
NORTHWESTERN UNIVERSITY

Network
Scenario 4
David Hwasoo Lee Steve J. Lee CIS 313 Telecommunications 11/30/2010

Table of Contents

Table of Contents ................................ 2
LAN .............................................. 2
  Physical ....................................... 2
  Recommendations ................................ 3
WAN .............................................. 4
  Physical ....................................... 4
  Recommendations ................................ 5
Budget/Cost Analysis ............................. 5
Planning technological infrastructure ............ 6
Hardware need .................................... 6
Spares ........................................... 6
Traffic management ............................... 7
Network simulation ............................... 7
Security Analysis ................................ 7
Access control plans (AAA) ....................... 8
Firewalls ........................................ 8
Cryptographic system (VPN) ....................... 8
Compliance ....................................... 9

LAN

Physical

A LAN physical map was designed according to the needs and requirements of each building. In Building X, three floors were created, assuming a networked printer on each floor. The building required twenty computers (twenty users), three networked printers, and three WAPs (one on each floor for the wireless LAN). All computers and electronic equipment (printers, WAPs) would be connected via access lines to a switch located on each floor. A 48 port switch will be used on each floor (additional users are expected). One WAP (which accommodates 48 users) would be set up on each floor. Additional WAPs could be set up if the signal does not reach all users. The switch on each floor is connected to the switch on the floor immediately below it via trunk lines. The switch on floor one is connected to a core switch via a trunk line, which will serve to relay requested information between switches and floors. The core switch is connected to a router which is connected to the WAN (Frame Relay) via third party leased access lines.

Building Y's physical map was set up using the same methodology. The building has fourteen computers (fourteen users), two networked printers (one on each floor), and two WAPs (one on each floor for the wireless LAN). All computers and electronic equipment are connected via access lines to a switch located on each floor. A 48 port switch will be used on each floor (to provide room for growth). One WAP (which accommodates 48 users) would be set up on each floor. Additional WAPs could be set up if the signal does not reach all users. The switch on each floor is connected to the switch on the floor immediately below it via trunk lines. The switch on floor one is connected to a core switch via a trunk line, which will serve to relay requested information between switches and floors. The core switch is connected to a router which is connected to the WAN (Frame Relay) via third party leased access lines.

Building Z's physical map was also set up using similar lines of reasoning. The building has eleven computers (eleven users), one networked printer, and one WAP. All computers and electronic equipment (printers, WAP) are connected via access lines to a switch located on each floor. The switch on each floor is connected to the switch on the floor immediately below it via trunk lines. A 48 port switch will be used on each floor (to provide room for growth). One WAP (which accommodates 48 users) would be set up. Additional WAPs could be set up if the signal does not reach all users. On the second floor, the server has a firewall and is connected to a switch. The switch on floor one is connected to a core switch via a trunk line, which will serve to relay requested information between switches and floors. The core switch is connected to a router which is connected to the WAN (via third party leased access lines).

Recommendations

Ethernet will be used as the LAN because it is simple, inexpensive, and offers adequate performance. Layers 1 and 2 will use OSI standards. The 100BASE-TX (100 Mbps) standard will be used. If more speed is needed, the 1000BASE-T (1 Gbps) standard or optical fiber such as 1000BASE-X and 10GBASE-X (10 Gbps) will be used. The maximum run length for UTP is 100 meters, which should be plenty to connect switches to switches and to routers. Link aggregation (bonding) will be considered if a little more speed is needed than a single standard specifies. The Ethernet LAN will use an unreliable protocol because the cost of reliability outweighs the benefits.

The Ethernet will use the required hierarchical switch topology. Backup links will be implemented to provide alternative paths in case there is a failure. RSTP will establish a backup link. VLANs may be used, both to reduce traffic and for security.

Wireless LAN
o Wireless LAN will provide connectivity for laptops, handhelds, and other mobile devices to the wired LAN.
o The 802.11g standard (54 Mbps), which uses OFDM, will be used.
o If more speed is needed, 802.11n (100-300 Mbps), which uses MIMO, will be used.
o Security is a major issue with wireless LAN. Refer to the section on Security Analysis for discussion on WPA2 and VPN.
o Remote access point management will be used. A central management console will communicate with smart access points.

Priority may be used for latency intolerant traffic such as voice, video, and network control messages. SLA or QoS will be added to the contract. If there is a lack of capacity, more of it will be installed. 24 port switches and appropriate port speeds will be selected as described above. Managed switches and SNMP will be used to poll switches, identify problems, fix switches remotely, and monitor performance.

Security
o Authentication of users will be done by an authentication server.
o MAC security will be used to prevent attacks that use RSTP or other management protocols.
o Cryptographic security will be used. Refer to the section on security.

WAN

Physical

The physical map of the WAN was based on the needs and requirements of the Frame Relay and ISP. A Frame Relay WAN was chosen because it is generally less expensive than using a leased line service, FDDI, ATM, or wireless WAN. Economies of scale will make Frame Relay a more attractive option. Each building's (Building X, Y, and Z) router is connected to a CSU/DSU device. A single leased line will connect each CSU/DSU to the nearest POP, which is the point of entry to the Frame Relay. The Frame Relay carrier will manage its own internal switches and trunk lines.

All buildings (X, Y, Z) will have an Internet Service Provider (ISP). To bring Internet service, ISP carrier lines will connect to the router in each building. Building Z will have a firewall installed to protect the server. All data going into the building through the router will first pass through the firewall. The router will connect to the LAN in each building (X, Y, Z).

Recommendations

The cloud of the Frame Relay will most likely use a mesh topology, which increases reliability. Frame Relay will use virtual circuits, which are less expensive and require less processing work. Fractional T1/E1 leased lines will be used to provide 128-768 kbps. If more speed is needed, then bonded T1s or T1 (1.544 Mbps) leased lines will be used. HDSL (768 kbps symmetric transmission) or HDSL2 (1.544 Mbps symmetric), which use 1 pair UTP, will be used if the price is less than fractional T1 or T1 (2 pair UTP). The Frame Relay carrier will provide OAM&P. SLA or QoS will be added to the contract.

Budget/Cost Analysis
Item Purchased       Quantity               Unit Cost   Total Qty   Subtotal   Comments
                     Bldg X  Bldg Y  Bldg Z
Wireless LAN           3       2       1    $  1,500        6       $  9,000
ISP connection         1       1       1    $    700        3       $  2,100
48 port Switch         3       3       1    $  2,700        7       $ 18,900
Server                 0       0       1    $ 12,500        1       $ 12,500
Firewall               0       0       1    $  5,000        1       $  5,000
Enterprise Router      1       1       1    $  9,000        3       $ 27,000
Frame Relay            -       -       -    $    600        1       $    600
Backup Switches        -       -       -    $  2,700        3       $  8,100   One for each building X, Y, and Z
Backup Router          -       -       -    $  9,000        1       $  9,000

Total Cost:                                                         $ 92,200

$150,000 original budget amount

Budget/cost analysis was done to maximize benefits (such as capacity, reliability, security) and minimize cost. The total estimated cost is $92,200. The original budget amount is $150,000. That leaves $57,800 to buy more items if needed. The required items for each building (X, Y, Z) were wireless LAN, ISP connection, switches, routers, and frame relay; and a server and firewall for building Z. Refer to the following section on Capacity Analysis/Future Growth for discussion on why 48 port switches, enterprise routers, and backups were chosen.

Capacity Analysis/Future Growth Analysis

Planning technological infrastructure

The arrangement of hardware, software, and transmission lines will be examined. Normal continuing growth of application traffic demand will be considered. Disruptive applications such as VoIP, P2P, and video that create surges in demand will be considered and likely discouraged. There will be three sites (Buildings X, Y, and Z). If additional sites are added, communication of the new building, and its effects on the communication of the existing buildings (X, Y, Z), will be considered. Gaps will be identified, characterized, and documented. Upgrading or replacing with new equipment, and using different topologies, will be considered. TCO and scalable solutions will be considered.

Hardware need

In building X, a 48 port switch will be used on each floor (additional users are expected). Even if all twenty people were users on the same floor, there would be enough ports. One WAP (which accommodates 48 users) would be set up on each floor. Additional WAPs could be set up if the signal does not reach all users. The building will use an enterprise router to accommodate present and future traffic flow.

In building Y, a 48 port switch will be used on each floor (additional users may be expected). Even if all fourteen people were users on the same floor, there would be enough ports. One WAP (which accommodates 48 users) would be set up on each floor. Additional WAPs could be set up if the signal does not reach all users. The building will use an enterprise router to accommodate present and future traffic flow.

In building Z, a 48 port switch will be used on each floor (an additional fourteen users are expected). Even if all eleven people were users on the same floor, there would be enough ports. One WAP (which accommodates 48 users) would be set up on each floor. Additional WAPs could be set up if the signal does not reach all users. The building will use an enterprise router to accommodate present and future traffic flow.

Spares

Three backup switches will be available for the three buildings X, Y, and Z. One backup router will be available for the three buildings X, Y, and Z.

Backup site

Due to the significant cost of provisioning, managing, and maintaining it, establishing a backup site will be discussed further.

Traffic management

All buildings (X, Y, Z) will have traffic management. Priority is generally less expensive than overprovisioning, so priority will be used. If there is a chronic lack of capacity, then more capacity provisioning will be implemented. If QoS is present in the carrier service, it will provide a level of guarantee on traffic capacity. Traffic shaping will be used. MP3 downloading and video downloading may be restricted. A specific percentage of capacity for particular applications may be implemented. Compression and decompression of data will be used.

Network simulation

Network simulation will be carried out in all buildings (X, Y, Z). Network simulation will be used to try to simplify networks and simulate alternatives to find the best one. It will help in anticipating problems, and in finding problems when extrapolating traffic. OPNET IT Guru will be used.
o Nodes will be placed on items in the simulation work area.
o A Frame Relay topology will be used.
o The speeds of the various items will be specified and configured. The outgoing excess burst size may be set to 64 kbps.
o All applications will be run on the simulation.
o Simulated data will be validated against the real network.
o Anticipatory analysis will be run, for example to see whether adding a router in a particular place will remove a bottleneck.
o ACE may be used to analyze application performance.

SNMP

All buildings (X, Y, Z) will use SNMP to manage devices such as printers, WAPs, switches, and routers. The administrator will receive device information from device agents. Received information will be stored in the MIB. SNMP Get commands will be used to poll all managed devices. SNMP Set commands will be used to change the way a device operates. RMON will be used to collect data on network traffic and device objects.

Security Analysis

The goal of our security is to provide comprehensive security. Although it is almost impossible to close off all attacks, attempts will be made to come as close as possible.

Access control plans (AAA)

All buildings (X, Y, Z) will implement AAA.

Authentication
All users will be required to prove their identity to the authentication server (verifier) by user name and password. Authentication will be used for both on-site and remote access.
o Passwords: All users will be required to choose strong passwords. These passwords will not be dictionary words, common names, or hybrids of them, because such passwords can be cracked by attackers in seconds. Passwords will be random upper case letters, lower case letters, numbers, and symbols. These can be cracked only by brute force attacks. Password length will be greater than eight characters. Passwords must be reset every six months. All users will be reminded not to leave passwords visible or easily located by others (such as on a post-it on the computer or under the keyboard).
o Digital certificate authentication: This will be used for very sensitive information (such as financial information and other sensitive data). Authorized users will have a public key and a private key. The supplicant will use his or her private key to do a calculation. The verifier will use the public key in the digital certificate to test this calculation.
o Wireless Access Point (WAP): WPA2 in 802.1X mode will be used. Authentication will be done by the server using EAP.

Authorization
Each user will have specific authorizations that define the actions he or she is permitted to do.

Auditing
Information will be collected on all users' actions and recorded in log files for analysis.

Firewalls

Building Z will have a firewall. The firewall will copy information about discarded packets to a firewall log file. Firewall managers will read these logs every day to understand the types of attackers coming in. Access control lists will be used to allow some outside users to access selected servers. Also, there will be regulation on which internal users may access which servers. IDSs will supplement firewalls and identify suspicious packets and log them.
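As an added example (not part of the original paper), the daily reading of the firewall's discarded-packet log described above can be scripted so the reviewer starts with the noisiest sources. The key=value log format, host name and addresses below are constructed for this example, and the "three distinct ports" threshold for flagging a source is an assumption:

```python
"""Daily review of a firewall's discarded-packet log (added example)."""
import re
from collections import Counter

# Constructed sample log: one day of records from the Building Z firewall.
# Format is invented for this example; adjust LOG_RE to the real product's format.
SAMPLE_LOG = """\
2010-11-30T08:15:02 fw-z DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP spt=51234 dpt=22
2010-11-30T08:15:03 fw-z DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP spt=51235 dpt=23
2010-11-30T08:15:04 fw-z DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP spt=51236 dpt=3389
2010-11-30T08:15:05 fw-z DROP src=203.0.113.7 dst=192.0.2.10 proto=TCP spt=51237 dpt=445
2010-11-30T09:02:11 fw-z DROP src=198.51.100.42 dst=192.0.2.10 proto=UDP spt=40001 dpt=161
2010-11-30T09:40:00 fw-z DROP src=203.0.113.9 dst=192.0.2.10 proto=TCP spt=60000 dpt=22
2010-11-30T10:01:00 fw-z ACCEPT src=198.51.100.5 dst=192.0.2.10 proto=TCP spt=44444 dpt=80
this line is not a firewall record and is skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DROP|ACCEPT) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) "
    r"spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)

def parse_drops(text):
    """Return the DROP records as dicts; ACCEPT and malformed lines are ignored."""
    drops = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group("action") == "DROP":
            rec = m.groupdict()
            rec["dpt"] = int(rec["dpt"])
            drops.append(rec)
    return drops

def summarize(drops, scan_threshold=3):
    """Count drops per source and per destination port, and flag sources that
    touched at least scan_threshold distinct ports (threshold is an assumption)."""
    by_src = Counter(r["src"] for r in drops)
    by_dpt = Counter(r["dpt"] for r in drops)
    ports_per_src = {}
    for r in drops:
        ports_per_src.setdefault(r["src"], set()).add(r["dpt"])
    flagged = sorted(s for s, p in ports_per_src.items() if len(p) >= scan_threshold)
    return {"by_src": by_src, "by_dpt": by_dpt, "flagged": flagged}

def daily_report(text):
    """Plain-text summary for the firewall manager's daily log review."""
    s = summarize(parse_drops(text))
    return "\n".join([
        f"drops per source: {dict(s['by_src'])}",
        f"drops per destination port: {dict(s['by_dpt'])}",
        f"sources touching many ports (review first): {s['flagged']}",
    ])

if __name__ == "__main__":
    print(daily_report(SAMPLE_LOG))
```

Feeding the report into the IDS review queue gives the firewall manager a starting point for the daily read rather than the raw log.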
IPSs will use deep packet inspection and examine the internet, transport, and application layers in an integrated way. Computers in all buildings (X, Y, Z) will have individual firewall software installed.

Cryptographic system (VPN)

All buildings (X, Y, Z) will implement cryptographic systems if necessary. They will be used to protect dialogues that involve the exchange of many messages, or data that are sensitive in nature. Symmetric key encryption will be used to encrypt messages. Electronic signatures will be added to provide authentication and message integrity. Digital certificate authentication will be used as described above.

Hardening servers

All buildings (X, Y, Z) will practice hardening. All servers will be backed up frequently. Patches will be installed on servers, operating systems, and applications. User PCs will be hardened, and antivirus and antispyware programs installed. GPOs will be used to limit user actions, such as prohibiting software installation (music file-sharing software). Vulnerability testing will be done to see which attacks that should have been stopped actually succeed.

Response

All buildings (X, Y, Z) will have response protocols. An attack will be detected by the IDS. The attack will be stopped by reconfiguring firewall ACLs, or attack specific actions will be taken. Damage will be repaired by running a clean up program and restoring files from backup, possibly reformatting the hard drives and reinstalling software and data. Forensic procedures will be used against the attacker. During major incidents, the CSIRT will be mobilized. Backup sites may be employed for IT disaster recovery: if one site fails, the other site can take over immediately.

Training

All buildings (X, Y, Z) will provide training to all users. All users will be trained in the use, concepts, and functionality of security. All users will be trained in AAA, use of passwords, firewalls, cryptographic systems, hardening, response, and compliance. All users will be trained in using computers responsibly.

Physical

All buildings (X, Y, Z) will practice physical security. All users must wear a visible ID. Some areas will have restricted access; only authorized personnel may enter and use computers in these areas.

Compliance

Policies, standards, and procedures will be implemented and followed. The CISO will oversee and ensure that these procedures are followed.
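The password rules stated in the Access control plans (AAA) section (length greater than eight, all four character classes, no dictionary word, common name or hybrid), as an added check that is not code from the original paper. The word list is a constructed stub, and the hybrid heuristic (stripping bolted-on digits and symbols, then undoing letter-for-symbol substitutions) is an assumption; brute_force_bits shows the keyspace a random password forces an attacker to search, which is the paper's reason for requiring random passwords:

```python
"""Password policy check for the AAA section's rules (added example)."""
import math
import string

# Constructed stub; a real deployment loads a full dictionary and name list.
WORDS = {"password", "welcome", "northwestern", "network", "telecom",
         "summer", "winter", "david", "steve"}

# Common letter-for-symbol substitutions undone by the hybrid check (assumption).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

SYMBOLS = string.punctuation
CLASS_SIZE = {"upper": 26, "lower": 26, "digit": 10, "symbol": len(SYMBOLS)}

def char_classes(pw):
    """Which of the four required character classes the password contains."""
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in SYMBOLS for c in pw),
    }

def base_word(pw):
    """Strip leading/trailing digits and symbols and undo substitutions, so
    'Summer2010!' and 'P@ssw0rd' both reduce to their underlying word."""
    core = pw.strip(string.digits + string.punctuation)
    return core.translate(LEET).lower()

def check_password(pw):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) <= 8:
        problems.append("length must be greater than eight characters")
    for name, present in char_classes(pw).items():
        if not present:
            problems.append(f"missing {name} character")
    if pw.lower() in WORDS:
        problems.append("dictionary word or common name")
    elif base_word(pw) in WORDS:
        problems.append("hybrid of a dictionary word or common name")
    return problems

def brute_force_bits(pw):
    """log2 of the keyspace a brute-force attacker must search if the password
    is random: (alphabet size of the classes present) ** length."""
    alphabet = sum(CLASS_SIZE[k] for k, present in char_classes(pw).items() if present)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

if __name__ == "__main__":
    for pw in ["Summer2010!", "P@ssw0rd", "Xq7#vL2!pR"]:
        print(pw, check_password(pw) or "OK", f"{brute_force_bits(pw):.1f} bits")
```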
