.30.1.156
    Wireless Infrastructure
    Device A | Device B | Device A Address | Device B Address | Network Address
    DistSwitch1 | WWTCwlan01 | 172.30.1.161 | 172.30.1.162 | 172.30.1.160
    DistSwitch2 | WWTCwlan02 | 172.30.1.165 | 172.30.1.166 | 172.30.1.164
    DistSwitch1 | WWTCwlan.access01 | 172.30.1.169 | 172.30.1.170 | 172.30.1.168
    DistSwitch2 | WWTCwlan.access02 | 172.30.1.173 | 172.30.1.174 | 172.30.1.172
    High Level Diagrams
    [Figures: Proposed Enterprise Network LAN Design; Wireless Diagram; Voice Design]
    Due to the rapid growth of World-Wide Trading Company, a new office block in New York has been acquired. In order to allow the stock brokers to achieve their business goals by offering reliable, clear and seamless communications, a new
  • 75. Voice over IP telephone network will be implemented. Every aspect of the business has been reviewed, and the VoIP network will be a valuable asset that exceeds the expectations of WWTC. World-Wide Trading Company has several specific design requirements that relate to the Voice over IP network. First, the system should be fully integrated with the data network, and the entire network should be in a centralized location. The network also needs to be modular and scalable, as massive growth is expected. Another consideration is the reduction of incoming telephone lines from the phone company to reduce costs. Lastly, the design must provide for video conferencing and multicasting services. In order to meet and exceed the requirements of WWTC, the following items are recommended for purchase. The recommended servers are the HP ProLiant DL320 G8, which are fully compatible with the Cisco Unified Communications Manager (CUCM) and the Cisco Unity Connection voicemail system software. Redundancy has been accounted for with dual power supplies and quad 10GbE Ethernet ports. Two servers would be allocated to hosting CUCM, and two servers would host the Cisco Unity voicemail system. By having redundant servers in place for each system, the voice network is capable of surviving a catastrophic failure. The Cisco voicemail is also able to
  • 76. provide redundancy by running in an active-active configuration (Cisco Unity, 2011). The servers will fit seamlessly into the new network architecture and be fully integrated into the data network (HP, 2015). The telephone sets are the newer supported models: the 7942G is recommended for the bulk of the employees, with three 7962G sets with expansion modules for the reception areas. These expansion modules give the receptionists 24 extra lines, hotlines or speed-dials, which can speed service when transferring calls (Cisco 7915, n.d.). The phones provide high-fidelity wideband audio with more frequency range than traditional analog phones, so users are less fatigued and better able to understand customers on the phone (Cisco 7942G, n.d.). Another great feature of these sets is the XML services they support, which enhance the user experience by providing world clocks, stock watching, weather and currency conversion right on the phone (XML Services, 2016). And of course they come with the full range of features expected from a traditional phone, such as speed dials, call forwarding and 3-way conferencing, as well as a built-in switch port to connect a co-located PC, reducing the cost of installing extra cabling. Power can be provided directly from the switches using Power over Ethernet, or with an additional power supply (Cisco Portfolio, n.d.). These
  • 77. phones also allow headset communications as well as speaker-phone (Cisco 7962G, n.d.). To go along with state-of-the-art communications capabilities, we also recommend the Linksys Edge video conferencing equipment for the conference rooms, providing high-definition video conferencing (Video Conferencing, n.d.). This will be an important feature to bridge the gap with the headquarters located overseas, bringing people and ideas together as if they were in the same office. The voice network is scalable to well over 100% of its current capacity, and additional phones/licenses can be purchased as the company expands. Another great feature of this voice network is that it eliminates the need for multiple separate phone lines run into the building from the phone company; instead the system relies on the Internet connections from the ISPs, which reduces overall operating costs. This design recommends two separate ISP accounts from different providers, with one of the accounts used for redundancy. In case of a WAN outage from one ISP, the network will fail over to the other ISP account. If both ISP accounts fail, the voice network will then fail over to the Public Switched Telephone Network (PSTN) through the voice-enabled router. This redundant design ensures that if one route of communications is not available, traffic is automatically diverted to the other.
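The two address-planning rules used above, sizing each department subnet to the next power of two (the Hierarchical IP Scheme table) and carving consecutive /30 networks for the point-to-point links (the Link IP tables), worked as an added Python example; this is not code from the proposal. The department counts and the first Core Routing rows are the page's values; the 172.30.0.0/23 link pool, the overlap check and all function names are assumptions made here.

```python
import ipaddress

# Added example, not the proposal's own code. Department figures and the
# first link rows are taken from the tables in this section; the /23 link
# pool and all function names are assumptions made for illustration.


def subnet_size(required: int, growth: int) -> tuple[int, int]:
    """Return (block_size, prefix_length) for one department.

    The table's "Rounded Power of 2" column is the smallest power of two that
    holds required + growth hosts plus the network and broadcast addresses:
    OPR 21 + 21 + 2 = 44 -> 64 (/26); NW USA 32 + 32 + 2 = 66 -> 128 (/25).
    """
    needed = required + growth + 2
    block = 1
    while block < needed:
        block <<= 1
    return block, 32 - (block.bit_length() - 1)


def subnet_row(base: str, prefix: int) -> str:
    """Render a subnet the way the table does: first usable address, last
    octet of the last usable address,  prefix: 172.16.6.0/26 -> '172.16.6.1-62/26'."""
    net = ipaddress.IPv4Network(f"{base}/{prefix}")
    hosts = list(net.hosts())
    return f"{hosts[0]}-{hosts[-1].packed[-1]}/{prefix}"


def allocate_links(pool: str, pairs: list[tuple[str, str]]) -> list[tuple[str, ...]]:
    """Carve consecutive /30s from `pool` for point-to-point links and return
    rows shaped like the Link IP tables: (device_a, device_b, addr_a, addr_b, network).
    A /30 has exactly two usable addresses, one per end of the link."""
    subnets = ipaddress.IPv4Network(pool).subnets(new_prefix=30)
    rows = []
    for (dev_a, dev_b), net in zip(pairs, subnets):
        first, second = net.hosts()
        rows.append((dev_a, dev_b, str(first), str(second), str(net.network_address)))
    return rows


def find_overlaps(networks: list[str]) -> list[tuple[str, str]]:
    """Return every pair of networks that overlap. An overlap means one host
    address could belong to two subnets, so per-VLAN ACLs and routes written
    against the plan would not match the traffic they are meant to control."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


if __name__ == "__main__":
    # Department rows from the Hierarchical IP Scheme table.
    for dept, base, required, growth in [
        ("OPR", "172.16.6.0", 21, 21),
        ("NW USA", "172.16.1.0", 32, 32),
        ("SW USA", "172.16.2.0", 32, 32),
    ]:
        block, prefix = subnet_size(required, growth)
        print(f"{dept:7} needs {required + growth:3} hosts -> {block:4} addresses, "
              f"{subnet_row(base, prefix)}")

    # Firewall-to-core links from the Core Routing table, in table order.
    core_links = [
        ("FireWall1", "CoreSwitch1"), ("FireWall1", "CoreSwitch2"),
        ("FireWall2", "CoreSwitch1"), ("FireWall2", "CoreSwitch2"),
    ]
    for row in allocate_links("172.30.0.0/23", core_links):
        print(" | ".join(row))

    # Sanity check that user subnets, the voice VLAN and the link pool are disjoint.
    print("overlaps:", find_overlaps(
        ["172.16.6.0/26", "172.16.1.0/25", "172.16.2.0/25", "172.20.0.0/24", "172.30.0.0/23"]))
```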
  • 78. In order for the network administrators for the New York office to effectively manage the voice network, the following device names should be used for the server equipment:
    Device Type | Device | Device Name | Placement
    HP ProLiant DL320 G8 | Intel Pentium G3240 3.10GHz Server | CUCM-1 | Data Center
    HP ProLiant DL320 G8 | Intel Pentium G3240 3.10GHz Server | CUCM-2 | Data Center
    HP ProLiant DL320 G8 | Intel Pentium G3240 3.10GHz Server | UNITY-1 | Data Center
    HP ProLiant DL320 G8 | Intel Pentium G3240 3.10GHz Server | UNITY-2 | Data Center
    The table below represents an estimated bandwidth requirement for the VoIP network using the recommended manufacturer settings. The figures are based on the G.711 codec, which both the Cisco 7942G and 7962G support. Samples are taken every 30 ms. Maximum bandwidth needed is calculated for 70% of the 105 users being on the phone at the same time.
    IP Phone | CODEC | Rate | Sample Time | Payload | Packets Per Second | Bandwidth | Frame Relay | cRTP
    7942G, 7962G | G.711 | 64 Kbps | 30 ms | 240 bytes | 33.3 | 79.4 Kbps | 76.2 Kbps | 66.6 Kbps
    Multiplied by 105 x 70% | G.711 | | | | | 5,835.9 Kbps | 5,600 Kbps | 4,895 Kbps
    The total number of current employees assigned to the new WWTC building is right around 105, taking into account the currently vacant offices which have been assigned IP phones. In order to provide for future expansion at the New York site, a Class C IP addressing scheme has been chosen to provide up to 254 usable IP addresses. The voice network has been assigned to VLAN 10 to keep voice traffic separated, and to allow for
  • 81. easy prioritization of voice traffic to ensure no delays or degraded telephone conversations.
    Devices | Needs | IP Addressing | VLAN
    Cisco IP Phones | Minimum 105 addresses needed. Class C will provide 254 addresses for future VoIP expansion. | 172.20.0.0/24 | 10
    In closing, this voice network design provides the necessary redundancy by covering both equipment failure and ISP outages, and provides for spare phones on site in case of faults with the phones themselves. The network is scalable and can easily handle over 100% growth with readily obtained IP phones. The IP addressing can also handle the number of IP addresses that will be needed in the future. The IP phones are feature-rich and will provide the employees with a positive user experience as well as making them more productive. Video conferencing will bridge the distance gap and result in easier, more productive conversations. The need for multiple phone lines for each phone number coming into the building will be eliminated with the new system. To sum it all up, this plan will
  • 82. save the business money, while providing the communication tools for the employees to accomplish their work goals.
    Wireless Design
    The following chart provides a detailed equipment listing and the office locations that will be serviced by World Wide Trade Company’s wireless network.
    Wireless Network Placement Table
    Office Location | Access Point Requirements | Wireless LAN Controller Requirements | Total AP | Total WLC
    Server Room | | 2 | | 2
    Lobby | 6 | | 6 |
    Conference Room #1 | 4 | | 4 |
    Conference Room #2 | 4 | | 4 |
    Total | | | 14 | 2
    Cisco Equipment List
    Device | Cisco Model# | Quantity | Comments
    Access Point (AP) | Cisco Aironet 2700i Access Point, AIR-CAP2702I-xK910 (10-pack) | 14 | Supports 802.11ac/n, speeds up to 1.3 Gbps, guest access, BYOD, wIPS, IPv6, and 802.1X
    Wireless LAN Controller (WLC) | Cisco 5520 Wireless Controller, AIR-CT5520-K9 | 2 | Supports 802.11ac/n, Bonjour services, guest access, BYOD, wIPS, IPv6, and 802.1X
    Access Layer Switch | Cisco Catalyst 3850 Series Switch (24 Ports), WS-C3850-24P-S | 2 | Supports PoE, Gigabit speed, expansion of WLAN, and integration with wireless infrastructure
    This chart details each infrastructure device, providing its unique name and location within World Wide Trade Company’s new location.
    Wireless Infrastructure Device Name and Placement
    Device | Device Name | Placement | Connection
    Cisco Aironet 2700i Access Point | WWTCnyc001 through WWTCnyc006 | Lobby | Access Layer Switch, vLAN 11 (Bonjour Services)
    Cisco Aironet 2700i Access Point | WWTCnyc007 through WWTCnyc010 | Conference Room #1 | Access Layer Switch, vLAN 11 (Bonjour Services)
    Cisco Aironet 2700i Access Point | WWTCnyc011 through WWTCnyc014 | Conference Room #2 | Access Layer Switch, vLAN 11 (Bonjour Services)
    Cisco 5520 Wireless Controller | WWTCwlan01, WWTCwlan02 | Server Room | Access Layer Switch, vLAN 11 (Bonjour Services), Distribution Layer Switch
    Cisco Catalyst 3850 Series Switch (Access Layer) | WWTCwlan.access01, WWTCwlan.access02 | Server Room | Access Points, Wireless LAN Controller
    The wireless LAN will have its own subnet, providing enough IP addresses (200) for end users in the lobby and both conference rooms. In addition, fifty-four IP addresses will be reserved for wireless infrastructure devices to allow for potential expansion of the network.
    Devices | Needs | IP Addressing | VLAN
    Multiple Wireless Devices | A separate subnet will be provided for the WLAN with 200 IP addresses available for clients and 52 reserved for additional infrastructure devices (i.e. access points); a vLAN will be needed for Bonjour Services (Apple devices) | 172.16.10.0/24; 200 IP addresses available for clients, 54 IP addresses reserved | 11
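The arithmetic behind the VoIP bandwidth table earlier in this section (G.711, 30 ms samples, 70% of 105 users), as an added Python example rather than the proposal's own calculation. The per-packet header and layer 2 overhead byte counts, the 25% link reserve and the function names are assumptions; the codec, sample time, user count and busy fraction are the page's.

```python
# Added example, not the proposal's own code. It reproduces the per-call and
# aggregate figures in the VoIP bandwidth table above. The header and layer 2
# overhead byte counts are assumptions (the usual voice bandwidth calculation
# inputs); the page states only the codec, sample time and the results.

IP_UDP_RTP_HEADER = 40   # 20 IP + 8 UDP + 12 RTP bytes, uncompressed (assumption)
CRTP_HEADER = 4          # compressed RTP header, bytes (assumption)
L2_OVERHEAD = {"Ethernet": 18, "Frame Relay": 6}   # bytes per frame (assumption)


def payload_bytes(codec_kbps: int = 64, sample_ms: int = 30) -> int:
    """Voice payload per packet: G.711 at 64 kbit/s sampled every 30 ms is
    64000 * 0.030 / 8 = 240 bytes, the table's Payload column."""
    return codec_kbps * 1000 * sample_ms // 1000 // 8


def packets_per_second(sample_ms: int = 30) -> float:
    """One packet per sample interval: 1000 / 30 = 33.3 pps (one decimal, as tabulated)."""
    return round(1000 / sample_ms, 1)


def per_call_kbps(link: str, compressed: bool = False,
                  codec_kbps: int = 64, sample_ms: int = 30) -> float:
    """Bandwidth of one call on `link`, in kbit/s rounded to one decimal.
    Bandwidth column: Ethernet with full headers. Frame Relay column: FR framing.
    cRTP column: Frame Relay with the 40-byte IP/UDP/RTP header compressed."""
    header = CRTP_HEADER if compressed else IP_UDP_RTP_HEADER
    frame = payload_bytes(codec_kbps, sample_ms) + header + L2_OVERHEAD[link]
    return round(frame * 8 * packets_per_second(sample_ms) / 1000, 1)


def aggregate_kbps(per_call: float, users: int = 105, busy_fraction: float = 0.70) -> float:
    """Peak load when `busy_fraction` of `users` are on a call at once
    (the table's "Multiplied by 105 x 70%" row)."""
    return round(per_call * users * busy_fraction, 1)


def bandwidth_table(users: int = 105, busy_fraction: float = 0.70) -> dict[str, tuple[float, float]]:
    """Per-call and aggregate kbit/s for the three bandwidth columns of the table."""
    per_call = {
        "Bandwidth": per_call_kbps("Ethernet"),
        "Frame Relay": per_call_kbps("Frame Relay"),
        "cRTP": per_call_kbps("Frame Relay", compressed=True),
    }
    return {col: (v, aggregate_kbps(v, users, busy_fraction)) for col, v in per_call.items()}


def max_calls(link_kbps: float, per_call: float, reserve_fraction: float = 0.25) -> int:
    """Simultaneous calls a link can carry after reserving a share of it for
    data and signalling; the reserve fraction is an assumption, not a page value."""
    return int(link_kbps * (1 - reserve_fraction) // per_call)


if __name__ == "__main__":
    for col, (call, total) in bandwidth_table().items():
        print(f"{col:12} {call:6.1f} kbps per call, {total:8.1f} kbps at 70% of 105 users")
    # The design gives each firewall a 100 Mbps WAN link.
    print("calls per 100 Mbps WAN link (25% reserved):",
          max_calls(100_000, per_call_kbps("Ethernet")))
```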
  • 88. References
    Cisco ASA 5508-X with FirePOWER Services. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/support/security/asa-5508-x-firepower-services/model.html
    Cisco Catalyst 6500 Series Switches - Products & Services. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/products/switches/catalyst-6500-series-switches/index.html
    Cisco Catalyst 6509-E Switch. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/products/switches/catalyst-6509-e-switch/index.html
    Compare Models. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/products/switches/catalyst-6500-series-switches/models-comparison.html
    Cisco Catalyst 6500 Series Switches - Interfaces and Modules. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/products/switches/catalyst-6500-series-switches/relevant-interfaces-and-modules.html
    Cisco Firewall Services Module for Cisco Catalyst 6500 and Cisco 7600 Series. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-6500-series-firewall-services-module/product_data_sheet0900aecd803e69c3.html
    Cisco Aironet 2600 Series - Products & Services. (2016, January 01). Retrieved February 01, 2016, from http://www.cisco.com/c/en/us/products/wireless/aironet-2600-series/index.html
    UMUC. (n.d.). Case Study World Wide Trading Company. Retrieved February 1, 2016, from https://learn.umuc.edu/d2l/le/dropbox/173660/290354/DownloadAttachment?fid=4908850
    UMUC. (n.d.). LAN Assignments Instructions 2015. Retrieved February 1, 2016, from https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NDkwODg1Ng/LAN Assignments Instructions 2015.docx?ou=173660
    UMUC. (n.d.). LAN, VOIP, and Wireless Assignment. Retrieved February 1, 2016, from https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NDkwODg1NQ/LAN, VoIP, and Wireless Assignment.docx?ou=173660
    UMUC. (n.d.). WWTC Office Layout. Retrieved February 1, 2016, from https://learn.umuc.edu/d2l/common/viewFile.d2lfile/Database/NDkwODg1NA/WWTC Office Layout.png?ou=173660
    [Figure: High Level VoIP Network Design. Elements shown: Cisco 6500 Series core, CUCM cluster, Unity voicemail, ISP 1, ISP 2, PSTN, teleconferencing endpoints]
    [Figure: High Level Wireless Diagram. Elements shown: wireless LAN controllers WWTCwlan01 and WWTCwlan02, access layer switches WWTCwlan.access01 and WWTCwlan.access02, layer 3 switch, backend server, access points WWTCnyc001-006 (Lobby), WWTCnyc007-010 (Conference Room #1), WWTCnyc011-014 (Conference Room #2), Server Room]
  • 93. VOIP Devices
    Device | Cisco Model# | Quantity | Comments
    Cisco Unified Communications Manager | UCM-7825-71 | 2 | Software
    Cisco Unified IP Phone | 7942G | 112 | VoIP Telephone Sets / 10 Spare
    Cisco Unified IP Phone | 7962G | 4 | VoIP Telephone Sets / 1 Spare (Reception)
    Cisco Unified IP Phone Expansion Module | 7915 | 3 | Expansion Module for 7962G (Reception)
    Cisco Unity Connection | UNITYV4-300USR | 1 | Voicemail Software
    Linksys Edge 75 Video Conference | CTS-EDGE75-K9 | 2 | IP Video Conferencing Hardware
    HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | 768638-001 | 4 | Server Equipment
    Assignment – Design Requirements
  • 96. Introduction
    The assignment for week two was to generate design requirements that show an understanding of the customer’s needs and the direction the project should take. According to the Design Requirements document (UMUC, n.d.), “the requirements include but are not limited to:
    · Design Requirements of LAN, VOIP and Wireless
    · Design Requirements of Security
    · Design Requirements of Active Directory”
    The requirements were generated from the information provided in the Case Study World Wide Trading Company document (UMUC, n.d.).
  • 97. Local Area Network Requirements
    LAN Business Goals | LAN Design Requirements
    Provide A Modular, Scalable Network | Implement the modular design recommended by the vendor, which can scale up or down depending on company needs. Implement network switching devices with at least 20% capacity reserved for future use.
    Provide Availability And Redundancy | Implement network redundancy such as Spanning Tree Protocol, and procure warm and cold spares for mission-critical devices.
    Optimize IP Addressing And Routing Schema | Implement a logical IP addressing scheme that provides security and efficiency, including route summarization.
    Security And Defense In Depth Of Network | Implement security controls for all layers of the OSI model (port security, encryption, VPN tunnels, firewalls, etc.).
    Provide Faster Network Services | Implement Gigabit connections to access layer devices and 10 Gigabit connections between the core and distribution layers. Implement 10 Gigabit connections to all high-utilization servers (file servers, Exchange, AD).
    Power | Implement Power over Ethernet (PoE) to support device power needs.
    Voice over Internet Protocol (VOIP) Requirements
    VOIP Business Goals | VOIP Design Requirements
    Integrate Voice And Data Networks | VoIP phones should share the existing LAN cabling, using the phone’s pass-through connection to provide the data connection to the corresponding workstation. This reduces the need for a separate site-based PBX.
    Power | Switches should provide Power over Ethernet to reduce the need for power adapters on phones and other PoE-capable devices.
    Scalability | Leaving at least 20% spare ports on the switches will ensure that more VoIP instruments can be added at a later date.
    100% Outside Dialing Capability With Minimum Number Of Outside Lines | By using SIP (Session Initiation Protocol), the number of physical phone lines coming into the building can be minimized.
    Provide Wireless VOIP Capability Where Wired Services Are Not Present | Recommend using wireless VoIP.
    Availability Of Services | Use two separate ISP providers with a failover system. Also provide call continuity, which would forward calls to specific mobile devices in case of an outage. Spare VoIP instruments should be on site in case of device faults.
    Security | Purchase separate VoIP security software. Encrypt traffic.
    Manageability | Managing the voice network may require some training for the IT department and users, depending on experience.
    Bandwidth | Estimate VoIP bandwidth usage based on previous call history and the number of users. Factor this figure into the overall network bandwidth requirements.
    Wireless Local Area Network (LAN) Requirements
    Wireless LAN Business Goals | Wireless LAN Design Requirements
    Fast Wireless Service | Implement a wireless LAN controller and access points to meet minimum network speed requirements.
    Secure Wireless Service (Defense-In-Depth) | Implement wireless networking hardware that supports IPSec encryption, secure mounting, a wireless Intrusion Prevention System (wIPS), and CA certificate services.
    Available Coverage In Three Rooms (Lobby And 2x Conference Room) | Two redundant wireless LAN controllers can be implemented to support between 12 and 300 access points.
  • 101. Provide Guest Access (Lobby) | Guest access to the wireless network can be handled by the receptionist. In line with defense-in-depth, guests will have to register with the receptionist for a guest access login.
    IP Scheme Redesign | The wireless LAN section of the network can have its own subnet, applied using route summarization.
    Support For Bonjour Services (AFP Protocol) | The wireless LAN controller offers the Bonjour gateway solution, which includes support for the Apple Filing Protocol (AFP).
    Support For IPv6 | Although IPv6 is not an immediate requirement, both the wireless LAN controller and the access points support IPv6.
    Security Requirements
    Security Business Goals | Security Design Requirements
    Secure Means Of Customer Purchase And Payment Over The Internet | A secured web server using one of the approved session encryption protocols (i.e. SSL/TLS), placed inside a DMZ to protect the private network.
    Secure Wireless Services To Lobby And Large Conference Room | WLAN access points should provide maximum coverage of the areas (overhead), on a single SSID with varying channels, and possibly two-factor authentication.
    Separation Of Internet Connectivity From Other Unclassified Networks | Recommended use of a combination of hard line and wireless, in addition to VLANs, to separate public and private access.
    Increased Logical Control System Authentication | A combination of username, password, and server-side session initiation (i.e. Kerberos) could provide extra security.
    Dissolve Clear Text Transfer Of Business Information Between Server And Client | Recommend a building-wide encryption standard between server and client, through any manner of protocol (SSL/TLS) or service (RADIUS).
    Control Put In Place To Prevent Local Users From Removing Data From Systems | Utilizing Active Directory and managing USB access can control access by local users from a centralized location.
    Secure Email To Control For Business Sensitive Data | Proxy servers attached to internal and external communications can challenge for criteria and curtail exchange of data.
    Secure Confidential Data Transmitted Through End User Laptops | Suggest aggressive registration of end user devices to be used for business purposes, in conjunction with Access Control Lists on switches and routers.
    Central Storage Of Classified Data, Away From Unclassified Network | Recommend storage pools which can be designated to one or more servers and placed behind any number of firewalls and Access Control List controls.
    Active Directory and Server Requirements
    Active Directory Technical Goals | Active Directory Design Requirements
    Utilize Active Directory To Manage User Rights, Access And Security Requirements | Implement Organizational Units (OUs) that mirror the company and allow for the management of users and devices. Develop Group Policy Objects (GPOs) to manage the OUs. Implement Global, Universal and Local groups to manage users. Implement the architecture to support AD (AD DS, DNS, AD Federation Services, Certificate Authority, Read Only DC).
    Encryption Of Data At Rest And In Motion | Implement BitLocker, BranchCache, and other features that provide data encryption throughout the corporate network.
    High Availability Services | Implement failover and clustering through physical and virtual machines across multiple locations to provide disaster recovery.
    File Classification Tools To Protect Data | Implement Microsoft File Server Resource Manager.
    Tools To Manage Devices On Network | Implement Microsoft IP Address Management.
    Multifactor Authentication | Implement smart cards and PINs as authentication factors.
    Remotely Deployed Operating Systems | Implement Windows Deployment Services.
    References
    UMUC. (n.d.). Case Study World Wide Trading Company. Retrieved January 25, 2016, from https://learn.umuc.edu/d2l/le/dropbox/173660/290354/DownloadAttachment?fid=4908850
    UMUC. (n.d.). Design Requirements. Retrieved January 25, 2016, from https://learn.umuc.edu/d2l/le/dropbox/173660/290354/DownloadAttachment?fid=4908852
    Appendix Contents
    Appendix A) LAN
    1. LAN Naming Conventions and Devices
    2. Hierarchical IP Scheme and VLAN
    3. Link IP Addressing
    4. High Level Network Diagram
    5. High Level VOIP Diagram
    6. High Level Wireless Diagram
    7. VOIP Devices
    8. VOIP Device Naming Conventions
    9. VOIP Bandwidth
    10. Wireless Network Placement Table
    11. Wireless Equipment List
    12. Wireless Infrastructure Device Name and Placement
    13. Wireless Device Addressing
    Appendix B) Security
    1. General Security Architecture
    2. High Availability Security
    3. High Level Security Diagram
    Appendix C) Active Directory Design
    1. Active Directory Forest
    2. Active Forest Directory
    3. Replication
  • 106. 4. Group Permissions
    5. Group Lists
    6. Default Domain Policy GPO
    7. WWTC Company Policy GPO
    Appendix D) Implementation
    1. Employee Contact Information
    2. LAN Implementation Task List
    3. AD Implementation Task List
    4. Security Implementation Task List
    5. Router Configuration
    6. Tools Required
    7. Switch Configuration Template
    8. Trunking Template
    9. Port Security Template
    10. VLAN Configuration Template
    11. Security Technology Configuration Task List
    12. DHCP Configuration Template
    13. DNS Configuration Template
    14. DNS Configuration Steps
    15. Active Directory Configuration Steps
    16. Active Directory GPO Implementation Steps
    Appendix E) Miscellaneous
    1. Project Timeline
    Appendix A: LAN
    1. LAN Naming Conventions and Devices
• 107.
| Device Type | Device | Device Configured Name | Placement | Connection | Comments |
|---|---|---|---|---|---|
| Redundant Core Switches | Cisco 6509-E switch | CoreSwitch1, CoreSwitch2 | Data Center | 10G to Distribution | Fault tolerant support for up to 534 devices, IP services |
| Distribution layer switches | Cisco 4503-E switch | DistSwitch1, DistSwitch2 | Data Center | 10G to Core; 1G to Access | Fault tolerant full mesh distribution layer, IP services |
| Access layer switches | WS-C3850-48U-E | Quad1-1 … | | | … for fault tolerant performance, integrated wireless controller |
| Firewall with IPS | ASA 5508-X | Firewall1, Firewall2 | Data Center | 1G to LAN; 100Mbps to WAN | Redundant support for dual WAN link design; ingress/egress IPS security |
| Redundant power supply for access switch | PWR-C1-1100WAC | | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Second power supply for each WS-C3850-48U-E |
| Wireless AP | Cisco Aironet 2600 | | Ceiling mount, caddy corner half way to center | 1G to Access; 802.11b/g/n to clients | 450Mbps data rate support, 802.11a/b/g/n, LAN integration, VLAN, 128 client session support |
| Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Provides 10G redundant support at the core |
| Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | | Installed in CoreSwitch1 and CoreSwitch2 | N/A | Provides redundant power supply support |
| Cisco 4500 switch supervisor | Cisco WS-X45-Sup 7L-E | | Installed in DistSwitch1 and DistSwitch2 | N/A | Provides 10G redundant distribution support |
| Cisco 4500 series line card | Cisco Catalyst 4500E UPOE Line Card | | Installed in DistSwitch1 and DistSwitch2 | N/A | Provides 1G redundant access support |
2. Hierarchical IP Scheme and VLAN
• 111.
| Location/Dept | # of IP Addresses Required | Future Growth | Rounded Power of 2 | Number of Host Bits | Subnet Address Assigned |
|---|---|---|---|---|---|
| OPR | 21 | 21 | 64 | 10 | 172.16.6.1-62/26 |
| NW USA | 32 | 32 | 128 | 9 | 172.16.1.1-126/25 |
| SW USA | 32 | 32 | 128 | 9 | 172.16.2.1-126/25 |
| NE USA | … | | | | |
• 113.
| VLAN | Location/Dept | VLAN Assignment |
|---|---|---|
| Default VLAN | Unused | VLAN 1 |
| Management VLAN | President, Executive Assistant, VP NW, VP SW, VP NE, VP SE, CEO IT, CEO FIN, CEO HR | VLAN 3 |
| Staff VLAN | Staff/Reception | VLAN 5 |
| Broker VLAN | Broker | VLAN 7 |
| Black Hole VLAN | Vacant/Future Growth | VLAN 9 |
| Voice VLAN (VOIP) | All Departments | VLAN 10 |
3. Link IP Addressing
Core Routing
| Device A | Device B | Device A Address | Device B Address | Network Address |
|---|---|---|---|---|
| FireWall1 | CoreSwitch1 | 172.30.0.1 | 172.30.0.2 | 172.30.0.0 |
| FireWall1 | CoreSwitch2 | 172.30.0.5 | 172.30.0.6 | 172.30.0.4 |
| FireWall2 | CoreSwitch1 | 172.30.0.9 | 172.30.0.10 | 172.30.0.8 |
| FireWall2 | CoreSwitch2 | 172.30.0.13 | 172.30.0.14 | 172.30.0.12 |
| CoreSwitch1 | … | | | |
• 116.
| Device A | Device B | Device A Address | Device B Address | Network Address |
|---|---|---|---|---|
| DistSwitch1 | Quad1-1 | 172.30.0.33 | 172.30.0.34 | 172.30.0.32 |
| DistSwitch1 | Quad1-2 | 172.30.0.37 | 172.30.0.38 | 172.30.0.36 |
| DistSwitch1 | Quad1-3 | 172.30.0.41 | 172.30.0.42 | 172.30.0.40 |
| DistSwitch1 | Quad1-4 | 172.30.0.45 | 172.30.0.46 | 172.30.0.44 |
| DistSwitch1 | Quad1-5 | 172.30.0.49 | … | |
• 125.
| Device A | Device B | Device A Address | Device B Address | Network Address |
|---|---|---|---|---|
| Quad1-1 | Quad1-2 | 172.30.0.209 | 172.30.0.210 | 172.30.0.208 |
| Quad1-2 | Quad1-3 | 172.30.0.213 | 172.30.0.214 | 172.30.0.212 |
| Quad1-3 | Quad1-4 | 172.30.0.217 | 172.30.0.218 | 172.30.0.216 |
| Quad1-4 | Quad1-5 | 172.30.0.221 | 172.30.0.222 | 172.30.0.220 |
| Quad1-5 | … | | | |
• 134. VOIP Infrastructure
| Device A | Device B | Device A Address | Device B Address | Network Address |
|---|---|---|---|---|
| CUCM-1 | DistSwitch1 | 172.30.1.129 | 172.30.1.130 | 172.30.1.128 |
| CUCM-2 | DistSwitch1 | 172.30.1.133 | 172.30.1.134 | 172.30.1.132 |
| UNITY-1 | DistSwitch1 | 172.30.1.137 | 172.30.1.138 | 172.30.1.136 |
| UNITY-2 | DistSwitch1 | 172.30.1.141 | 172.30.1.142 | … |
• 136.
| Device A | Device B | Device A Address | Device B Address | Network Address |
|---|---|---|---|---|
| DistSwitch1 | WWTCwlan01 | 172.30.1.161 | 172.30.1.162 | 172.30.1.160 |
| DistSwitch2 | WWTCwlan02 | 172.30.1.165 | 172.30.1.166 | 172.30.1.164 |
| DistSwitch1 | WWTCwlan.access01 | 172.30.1.169 | 172.30.1.170 | 172.30.1.168 |
| DistSwitch2 | WWTCwlan.access02 | 172.30.1.173 | 172.30.1.174 | 172.30.1.172 |
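The subnet sizing rule of the Hierarchical IP Scheme table and the sequential /30 link allocation used throughout the Link IP Addressing tables, as an added example that is not part of the WWTC design document. The 172.16.x.0 department blocks and the 172.30.0.0/24 link block are taken from the tables; the header sizes and the device-pair order are assumptions that reproduce the rows shown.

```python
# Added example, not part of the WWTC design document: reproduces the two
# addressing rules the appendix tables apply, with Python's ipaddress module.
# The 172.16.x.0 department blocks and the 172.30.0.0/24 link block come from
# the tables; which device pair gets which /30 follows the table's row order.
import ipaddress
import math


def host_bits_for(required: int, growth: int) -> int:
    """Smallest host-bit count whose block holds required + growth usable
    addresses plus the network and broadcast addresses."""
    return max(2, math.ceil(math.log2(required + growth + 2)))


def size_user_subnet(required: int, growth: int, network: str) -> dict:
    """Size one department subnet the way the Hierarchical IP Scheme table
    does: OPR needs 21 + 21 -> 64 addresses -> /26 -> 172.16.6.1-62/26."""
    prefix = 32 - host_bits_for(required, growth)
    net = ipaddress.ip_network(f"{network}/{prefix}")
    hosts = list(net.hosts())
    last_octet = str(hosts[-1]).rsplit(".", 1)[1]
    return {"block": net.num_addresses, "prefix": prefix,
            "range": f"{hosts[0]}-{last_octet}/{prefix}"}


def allocate_links(pairs, base: str = "172.30.0.0/24") -> list:
    """Hand out sequential /30s from `base`, one per (device_a, device_b)
    pair; the lower usable address goes to device A, the upper to device B."""
    subnets = ipaddress.ip_network(base).subnets(new_prefix=30)
    rows = []
    for (dev_a, dev_b), link in zip(pairs, subnets):
        addr_a, addr_b = link.hosts()
        rows.append((dev_a, dev_b, str(addr_a), str(addr_b),
                     str(link.network_address)))
    return rows


def links_are_disjoint(rows) -> bool:
    """Sanity check for the allocation: no two link networks overlap."""
    nets = [ipaddress.ip_network(f"{row[4]}/30") for row in rows]
    return all(not a.overlaps(b)
               for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    print(size_user_subnet(21, 21, "172.16.6.0"))   # the OPR row of the table
    core = [("FireWall1", "CoreSwitch1"), ("FireWall1", "CoreSwitch2"),
            ("FireWall2", "CoreSwitch1"), ("FireWall2", "CoreSwitch2")]
    for row in allocate_links(core):                # the Core Routing rows
        print(row)
```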
• 137. 4. High Level Network Diagram
5. High Level VOIP Diagram
6. High Level Wireless Diagram
• 138. 7. VOIP Devices
| Devices | Needs | IP Addressing | VLAN |
|---|---|---|---|
| Cisco IP Phones | Minimum 105 addresses needed. Class C will provide 254 addresses for future VoIP expansion. | 172.20.0.0/24 | 10 |
8. VOIP Device Naming Conventions
| Device Type | Device | Device Name | Placement |
|---|---|---|---|
| HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | Server | CUCM-1 | Data Center |
| HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | Server | CUCM-2 | Data Center |
| HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | Server | UNITY-1 | Data Center |
| HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | Server | UNITY-2 | Data Center |
9. VOIP Bandwidth
| IP Phone | CODEC | Rate | Sample Time | Payload | Packets Per Second | Bandwidth | Frame Relay | cRTP |
|---|---|---|---|---|---|---|---|---|
| 7942G, 7962G | G.711 | 64 Kbps | 30 ms | 240 bytes | 33.3 | 79.4 Kbps | 76.2 Kbps | 66.6 Kbps |
| Multiplied by 105 x 70% | G.711 | | | | | 5,835.9 Kbps | 5,600 Kbps | 4,895 Kbps |
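The arithmetic behind the VOIP Bandwidth table, as an added example rather than the design document's own calculation. The per-packet header sizes (IP/UDP/RTP 40 bytes, Ethernet 18, Frame Relay 6, cRTP 4) are assumptions; with them the per-call figures reproduce the table's values to one decimal.

```python
# Added example, not part of the WWTC design document: reproduces the
# VOIP Bandwidth table's arithmetic for G.711 at a 30 ms sample time.
# The header sizes are my assumption (the usual planning values:
# IP/UDP/RTP 40 bytes, Ethernet 18, Frame Relay 6, cRTP 4); with them the
# per-call figures match the table to one decimal.
IP_UDP_RTP = 40    # bytes of IP + UDP + RTP header per voice packet
ETHERNET = 18      # bytes of Ethernet framing (the table's "Bandwidth" column)
FRAME_RELAY = 6    # bytes of Frame Relay framing
CRTP = 4           # bytes the 40-byte IP/UDP/RTP header compresses to


def packets_per_second(sample_ms: float) -> float:
    """One packet per sample interval, rounded as the table does: 30 ms -> 33.3."""
    return round(1000.0 / sample_ms, 1)


def payload_bytes(codec_kbps: float, sample_ms: float) -> int:
    """Codec bits per sample interval, in bytes: 64 kbps * 30 ms / 8 = 240."""
    return int(codec_kbps * sample_ms / 8)


def call_bandwidth_kbps(codec_kbps, sample_ms, l2_bytes, l3_bytes=IP_UDP_RTP):
    """Per-call bandwidth for one encapsulation: (payload + headers) * 8 * pps."""
    frame = payload_bytes(codec_kbps, sample_ms) + l3_bytes + l2_bytes
    return round(frame * 8 * packets_per_second(sample_ms) / 1000, 1)


def g711_row(sample_ms: int = 30) -> dict:
    """The per-phone row of the table: Ethernet, Frame Relay, and FR with cRTP."""
    return {
        "pps": packets_per_second(sample_ms),
        "payload": payload_bytes(64, sample_ms),
        "ethernet": call_bandwidth_kbps(64, sample_ms, ETHERNET),
        "frame_relay": call_bandwidth_kbps(64, sample_ms, FRAME_RELAY),
        "crtp": call_bandwidth_kbps(64, sample_ms, FRAME_RELAY, CRTP),
    }


def aggregate_kbps(per_call_kbps: float, phones: int = 105,
                   busy_fraction: float = 0.70) -> float:
    """The table's sizing rule: 105 phones with 70% assumed active at once
    (the table prints the Frame Relay and cRTP totals to whole kbps)."""
    return round(per_call_kbps * phones * busy_fraction, 1)


if __name__ == "__main__":
    row = g711_row()
    print(row)
    for key in ("ethernet", "frame_relay", "crtp"):
        print(key, aggregate_kbps(row[key]), "Kbps")
```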
• 141. 10. Wireless Network Placement Table
| Office Location | Access Point Requirements (Total AP) | Wireless LAN Controller Requirements (Total WLC) |
|---|---|---|
| Server Room | 2 | 2 |
| Lobby | 6 | 6 |
| Conference Room #1 | 4 | 4 |
| Conference Room #2 | 4 | 4 |
| Total | 14 | 2 |
11. Wireless Equipment List
Cisco Equipment List
| Device | Cisco Model# | Quantity | Comments |
|---|---|---|---|
| Access Point (AP) | Cisco Aironet 2700i Access Point, AIR-CAP2702I-xK910 (10-pack) | 14 | Supports 802.11ac/n, speeds up to 1.3 Gbps, guest access, BYOD, wIPS, IPv6, and 802.1X |
| Wireless LAN Controller (WLC) | Cisco 5520 Wireless Controller, AIR-CT5520-K9 | 2 | Supports 802.11ac/n, Bonjour services, guest access, BYOD, wIPS, IPv6, and 802.1X |
| Access Layer Switch | Cisco Catalyst 3850 Series Switch (24 Ports), WS-C3850-24P-S | 2 | Supports PoE, Gigabit speed, expansion of WLAN, and integration with wireless infrastructure |
12. Wireless Infrastructure Device Name and Placement
| Device | Device Name | Placement | Connection |
|---|---|---|---|
| Cisco Aironet 2700i Access Point | WWTCnyc001, WWTCnyc002, WWTCnyc003, WWTCnyc004, WWTCnyc005, WWTCnyc006 | Lobby | Access Layer Switch, vLAN 11 (Bonjour Services) |
| Cisco Aironet 2700i Access Point | WWTCnyc007, WWTCnyc008, WWTCnyc009, WWTCnyc010 | Conference Room #1 | Access Layer Switch, vLAN 11 (Bonjour Services) |
| Cisco Aironet 2700i Access Point | WWTCnyc011, WWTCnyc012, WWTCnyc013, WWTCnyc014 | Conference Room #2 | Access Layer Switch, vLAN 11 (Bonjour Services) |
| Cisco 5520 Wireless Controller | WWTCwlan01, WWTCwlan02 | Server Room | Access Layer Switch, vLAN 11 (Bonjour Services); Distribution Layer Switch |
| Cisco Catalyst 3850 Series Switch (Access Layer) | WWTCwlan.access01, WWTCwlan.access02 | Server Room | Access Points; Wireless LAN Controller |
13. Wireless Device Addressing
| Devices | Needs | IP Addressing | VLAN |
|---|---|---|---|
| Multiple Wireless Devices | A separate subnet will be provided for the WLAN with 200 IP addresses available for clients and 52 reserved for additional infrastructure devices (i.e. access points); a vLAN will be needed for Bonjour Services (Apple devices) | 172.16.10.0/24; 200 IP addresses available for clients; 54 IP addresses reserved | 11 |

Appendix B: Security
1. General Security Architecture
Figure: WWTC IT Security Architecture Framework (labels: Data/Information Security; Identity and Access Management; Authorization; IT Security Policy Implementation; Audit; Authentication; Application Security; Infrastructure Security)
2. High Availability Security
Figure 1. Lukatsky, 2003
3. High Level Security Diagram
• 148. Appendix C: Active Directory Design
1. Active Directory Forest
Domain: WWTC.com. Domain container 2 and the 3rd container; replication may be present.
• 149. 2. Active Forest Directory
3. Replication
4. Group Permissions
5. Group Lists
For the design of WWTC, we will be using the following Universal groups:
· President_U
· VPs_U
· CEOs_U
· Managers_U
· Brokers_U
· Staff_U
· ITSupport_U
· Operations_U
· IT_U
· Finance_U
· HR_U
· Workstations_U
· Printers_U
· Servers_U
We will create the following Global Groups:
· President
· VPs
· CEOs
· Managers
· Brokers
· Staff
· ITSupport
· Operations
· IT
· Finance
· HR
· Workstations
· Printers
· Servers
We will create the following Domain Local Groups:
· President_Resources
· VPs_Resources
· CEOs_Resources
· Managers_Resources
· Brokers_Resources
· Staff_Resources
· ITSupport_Resources
· Operations_Resources
· IT_Resources
· Finance_Resources
· HR_Resources
6. Default Domain Policy GPO
Password Policy GPO Settings
Enforce password history = 6 passwords remembered
Maximum password age = 60 days
Minimum password age = 15 days
Minimum password length = 12 characters
Password must meet complexity requirements
Store passwords using reversible encryption for all users in the domain
Account lockout duration = 15 minutes
Account lockout threshold = 3 invalid logon attempts
Reset lockout counter after = 15 minutes
Account Audit GPO Settings
Audit account logon events = success / failure
Audit account management = success / failure
Audit directory service access = success / failure
Audit logon events = success / failure
Audit object access = success / failure
• 152. Audit policy change = success / failure
Audit privilege use = success / failure
Audit process tracking = success / failure
Audit system events = success / failure
User Account Control (UAC) GPO Settings
User Account Control: Admin Approval Mode for the Built-in Administrator account = enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = prompt for consent on the secure desktop
User Account Control: Behavior of the elevation prompt for standard users = prompt for credentials
User Account Control: Detect application installations and prompt for elevation = enabled
User Account Control: Only elevate executables that are signed and validated = enabled
User Account Control: Run all administrators in Admin Approval Mode = enabled
User Account Control: Switch to the secure desktop when prompting for elevation = enabled
User Account Control: Virtualize file and registry write failures to per-user locations = enabled
7. WWTC Company Policy GPO
• 153. BitLocker Policy GPO Settings
Choose drive encryption method and cipher strength = enabled; AES 256-bit
Allow enhanced PINs for startup = enabled
Use enhanced Boot Configuration Data validation profile = enabled
Choose how BitLocker-protected operating system drives can be recovered = enabled; store in AD DS
Enforce drive encryption type on operating system drives = enabled; full disk encryption
Require additional authentication at startup = enabled; TPM with PIN
Allow network unlock at startup = enabled
Configure minimum PIN length for startup = enabled; min. 6 characters
Configure use of hardware-based encryption for operating system drives = enabled
Allow Secure Boot for integrity validation = enabled
Configure TPM platform validation profile for BIOS-based firmware configurations = enabled
Configure TPM platform validation profile for native UEFI firmware configurations = enabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing = enabled
System cryptography: Force strong key protection for user keys stored on the computer = user is prompted when key is first used
BranchCache GPO Settings
Turn on BranchCache = enabled
Set percentage of disk space used for client computer cache = enabled; 15%
Set BranchCache Hosted Cache mode = enabled
Configure BranchCache for network files = enabled
Enable Automatic Hosted Cache Discovery by Service Connection Point = enabled
Configure Hosted Cache Servers = enabled
Set age for segments in the data cache = enabled; 15 days
Timeout for inactive BITS jobs = enabled
Limit the maximum BITS job download time = enabled; 5 days
Limit the maximum network bandwidth for BITS background transfers = enabled
Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers = enabled
Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers = enabled
Allow BITS Peercaching = enabled
Limit the age of files in the BITS Peercache = enabled; 10 days
Limit the BITS Peercache size = enabled; 10%
Limit the maximum network bandwidth used for Peercaching = enabled
Set default download behavior for BITS jobs on costed networks = enabled
Limit the maximum number of BITS jobs for this computer = enabled
Limit the maximum number of BITS jobs for each user = enabled
Limit the maximum number of files allowed in a BITS job = enabled
Limit the maximum number of ranges that can be added to the file in a BITS job = enabled
Hash Publication for BranchCache = enabled
Hash Version support for BranchCache = enabled; value of 3
Offline (Cache) Encryption GPO Settings
Default cache size = enabled; 15%
Allow or Disallow use of the Offline Files feature = enabled
Encrypt the Offline Files cache = enabled
Event logging level = enabled
Files not cached = enabled
Action on server disconnect = enabled; never go offline
Prevent use of Offline Files folder = enabled
Prohibit user configuration of Offline Files = enabled
Remove "Make Available Offline" command = enabled
Remove "Make Available Offline" for these files and folders =