AAP: Design Requirement 1

Design Requirements

Group 4

University of Maryland University College

CMIT 495

Introduction of Business Goals

World-Wide Trading Company's (WWTC) expansion to a regional office in New York City will be a profitable venture. Current estimates show that this regional office will increase revenue from 10 billion to 40 billion by 2015. Initial operating costs for WWTC will rise, but the new regional office's growth will reduce the operating cost from 30 to 15 percent by 2015. Both of these goals will be accomplished by implementing a system for buying and selling through E-commerce.

DRs of Security

Entering the world of E-commerce will open WWTC to new risks. This market is heavily reliant upon customer trust; customers' financial and other personal information must be kept secure. There is zero room for error, and thus security will be a high priority for WWTC when expanding into this new market. WWTC will need to provide customers with a secure means to perform online transactions and a secure way to store their information. There will also need to be a security policy drawn up that creates processes for change management, technical standards, and employee training. The security policy will be drawn up with input from management and an information assurance expert. It will cover acceptable use, connections to other WWTC offices, how sensitive information is handled, privacy protection for network users and customer data, the baseline requirements a device must meet before it is connected to the network, and the basis for any legal action pertinent to WWTC network operations.

There will also need to be a secure means to transmit sensitive data such as business strategy and customer data. One of the best ways is to train employees to use the encryption option in Microsoft Outlook. This will encrypt the message and send it across the network as ciphertext instead of plain text, which will help stop man-in-the-middle attacks. Another option is to create secure tunnels with encryption devices such as the KG-175G from General Dynamics.

This device will allow WWTC to create a small secure network that can connect to the WWTC headquarters sensitive network. It can be connected to the edge router or the core layer switch.

You can then place an access layer switch behind the KG-175G to connect a limited number of sensitive computers. The KG-175G will provide NSA-certified encryption for the information tunneled across the WAN to headquarters, keeping the sensitive information secure.

DRs of Local Area Network (LAN), VoIP and Wireless

The New York region will also be the first region to create a state-of-the-art Voice over IP (VoIP) and Data Network that the rest of the company will eventually duplicate. Utilizing VoIP will allow the company to integrate voice and data networks into one data network. Instead of requiring 4 circuits from the Internet Service Providers (2 for each network), the New York Regional office will only require 2 outside connections, because both voice and data services will run on the same network. While these two connections will be a little larger and more expensive, they will still be less expensive than having 4 separate circuits. The VoIP phones will receive power through PoE (Power over Ethernet). This requires the network switches to be PoE-capable so they can provide power to the VoIP phones. This is a great feature, because it does not require the phone to have a power outlet; instead, the same cable that provides the network connection powers the phone. The phones can also act as bridges for any other co-located network devices, reducing the cabling requirements from access level switches.

There will need to be Virtual LANs (VLANs) for each department. This will protect the network from layer 2 loops, add performance enhancements, and enhance overall network security. VLANs do this by isolating departmental traffic to one Virtual LAN to ensure that no one can accidentally or maliciously view network traffic from another department. Isolated VLANs will ensure that department "employees do not have to share a broadcast domain with other users on the network, which improves performance." VLANs also help cut costs by separating the departments while using one set of devices rather than purchasing different devices for every department.

The initial requirements include approximately 330 devices on the New York network. A "/23" network (capable of handling 512 IP addresses) can fit all of the devices, but a /22 would be better for future expansion. A /22 would allow around 1000 devices to be on the WWTC network at the New York Regional Office. Another requirement to support the number of devices necessary will be access switches. Access switches are the switches that users are directly connected to, allowing access to the network. Access switches then connect to distribution switches at a ten-to-one ratio, with redundant connections for network availability. Up to six distribution switches will each then connect to a core layer switch (with a redundant connection to a separate core switch). The core layer switches will be the backbone of the network and will handle the traffic to and from the Internet routers. The core switches will be based on the Cisco Catalyst 6500 chassis, utilizing the supervisor engine and an Ethernet module for every 3 distribution switches. The distribution layer switches will be Cisco Catalyst 4500 Series chassis, with supervisor modules and line cards that will support single mode fiber connections to the access layer switches. The access layer switches will be Cisco Catalyst 2960 series switches.
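As an added worked example (not part of the design document or any vendor material), the script below checks the address-block sizing stated above, that 330 devices fit in a /23 and that a /22 leaves room for roughly 1000, and then goes one step further than the text: it carves the /22 into one subnet per departmental VLAN, largest department first with best-fit allocation, and verifies that no two departmental subnets overlap. The 10.20.0.0/22 base prefix and the per-department device counts are constructed placeholders; only the 330-device total and the /23 versus /22 comparison come from the text.

```python
"""Worked example (added here; not from the WWTC design document): sizing the
New York office address block and carving one subnet per departmental VLAN.

Only the 330-device total and the /23-versus-/22 comparison come from the
text. The 10.20.0.0/22 base prefix and the per-department device counts are
constructed placeholders for illustration.
"""
import ipaddress
import math
from typing import Dict, List, Tuple

IPv4Network = ipaddress.IPv4Network


def usable_hosts(prefix_len: int) -> int:
    """Usable IPv4 host addresses in a prefix: total minus network and broadcast."""
    return 2 ** (32 - prefix_len) - 2


def smallest_block_for(device_count: int, growth_factor: float = 1.0) -> int:
    """Longest prefix (smallest block) whose usable hosts cover device_count.

    growth_factor > 1 reserves headroom; 2.0 roughly models the design's
    preference for a /22 over a /23 for future expansion.
    """
    needed = math.ceil(device_count * growth_factor)
    for prefix_len in range(30, 0, -1):          # from /30 (2 hosts) up to /1
        if usable_hosts(prefix_len) >= needed:
            return prefix_len
    raise ValueError("device count exceeds the IPv4 address space")


def plan_vlans(base: str, departments: Dict[str, int]) -> Tuple[Dict[str, IPv4Network], List[IPv4Network]]:
    """Give each department its own subnet (one VLAN each) carved from `base`.

    Largest departments are placed first and each takes the smallest free
    block that fits (best fit), so leftovers stay contiguous for growth.
    Returns (department -> subnet, remaining free blocks).
    """
    free: List[IPv4Network] = [ipaddress.ip_network(base)]
    plan: Dict[str, IPv4Network] = {}
    for name, count in sorted(departments.items(), key=lambda kv: -kv[1]):
        want = smallest_block_for(count)
        candidates = [b for b in free if b.prefixlen <= want]   # blocks at least as large as needed
        if not candidates:
            raise ValueError(f"no room left in {base} for {name} ({count} devices)")
        block = max(candidates, key=lambda b: b.prefixlen)      # best fit: smallest block that fits
        free.remove(block)
        while block.prefixlen < want:                           # halve until it is the right size
            block, leftover = block.subnets(prefixlen_diff=1)
            free.append(leftover)
        plan[name] = block
    return plan, free


def vlans_are_disjoint(plan: Dict[str, IPv4Network]) -> bool:
    """Sanity check: no two departmental subnets overlap, so the per-VLAN
    isolation the design relies on also holds at layer 3."""
    nets = list(plan.values())
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


# Constructed department counts that sum to the 330 devices named in the design.
DEPARTMENTS = {
    "Sales": 90, "Finance": 60, "Wireless": 60, "IT": 40, "HR": 30,
    "Executive": 20, "Printers": 20, "Servers": 10,
}

if __name__ == "__main__":
    total = sum(DEPARTMENTS.values())
    print(f"{total} devices: fits in a /{smallest_block_for(total)}; "
          f"a /{smallest_block_for(total, 2.0)} gives 2x growth headroom")
    plan, free = plan_vlans("10.20.0.0/22", DEPARTMENTS)
    for name, net in plan.items():
        print(f"{name:10s} {str(net):18s} ({usable_hosts(net.prefixlen)} usable)")
    print("free for expansion:", ", ".join(str(n) for n in sorted(free)))
    assert vlans_are_disjoint(plan)
```

With the constructed counts, every department fits inside the first /23 of the /22, and the second /23 (10.20.2.0/23) stays untouched for expansion, which is the headroom the text argues for when it prefers a /22 over a /23.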

These switches will provide PoE for the VoIP phones and the wireless access points. They will use single mode fiber to connect back to the distribution layer switches and Cat5e cables to connect to user devices.

Wireless will be installed in the lobby and two large conference rooms, providing flexibility and increasing productivity for employees by allowing them mobile access to the network. The site survey for these areas has been completed, and there are no interfering signals that will disrupt the wireless signal. When deploying wireless there will need to be a wireless controller and access points for users to connect to the network. The Cisco 2125 Wireless LAN Controller would be the best fit for WWTC's needs; it will support up to 25 Access Points (APs). The Cisco Aironet 1140 will use the 802.11n standard to allow bandwidth of up to 300 Mbps to each AP, and its frequency will not be compromised by Bluetooth signals from devices users could be carrying, such as cell phones or other personal wireless devices. The Access Points can effectively cover a radius of 100 feet and will work most efficiently if they are placed at equal distances from the middle of the room. This means that there would be an Access Point 33 ft. from one wall and an AP 33 ft. from the opposite wall, since the room is 100 feet along that wall. The Access Points will also run off PoE, which will allow them to get power from the same cable that provides their connection to the switch. The APs can handle 2048 devices at one time, but it is not recommended to have more than 30 devices connected at one time, allowing for consistent network performance for every user. There should be two AP nodes in each conference room and the lobby. This will allow for 60 users at each location without network degradation.

DRs of Active Directory

In the server farm there will be 6 servers that will run WSUS, DHCP, Active Directory, DNS, application, and file services. Three of the servers will be active while the other three will be secondary. The active servers will replicate data every six hours to the secondary servers.

One server will run DNS and DHCP services. Another server will run Active Directory and WSUS services. The third active server will run file and application services. All servers will run the Windows Server 2012 operating system. The DHCP service will automatically assign IP addresses to devices on the network. This service will help save technician hours, because they will not have to manually assign every IP address to each device. The DNS service will be implemented to allow users to type in web page names, such as www.google.com, instead of having to remember the numerical IP address. The Active Directory server will sync user accounts with BitLocker encryption to secure users' hard drives on their workstations. This means that each user will have to authenticate with Active Directory before they can access any information when logging into their workstation. If a laptop gets stolen, the BitLocker encryption will prevent access to the information on the computer. The Active Directory service will also allow for group policies that will limit the amount of space each user can use on the shared file server. This will make sure every user has room on the shared storage. Users will authenticate to Active Directory using a smart card and a PIN in order to gain access to the network. This will provide two-factor authentication by requiring the user to present something they have and something they know to access the network. The file and application services will act as a shared device using BranchCache to allow users to run applications from the server itself rather than on their own device. It will also act as a share drive for users to store information that can be accessed by employees on the WWTC network. The WSUS service will be used to push out Windows updates to the users during times when the majority of employees are off work. It will also allow employees to pull updates directly from the server when the time is right for them. Whenever a new computer is added to the network, it will be able to update directly from the WSUS server.

References

Cisco Catalyst 6500-E Series Chassis Data Sheet. (n.d.). Retrieved November 1, 2014, from http://www.cisco.com/c/en/us/products/routers/asr-1000-series-aggregation-services-routers/models-comparison.html

Cisco Catalyst 6500-E Series Chassis Data Sheet. (n.d.). Retrieved November 1, 2014, from http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/data_sheet_c78-708665.html

Cisco Catalyst 4500 Series Switches. (n.d.). Retrieved November 1, 2014, from http://www.cisco.com/c/en/us/products/switches/catalyst-4500-series-switches/index.html

Cisco Aironet 1140 Series Access Point Data Sheet. (n.d.). Retrieved November 1, 2014, from http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-1130-ag-series/datasheet_c78-502793.html

TACLANE-1G (KG-175G) Encryptor. (n.d.). Retrieved November 2, 2014, from http://www.gdc4s.com/taclane-1g-(kg-175g).html

Wahl, C., & Pantol, S. (2014). How Virtual Switching Differs from Physical Switching. In Networking for VMware Administrators. VMware Press.