
Remote Working System Project

Written by Jonathan Camilleri

Introduction ..............................................................................................................................3
Business environment..............................................................................................................3
IT Environment.........................................................................................................................4
Requirements...........................................................................................................................6
Network setup ......................................................................................................................6
Internet connectivity for remote workers ...........................................................................6
Authentication and connection ..........................................................................................7
Electronic mail ..................................................................................................................8
Presentations....................................................................................................................8
Common security threats and the impact on the business ................................................9
Benefits and weaknesses of telecommuting.......................................................................11
Benefits for the company ................................................................................................11
Drawbacks for the company............................................................................................11
Benefits for employees ...................................................................................................12
Drawbacks for employees...............................................................................................12
Trade Union Issues.........................................................................................................13
Budgeted costs...................................................................................................................14
Technical design and deployment..........................................................................................23
VPN Overview ................................................................................................................24
IP Sec Overview .............................................................................................................24
Client connection ............................................................................................................24
Server authentication and connection .............................................................................25
Project plan.....................................................................................................................27
Responsibilities and duties.....................................................................................................33
Business and service management ................................................................................33
Network Management and Security ................................................................................33
Project management.......................................................................................................33
Conclusion and recommendations .....................................................................................34
Appendix A - Technical specifications ................................................................................35
References and bibliography ..............................................................................................50


Introduction
This document describes the requirements, analysis and implementation plan for the setup of
network access for sales staff operating remotely, in order to provide the best possible service
to current and potential customers. This will be achieved by providing:
1. Secure remote access for its sales force operating from mobile client computers and
wireless devices;
2. Access to electronic mail;
3. Access to updated customer and transaction information through client software
installed on the remote workstations, which queries the central database;
4. Access for the client software installed on remote workstations to carry out online and
offline sales transactions. Synchronisation of offline transactions can be carried out
remotely or directly at the head office;
5. Suitable office applications installed on the remote workstations to enable the sales
force to display presentations on the various products to customers, report to the
company's management and carry out general office duties as necessary;
6. Backup of remote workstations, to run overnight when the network is not being used.
This will be done either through a scheduled automated backup script or manually by
the users, depending on the available technologies;
7. Training for the sales force and network administrators, in view of the proposed setup,
with guidelines on security concerns and appropriate usage of the equipment provided,
so as to reduce as far as possible the risk of exposing the company's integrity.

Business environment
Garner Insurance Ltd., herein referred to as the company, is one of Malta's leading
insurance companies, established in 1999, offering various insurance products at
competitive prices intended to cover its personal and business customers against various risks
at different levels. Although relatively new to the market, the company has managed to double
its profits over the last 5 years, notwithstanding fierce competition from companies that are
more established locally.
The company's workforce employs more than 300 personnel, including a sales team of 156.
This is expected to increase to 400 employees over the next 5 years according to the current
business plan.
Table 1 - Sales force projections

|                    | 2005 | 2010 |
|--------------------|------|------|
| Senior sales staff | 60   | 100  |
| Normal sales staff | 156  | 300  |


In addition to substantial investment in advertising and promotion, the targets set by senior
management focus on the ability and competency of its sales force to promote its products.
One of the sales distribution channels is to sell directly to customers, on a door-to-door
selling basis.
Senior sales staff have over 5 years' experience in direct sales and insurance, and provide
support and supervision to the sales staff.
Normal sales staff are given extensive and continuous training on the company's products
and are expected to perform their duties within the company's sales objectives:
1. Seek potential customers in order to attract them into buying the company's products;
2. Ensure customer satisfaction in order to ensure customer loyalty;
3. Liaise directly with senior sales staff, providing the feedback obtained from customers.
In turn, senior sales staff analyse this feedback and provide management with
recommendations to further increase the company's local market share; and
4. Seek support from senior sales staff to enable them to close sales within the
company's sales guidelines.

IT Environment
The company network at the Head Office is a client-server setup. Description of the main
servers:
Table 2 - Server Information

| Server name | Main function | Description |
|-------------|---------------|-------------|
| Giorgio | SQL server | Database server hosting a MS SQL 2000 central database for the company's core system. The system holds product, customer, transaction, audit and management information and is a critical element in the running of the business. |
| Alberto | E-mail server | Electronic mail is stored centrally for all users. The e-mail addressing format is namesurname@garner.com.mt. Each mailbox has a maximum allocated size of 200Mb. When exceeding this size the user can transfer the information to a pre-agreed location for archiving, after erasing irrelevant correspondence. The mail server runs Sendmail's Mailstream Manager. |
| Edmundo | Intranet server | This server is used as an Intranet server hosting access to the company's core system and is used within the company. |
| Juan | Active Directory server | This is currently the Windows Active Directory server used to authenticate and allocate network resources to the users. |
| Carlo | File / application server | This server hosts files for users to store within user directories in order to ensure that the files are backed up regularly. Users are responsible for the backup of files hosted on workstations. |


Figure 1 - Current Head Office network overview (server names are not used in this diagram for illustration purposes)


All server disks are installed with RAID level 1 (mirroring) to provide redundancy in case of
disk failure. Windows 2000 Server is installed on all servers.
A full backup is taken every Sunday, whilst incremental backups are taken daily on DLT
tapes, during non-operational hours. Weekly backups are sent for safe keeping to an off-site
location, by agreement with a service provider. The company is in the process of reviewing its
maintenance agreement in order to provide for the replacement of any equipment within the
server farm.
A spare server is already available as a replacement. Due to expected heavier loads on the
SQL Server, the company is currently investigating the possibility of configuring this server to
be used in conjunction with the current database server as an active / failover cluster. This
would require upgrading the OS on the database servers to Windows 2000 Advanced Server
in order to provide this functionality. The company is also evaluating the risks of not keeping
spare servers on the premises, so as to avoid holding idle servers there.
The company's website is hosted on a domain provided by a service provider and is maintained
by a specialized marketing company.
It is company procedure to retain at least 1 spare computer for every 10 used by its
employees. This policy also applies to desktops, laptops and desk printers. Other spare
equipment, such as scanners, networking equipment, cables and parts, is held by the IT
section. Spare PDAs will be purchased as standby equipment on a 1 to 10 basis.
Duplicate equipment shall be purchased for essential networking equipment (e.g. VPN
concentrators, switches, firewalls) and, where possible, configured so as not to be left
idle. However, the main purpose is to have failover equipment so that the company's
communication lines are not interrupted when a piece of equipment is faulty.
Ideally the switchover should be transparent to local and remote users, so as not to
disrupt the daily running of the business.
Remote workers using laptops shall be able to log in to the company's core system by logging
in to the Web server and carrying out transactions normally.
User-interface software for Personal Digital Assistants is still being developed. Testing will be
done before the installation of the software during the pilot stage of this project. Whilst
software errors may arise at any phase, the client software that will be installed shall be the
accepted final version of the software.

Requirements
Network setup
Internet connectivity for remote workers
Remote users will connect to the head office network by establishing a Virtual Private
Network with the company network over their Internet access.
Remote workers using laptops shall connect from home through a broadband Internet
connection. They can also connect to the Internet through a GPRS connection when they are
not at home. Users with PDAs shall connect through a GPRS connection. This will be useful for
keeping communication lines open whilst remote workers are travelling, on training, or
attending meetings and conferences, and for keeping in touch with colleagues during
extended vacation periods.


Wireless technology offers a wider bandwidth than a GPRS connection and could provide a
better alternative for connecting laptops. However, this technology would be more expensive
compared to GPRS, since it is relatively new in Malta. Moreover, the GPRS connection on
laptops is only being considered as a backup communication line, since it is expected that
employees will mainly use their home connection. Management has to take preventive
measures to avoid possible abuse leading to increased communication costs.
The company has to ensure that costs for the usage of GPRS connections are kept to a
minimum, by applying and enforcing a set of guidelines for remote teleworkers:
- Where possible, a connection that is paid for periodically (e.g. a connection to an ISP) is to
be used, and the GPRS connection is used only where a connection to the Internet is not
available at a cheaper price, e.g. when attending conferences or while travelling on the
road, especially abroad. The mobile operator has to be contacted beforehand for correct
usage of the device with roaming services while abroad.
- Installation of Internet traffic monitoring software that reports usage statistics to the
network administrator for monitoring.
- E-mails are ideally downloaded once or twice a day, except for urgent communications,
rather than continuously.
- Attachments are downloaded through the broadband Internet connection, since its charges
do not depend on download size, or else at the Head Office.
- The GPRS connection should not be used for personal interests, although it may be
generally accepted that some communication is done on a personal level (e.g. to keep in
touch with colleagues), as long as this is acceptable to management.
- Multimedia files, including pictures, music files and videos, are not to be downloaded
except where strictly necessary.
The mobile operator and Internet service provider shall provide a reliable connection to the
Internet for the remote workers. On the other hand, the company is responsible for the
maintenance and integrity of the internal network and the equipment owned (or leased).
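As an added illustration of the usage-monitoring guideline above (not software from the project), the following Python script aggregates constructed per-user traffic records by link type and flags the cases the guidelines single out: large attachments and multimedia pulled over GPRS, and mail polled more than twice a day over GPRS. The log format, user names and the 1 MB attachment threshold are assumptions.

```python
"""Usage check for the GPRS guidelines: added example, not the project's own
monitoring software. Log format, users and thresholds are constructed."""
from collections import Counter, defaultdict

# Constructed sample records: timestamp, user, link (adsl|gprs), bytes, category.
SAMPLE_LOG = """\
2005-03-01T08:05 jborg gprs 18000 mail-headers
2005-03-01T08:07 jborg gprs 2400000 mail-attachment
2005-03-01T09:15 jborg gprs 7200000 multimedia
2005-03-01T10:30 mvella adsl 5500000 mail-attachment
2005-03-01T11:00 mvella gprs 15000 mail-headers
2005-03-01T09:00 pcassar gprs 12000 mail-headers
2005-03-01T12:00 pcassar gprs 12000 mail-headers
2005-03-01T16:00 pcassar gprs 12000 mail-headers
2005-03-01T12:00 afarrugia gprs 900000 web
"""

# Assumed thresholds: attachments over 1 MB should wait for ADSL or the
# office; mail should be polled at most twice a day over GPRS.
ATTACHMENT_LIMIT_BYTES = 1_000_000
MAX_MAIL_POLLS_PER_DAY = 2


def parse_log(text):
    """Parse the constructed space-separated log into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, link, nbytes, category = line.split()
        records.append({"ts": ts, "date": ts[:10], "user": user,
                        "link": link, "bytes": int(nbytes),
                        "category": category})
    return records


def gprs_bytes_by_user(records):
    """Total bytes moved over GPRS per user: the usage statistic the
    network administrator would review against the metered bill."""
    totals = defaultdict(int)
    for r in records:
        if r["link"] == "gprs":
            totals[r["user"]] += r["bytes"]
    return dict(totals)


def guideline_findings(records):
    """Return (user, reason) pairs for GPRS usage outside the guidelines."""
    findings = []
    polls = Counter()
    for r in records:
        if r["link"] != "gprs":
            continue  # ADSL is flat-rate, so transfer size is not a cost concern
        if r["category"] == "multimedia":
            findings.append((r["user"], "multimedia over GPRS"))
        elif (r["category"] == "mail-attachment"
              and r["bytes"] > ATTACHMENT_LIMIT_BYTES):
            findings.append((r["user"], "large attachment over GPRS"))
        elif r["category"] == "mail-headers":
            polls[(r["user"], r["date"])] += 1
    for (user, date), n in sorted(polls.items()):
        if n > MAX_MAIL_POLLS_PER_DAY:
            findings.append((user, f"{n} mail downloads over GPRS on {date}"))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, total in sorted(gprs_bytes_by_user(recs).items()):
        print(f"{user:<10} {total / 1_000_000:6.2f} MB over GPRS")
    for user, reason in guideline_findings(recs):
        print(f"FLAG {user}: {reason}")
```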
Authentication and connection
The VPN Server hardware shall authenticate the user and send the unencrypted authentication
information to the MS Active Directory Server. Traffic is filtered by the internal firewall and
routed to the Server Farm VLAN by the switch connected to the internal network.
Once a user is authenticated, a VPN tunnel is created and the user is connected to the
internal network. Each user will be able to access the same resources locally and remotely,
with the exception of peripherals that are only used at Head Office, such as scanners, faxes
and printers.
The VPN Server shall have a static host name or IP address, since it will be accessed from all
remote connections.
The IPSec protocol over the VPN shall be used, since it has the advantage of essentially making
the remote computer part of the corporate network. Applications run without awareness that
any encryption or Internet routing is happening. This can also be a drawback, in that any
security exposure on the remote computer becomes a risk to the corporate network. Various
security controls can be configured centrally to reduce this risk.
Data will be encrypted using the 168-bit 3DES algorithm, which has to be supported by the
VPN server. As the name implies, 3DES uses three stages of DES and suffices for most
applications. In 2001, the National Institute of Standards and Technology (NIST) replaced DES
with AES (Advanced Encryption Standard), which is hoped to remain strong enough for the
next 10 to 20 years. However, 168-bit 3DES is considered to be sufficiently secure for remote
teleworking.


The internal firewall shall be configured to allow traffic only from the public mailserver and the
VPN concentrator (i.e. authentication and data passed once the session has been
established).
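The internal firewall policy just described, modelled as an added Python example (not the project's firewall configuration): an ordered allow-list in which only the DMZ mail server and the VPN concentrator may originate traffic into the internal network, with everything else falling through to an implicit deny. All addresses, the Server Farm VLAN range and the port numbers are constructed assumptions.

```python
"""Model of the internal firewall policy described above: only the DMZ mail
server and the VPN concentrator may originate traffic into the internal
network; everything else hits an implicit deny. Added example, not the
project's firewall configuration; addresses, VLAN and ports are constructed."""
import ipaddress
from dataclasses import dataclass


def host(addr):
    """Single-address network, so hosts and VLANs share one matching path."""
    return ipaddress.ip_network(f"{addr}/32")


# Constructed addressing (assumption, not from the design document).
DMZ_MAIL_SERVER = host("192.0.2.25")        # public mail relay in the DMZ
VPN_CONCENTRATOR = host("192.0.2.10")       # static address, as required above
SERVER_FARM_VLAN = ipaddress.ip_network("10.10.1.0/24")
INTERNAL_MAIL = host("10.10.1.25")          # "Alberto"
AD_SERVER = host("10.10.1.40")              # "Juan"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"                 # "any" matches tcp and udp
    dports: frozenset = frozenset()    # empty = any destination port

    def matches(self, flow):
        return (ipaddress.ip_address(flow.src) in self.src
                and ipaddress.ip_address(flow.dst) in self.dst
                and self.proto in ("any", flow.proto)
                and (not self.dports or flow.dport in self.dports))


# Allow-list evaluated top to bottom: the relay may only speak SMTP to the
# internal mail server; the concentrator may reach the Server Farm VLAN
# (assumed AD ports 88/389 listed first so the verdict names the auth path).
POLICY = [
    Rule("dmz-mail-relay", DMZ_MAIL_SERVER, INTERNAL_MAIL, "tcp", frozenset({25})),
    Rule("vpn-auth-to-ad", VPN_CONCENTRATOR, AD_SERVER, "tcp", frozenset({88, 389})),
    Rule("vpn-sessions", VPN_CONCENTRATOR, SERVER_FARM_VLAN),
]


def evaluate(flow, policy=POLICY):
    """First matching rule wins; anything unmatched is denied."""
    for rule in policy:
        if rule.matches(flow):
            return "allow", rule.name
    return "deny", "implicit-deny"


# Constructed flows: the relay delivering mail, the relay straying towards
# the database host, an Internet host bypassing the DMZ relay, and VPN
# traffic towards a workstation VLAN that is not in the allow-list.
SAMPLE_FLOWS = [
    Flow("192.0.2.25", "10.10.1.25", "tcp", 25),
    Flow("192.0.2.25", "10.10.1.50", "tcp", 1433),
    Flow("192.0.2.10", "10.10.1.40", "tcp", 389),
    Flow("192.0.2.10", "10.10.1.50", "tcp", 1433),
    Flow("198.51.100.7", "10.10.1.25", "tcp", 25),
    Flow("192.0.2.10", "10.10.2.15", "tcp", 445),
]


def audit(flows=SAMPLE_FLOWS, policy=POLICY):
    """Verdict and matching rule for each flow, in input order."""
    return [evaluate(f, policy) for f in flows]


if __name__ == "__main__":
    for flow, (verdict, rule) in zip(SAMPLE_FLOWS, audit()):
        print(f"{verdict:5} {flow.src:>13} -> {flow.dst}:{flow.dport}/{flow.proto}  ({rule})")
```

The second sample flow is the case the design relies on: a compromised DMZ relay can deliver mail but cannot reach the database server.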
Electronic mail
E-mail within the company's LAN is transferred by the e-mail server on Alberto. E-mail
received on this server addressed to mailboxes within the company's LAN is delivered to
those addresses on the LAN. E-mail addressed to other e-mail addresses is forwarded to the
mail server of the Internet Service Provider used by the company.
E-mail from outside the company's LAN is received on an e-mail server not connected
directly to the company's LAN (located in the Demilitarized Zone, DMZ), where it is scanned
for viruses and spam using appropriate software and then automatically forwarded to
the e-mail server within the company's LAN. Once the data has been transferred within the
LAN, the e-mails are erased permanently from the e-mail server within the DMZ.
This option shall entail the procurement of:
1. A server with disks supporting RAID level 1 (mirroring), in line with current practice,
plus backup hardware and backup management software;
2. Installation of the operating system, e-mail server software, anti-virus and spam-filtering
software, including software licenses;
3. Setup and configuration of the network connection to the company's network;
4. Configuration of the e-mail server within the DMZ to relay e-mails to the server
within the internal network;
5. Testing for connectivity and security before the end-user testing within the project plan;
6. Maintenance and support agreements for the above.
Presentations
Presentations are given by sales staff and management from time to time. A number of
overhead projectors are held at the company's premises, to be used by senior sales staff to
give presentations when required. This is particularly useful when meeting corporate
customers or giving presentations to students.
Ten projectors and appropriate software licenses shall be purchased and held at Head Office.
When presentations are to be given, staff are to contact the IT Department for the use of a
projector and installation of the software needed to display presentations.


Common security threats and the impact on the business

Common network threats include:
- Packet sniffers. A packet sniffer is a legitimate management tool that can be abused by
hackers to capture data transmitted over a network, such as usernames and passwords.
- IP spoofing. An IP spoofing attack occurs when a hacker inside or outside a network
impersonates a trusted computer to gain access to network information.
- Denial of service. Perhaps the most widely publicized form of attack, denial of service can
be initiated using programs that are available for download on the Internet. These attacks
focus on making a service unavailable for normal use, often by exhausting a resource on
the network, operating system, or application.
- Spam. Another growing threat to network operations is spam, or unsolicited mass e-mail,
which slows mail servers, overruns storage space, and reduces user productivity by
clogging individual mailboxes.
- Man-in-the-middle attack. A man-in-the-middle attack is initiated by hackers who have
access to network packets that move across a wired or wireless network. During this attack,
hackers hijack a network session to gain access to private network resources, steal
information, or analyze traffic to learn about a network and its users.
- Viruses, Trojan horses, and worms. End-user PCs and workstations are especially
vulnerable to viruses and Trojan horse attacks. Viruses are malicious software code that is
attached to another program to execute an unwanted function on a user's PC. Trojan horse
attacks are similar to viruses, but disguise the application to look like something else.
Worms are malicious programs that replicate themselves.
- Hypertext Transfer Protocol (HTTP) exploits. HTTP attacks use a Web server application
to perform malicious activities by exploiting the relatively insecure access to company Web
servers. If attackers can take control of the Web server to perform malicious activities, they
can access resources that would otherwise be unavailable.
- Application layer attacks. Hackers can initiate application layer attacks using several
different methods. One of the most common is exploiting well-known weaknesses in
software commonly found on servers, such as sendmail, HTTP, and File Transfer Protocol
(FTP), to gain access to a computer with a high level of administrative access.

Network security breaches can be devastating, costing significant loss of revenue,
productivity, and business, not to mention the expenses involved in repairing damage. Small
organizations are especially vulnerable because they often lack the staff and budget needed
to respond effectively to a security breach. The impact on businesses can be significant,
including:
- Loss of customer revenue. When a customer attempts to access resources on the
company's Web site only to find that it has been hacked, they will likely take their business
elsewhere.
- Loss of customer confidence. Customers are understandably reluctant to share private
information with a company that cannot protect it.
- Liability due to fraud. Credit card fraud has become increasingly prevalent. Customers
who use a credit card to purchase goods or services on an e-commerce site are entrusting
the company with confidential information. Fraud and identity theft due to network
breaches expose the organization to liability risks that can threaten its very survival.


Figure 2 - Remote connection overview (server names are not used in this diagram for illustration purposes)


Benefits and weaknesses of telecommuting


Improvements in technology improve employee productivity, create operational efficiencies
and reduce costs. Teleworking allows workers to keep in touch with the company and at the
same time, perform their duties with a more flexible schedule.

Benefits for the company


1. Reduced cost. Employees can focus on more strategic tasks that generate revenue.
Information is updated in real time, and putting the ability to execute transactions (e.g.
quotes, looking up customer information, querying the central database) into the hands of
the employees who initiate them reduces the need for intermediary personnel. This way
organizations can scale rapidly while keeping the rate of support staff growth much lower
than the growth rate of the overall workforce and business. For example, a salesman does
not need to call up head office in order to check on queries raised by the customer on
existing policies. E-mails are a relatively inexpensive and effective way to communicate,
given the amount of communication that goes through the business on a daily basis.
Employers can also save on space and lighting at the head office.
2. Empowered employees. Employees can use the Internet to get timely, accurate
information on demand, regardless of their location, with the use of scheduling software
available on the market. Employees who are empowered with information, guidelines, key
metrics, and decision-making responsibility can react dynamically. In customer-facing roles,
for example, empowered employees can dramatically improve customer interaction quality
by promptly and knowledgeably addressing issues, rather than by handing tasks and
decisions off to a superior.
3. Improved productivity. Transactions can be effected at source, without having to discuss
them with other departments. Less paperwork is involved due to the availability of soft
copies of documents, online forms etc. Transfer of data is faster and more secure than
relying on the employee handing in all the required documents when he goes to the office.
Transactions are more accurate since there is less chance of documents going missing along
the way or of information being copied incorrectly, especially with regard to handwritten
forms.
4. Improved work conditions. In addition to being an incentive for new employees, skilled
employees can be retained by offering them more flexible conditions, including
telecommuting.

Drawbacks for the company


1. Maintenance issues. Installing and configuring equipment in remote locations can be
cumbersome and expensive. On the other hand, support can be given remotely by support
staff, and users can be trained to provide information to a support helpdesk, and enough
information to enable them to provide a first line of support. Anyone working at home would
need some ability to deal with equipment faults and minor software problems.


2. Employer-employee relationship. Existing managers may resist moves towards
telecommuting because of the fear that their positions may become redundant, or that they
cannot monitor the time spent by employees while working. Remote workers have to be able
to motivate themselves to work without supervision. Although security settings can be
configured to limit this, the company still relies on the employees' personal responsibility
not to abuse the company's assets to their personal advantage. This includes usage of the
equipment provided and of communication lines (Internet, GPRS connection) for personal
use (which could be acceptable if used reasonably). The company should recommend proper
guidelines and monitor those employees who fall outside of the established parameters.
Preferably, employees are advised of such restrictions in advance, since this would achieve
some level of self-discipline from employees.

Benefits for employees


1. Less travelling time. Employees do not have to travel every day to go to work, leaving
more time to meet customers, report to the company and pursue their personal interests.
This would be greatly appreciated by employees residing, or wanting to reside and work, in
Gozo, since fewer travelling expenses would be incurred for the daily journey by ship.
2. Flexibility. Work can be organized in a flexible manner, as long as the performance
standards are met. Work activities can be fitted around employees' other activities. For
example, one can start working after taking the children to school and doing the household
chores.

Drawbacks for employees


1. Less time to socialize. Less time is spent socializing with colleagues at coffee breaks or
during office hours. The employee may feel detached from the company from a social point
of view. The company may organize regular social activities to enable employees to get
together out of the office, such as sports activities, dinners and competitions. It is useful to
spend some time at the office, say every week or when meetings are held. This provides an
opportunity to make informal suggestions and bounce ideas off people.
2. Isolation. Isolated employees may be exploited, or fear they are exploited, in an
environment where they can't easily get support from co-workers or unions.
3. Space and security. It is necessary to have space available at home to set up computers.
For security reasons the employee has to ensure that it is physically secure and make proper
use of the equipment to avoid information being lost, stolen or disclosed to unauthorized
persons. Appropriate training will guide employees in the proper usage of equipment and
software.


Trade Union Issues


In view of issues that may arise with the workers' trade unions, the following guidelines are
recommended by the MSF Information Technology Professionals Association (UK):
1. Teleworkers should be employees of an enterprise and not deemed self-employed.
2. To avoid isolation, contracts of employment should require home workers to
periodically attend the office.
3. There should be a separate room available at home for teleworking, a separate
telephone and payment for additional costs such as heating and lighting.
4. There should be regular meetings between teleworkers and the provision of
electronic mail and telephone links with other teleworkers, all to be provided at the
employer's expense.
5. There should be regular weekly liaison discussions between a teleworker and his or
her supervisor / manager.
6. Teleworkers should enjoy the same rates of pay and employment benefits as office
based workers including child care provision and family leave. There should be a
defined number of working hours. They should be included in career development
and appraisal schemes including training opportunities.
7. All computer equipment should be provided, paid for and serviced by the employer
who will be responsible for installation, maintenance, insurance and compliance with
health and safety requirements. The employer should also accept legal responsibility
for any accident or injury.
8. Teleworkers should have access to trade union representation and be able to attend
meetings within working hours. Health and safety advisors and trade union
representatives should be able to visit teleworkers.
9. Telecommuting should be voluntary with a right to return to working from the office.


Budgeted costs
Costs are expected to include substantial capital investment as well as recurrent expenditure,
especially with regard to connectivity charges. Controls should be in place to keep costs to a
minimum, particularly where the company is charged by usage, as in the case of the GPRS
connections.
Budgeted expense with current sales force

| Description | Recurrent expenditure | Note | Qty | Unit | Currency quoted | Cost per unit | Total (MTL) |
|---|---|---|---|---|---|---|---|
| Servers | | | | | | | |
| E-mail server: IBM X-Series 346 | | | | pcs | USD | 16,136.00 | 5,300.00 |
| Firewall server: IBM X-Series 346 | | | | pcs | USD | 16,136.00 | 5,300.00 |
| Installation and configuration (including software) | | | 24 | manhours | | | 240.00 |
| Maintenance and support (10%) | Yes | 10 | | | | | 1,100.00 |
| Sub-total | | | | | | | 11,940.00 (4.63%) |

| Description | Recurrent expenditure | Note | Qty | Unit | Currency quoted | Cost per unit | Total (MTL) |
|---|---|---|---|---|---|---|---|
| Connectivity | | | | | | | |
| GPRS access fee (annual) | Yes | | 156 | users | MTL | 60.00 | 9,400.00 |
| Mobile Connect Card (GPRS connection for laptops) | | 8 | 60 | users | MTL | 93.00 | 5,600.00 |
| GPRS connection - PDA users | Yes | 3, 19 | 156 | users | MTL | 504.00 | 77,000.00 |
| GPRS connection - laptop users | Yes | 11, 19 | 60 | users | MTL | 42.00 | 2,500.00 |
| ADSL Internet connection (512Kb download / 128 Kb upload) | Yes | 19 | 60 | users | MTL | 378.00 | 22,700.00 |
| Installation charges | | 5 | 60 | users | MTL | 50.00 | 3,000.00 |
| Modem deposit (refundable) | | 4 | 60 | users | MTL | 50.00 | 3,000.00 |
| Installation and configuration | | 9, 13 | 66 | laptops | | 2 manhours | 660.00 |
| Maintenance and support | Yes | | | | | | |
| Sub-total | | | | | | | 123,860.00 (48.07%) |

Budgeted expense with current sales force

| Description | Recurrent expenditure | Note | Qty | Unit | Currency quoted | Cost per unit | Total (MTL) |
|---|---|---|---|---|---|---|---|
| Networking equipment | | | | | | | |
| Cisco PIX 515E Security Appliance including chassis, restricted license, software, 3 10/100 interfaces, 64 Mb RAM, 10 desktop and 1 server license of Cisco Security Agent, CiscoWorks VMS Basic | | | | pcs | USD | 4,591.00 | 1,500.00 |
| Failover Active/Active software license | | | | | | | 2,000.00 |
| Encryption license - 168 bit 3DES | | | | | | | 350.00 |
| Ethernet cabling and sockets | | | 1000 | mtrs | | | 80.00 |
| Installation and configuration | | | 80 | manhours | | | |
| Maintenance and support | Yes | 10 | | | | | |
| Sub-total | | | | | | | 5,580.00 (2.17%) |


Budgeted expense with current sales force

| Description | Recurrent expenditure | Note | Qty | Unit | Currency quoted | Cost per unit | Total (MTL) |
|---|---|---|---|---|---|---|---|
| Client equipment and software | | | | | | | |
| Dell Inspiron 1150 with Microsoft Office 2003 (Word, Excel and Outlook), Norton Internet Security 2005 (15 month), Dell All-in-one Inkjet 922C printer, 30 day online security training, standard support package and cover against accidents, 1 year collect and return warranty | Yes (see note 16) | 13, 14 | 66 | pcs | GBP | 709.00 | 30,000.00 |
| ADSL modem (provided by ISP) | | 15 | 66 | pcs | MTL | 0.00 | 0.00 |
| HP iPAQ H6340 | | | 170 | pcs | MTL | 315.00 | 54,000.00 |
| Epson Powerlite S1 projectors | | | 10 | pcs | USD | 899.00 | 3,000.00 |
| Microsoft PowerPoint 2003 | | | 10 | licenses | USD | 162.94 | 540.00 |
| Cisco VPN 3000 Client Software - laptops | | | 66 | licenses | USD | 37.99 | 830.00 |
| AnthaVPN v5.0 VPN Client - PDAs | | 18 | 170 | licenses | USD | 69.00 | 11,700.00 |
| Client for accessing database | | | 236 | licenses | MTL | 15.00 | 3,500.00 |
| Installation and configuration | | 9 | 80 | manhours | MTL | 5.00 | 400.00 |
| Training | | 9 | 40 | hours | MTL | 5.00 | 200.00 |
| Testing | | | 120 | manhours | MTL | 5.00 | 600.00 |
| Maintenance and support | Yes | 10 | | | | | 3,300.00 |
| Sub-total | | | | | | | 108,070.00 (41.94%) |

Budgeted expense with current sales force - Network and Security Management Software

Description | Recurrent expenditure | Note | Qty | Unit | Currency quoted | Cost per unit | Total (MTL)
Checkpoint Express C1 Firewall software (up to 500 users) | | | | licenses | USD | 15,000.00 | 5,000.00
Checkpoint Express Update and Support pack (up to 500 users) | Yes | | | licenses | USD | 6,750.00 | 2,200.00
Installation and configuration | | | 200 | manhours | MTL | 5.00 | 1,000.00
Maintenance and support | | 10, 17 | | | | |
Sub-total | | | | | | | 8,200.00 (3.18% of total budget)

Total (all sections) | | | | | | | 257,650.00

Notes and assumptions


1. Prices quoted are indicative and have been included for budgeting purposes.
2. Prices originally quoted in foreign currency are converted to local currency at a
nominal exchange rate.
3. PDA users shall use the GPRS connection daily, whilst laptop users shall use the GPRS connection only when no other Internet connection is available. The GPRS charges assumed are:
   Connection charge (post-paid) is Lm 2 per Mb transferred.
   GPRS connection reaches typical speeds of 40Kbps, up to 45Kbps.
   Monthly service charge is Lm 5 per month, if payable by Direct Debit Mandate, and includes a bundle of 5Mb.

Table 3 - GPRS usage (size)

GPRS usage per user | PDA users (Mb per week) | Laptop users
Electronic mail | 2 |
Company's core system (queries) | 3 |
Browsing the Internet and other | 1 |
Total per week | 6 |
Number of weeks in a year | 52 |
Expected download through GPRS connection (yearly) | 312 Mb | 150 Mb

4. ADSL Modem deposit is refundable upon termination of service.
5. This charge may be waived if the company negotiates the possibility of doing the installations using its own technical resources. Prices and fees have not yet been negotiated in view of bulk purchasing.
6. Recurrent annual expenditure expected.
7. Unless a maintenance agreement is negotiated to cover the risk, it is assumed that failover equipment will be purchased.
8. Price to be confirmed by supplier.
9. Approximate cost per man-hour is calculated at Lm 5 per hour during normal working hours and does not include second line of support. A working week is calculated to have 40 working hours.
10. Maintenance and support calculated as 10% of hardware purchase price. Quotes still to be confirmed by supplier.
11. Connection charge for Mobile Connect Card under 'Everyday Plan' is Lm 7.50 monthly, including 10Mb and Lm 0.70 per Mb of data.
12. Delivery within 2 to 4 weeks.
13. Includes spare equipment for replacement.
14. Included in ISP package (see Connectivity).
15. Renewal of subscription will require extension of the software license from Symantec.
16. Support for Checkpoint software already included in purchase.
17. First line of support provided by service providers.
18. Tape cartridges, ink cartridges and other consumables will be required for these products.
19. Static external IP addresses are to be purchased from the GPRS provider and the ISP for security reasons: a fixed client address allows the VPN server to restrict connections to the authorised addresses (see Client connection below).

Purchases for laptops are expected to increase in 2010 when sales force is increased by 400.
If the current scenario is kept, total PDAs to be held in stock shall increase to 330, whilst the
number of laptops shall increase to 170, including spare laptops held.


Price variations in cost using current prices for installing remote connections as per Table 1 (pg. 3) would be as follows:

Description | Approx cost (MTL) | Increase / decrease in cost**
Servers | nc |
Networking Equipment | nc |
Connectivity | 220,000 | 76% increase
Client equipment and software | 194,000 | 79% increase
Network and Security Management Software | nc |
** Compared to the cost incurred with the current sales force. nc: no change.

Since computer equipment prices change continually it is difficult to predict the cost that will be incurred in five years' time; however, additional equipment, software and connectivity charges (wireless and Internet) will be required for the new remote teleworkers.


Technical design and deployment


The following diagram illustrates the setup proposed, including the specific products that will be used. For detailed technical specifications see Appendix A (page 35).

Figure 3 - Network setup - product specifications (diagram; the components as labelled in the figure are):
Head Office internal network, Server farm VLAN1: SQL Server; SQL Server (failover); Web / Intranet server; E-mail server; Domain Controller / VPN Authentication Server; File / Application server.
Head Office Workstations VLAN2, connected through a switch.
Internal firewall: Checkpoint Express running on an IBM xSeries 346 server, between the internal VLANs and the DMZ Zone VLAN.
DMZ Zone VLAN: IBM xSeries 346 public mail server.
Perimeter: Cisco PIX 515E Security Appliance (firewall and VPN server) behind a Cisco 830 Series router connected to the Internet.
Remote access paths: Vodafone Malta (mobile operator) GPRS connection; OnVol (ISP) ADSL connection through an ADSL modem.
Remote clients: laptop from home (Dell Inspiron 1150 with Dell Inkjet 922C, over ADSL); laptop roaming (Dell Inspiron 1150 with Dell Inkjet 922C, over GPRS); HP iPAQ H6340 (over GPRS).

VPN Overview
A Virtual Private Network carries private traffic over the public Internet, using encryption so that the data is unreadable to anyone on the path; the network is therefore "virtually" private. A VPN provides four functions that together protect the data:
Authentication. Ensuring that the data originates from the source it claims to come from.
Access Control. Preventing unauthorised users from gaining admission to the network.
Confidentiality. Preventing anyone from reading or copying data as it travels across the Internet.
Data Integrity. Ensuring that nobody tampers with data as it travels across the Internet.
Tunnelling encapsulates the original packets inside new IP packets, so that the routing and switching infrastructure of the Internet is hidden from both senders and receivers and the private addressing at each end is hidden from intermediate systems. The encapsulated packets are protected against snooping by outsiders by encrypting the data they carry.

IPSec Overview
IPSec is widely regarded as the strongest VPN solution for IP environments, since it combines encryption, authentication and key management in one standard. Encryption transforms data so that only the intended recipient can read or use it; the recipient must hold the correct decryption key and software to restore the data to its original form. In IPSec the keys also serve to authenticate the users and devices (PDAs and laptops) to the VPN server: the session keys are negotiated only after each side has proved its identity, here by means of a digital certificate.

Client connection
The user connects to the Internet through the Windows dial-up interface, and the VPN client is configured with the settings needed to reach the corporate VPN server:

Setting | Description | Comments
Client IP Address | External IP address, assigned by the ISP when the connection to the Internet is established. | Static IP addresses can be used for clients to enable filtering of the authorised IP addresses on the VPN server. Source-address filtering is a useful extra hurdle, but not a substitute for certificate authentication: addresses can be reassigned by the provider or spoofed.
Server IP Address | vpn.garner.com.mt or the IP address allocated: the external IP address of the VPN server. | This should be a static IP address, since users will be authenticating through this connection. A fixed host name, e.g. vpn.garner.com.mt, shall be used.
Authentication | Digital certificates shall be used to authenticate clients. | These shall be installed and configured during the client setup.
Encryption | Data shall be encrypted using 168-bit 3DES through the VPN tunnel established. The protocol for communication is IPSec. | 3DES is what the budgeted PIX encryption licence covers; where the appliance and the clients both support AES, it is the stronger and faster choice.

Firewall software shall be installed on the laptops. For the time being, the software bundled with the recommended hardware (Norton Internet Security 2005) can be used during the evaluation.
Split tunnelling shall be disabled, since the laptops are intended to be used to connect to the company network: with split tunnelling enabled, a laptop that is at the same time on an untrusted network (a home LAN or a public hotspot) becomes a bridge between that network and the corporate network. Should the user be authorised to use the laptop on, say, his personal home network, it should only be used there when disconnected from the company network.

Figure 4 - Illustration of VPN Tunnel

Server authentication and connection
Connections from the Internet are filtered through the router and the external firewall.

Internet Edge Firewall and VPN Authentication Server
The Cisco PIX 515E shall be set up as the firewall on the perimeter of the network, protecting the DMZ from the Internet.
The appliance is intended for small-to-medium business and enterprise environments and provides up to 188 Mbps of firewall throughput with the ability to handle 125,000 simultaneous sessions. More economical models using similar technology provide up to 20 Mbps of firewall throughput and 16 Mbps of 3DES VPN throughput.
Connections originating from remote clients are filtered by the firewall, which protects the internal network from external threats and provides:
Control over instant messaging, peer-to-peer file sharing and tunnelling applications, to protect network bandwidth;
Protection against forms of attack including denial-of-service (DoS), fragmentation attacks, replay attacks and malformed-packet attacks.
The device shall also be used to authenticate remote users, using the Windows Active Directory server as the authentication server; in practice the PIX authenticates users against a RADIUS or TACACS+ server, so a RADIUS front end to the directory such as Windows Internet Authentication Service (IAS) is needed. The user shall then be able to access the resources allocated to them.
Internal IP addresses are masqueraded (NAT) behind the external IP address, so they are not visible from the public network.
Digital certificates can be revoked by the administrator if they are suspected to have been compromised, and the user can be issued a new certificate to authenticate with. Revocation is only effective if the VPN server checks the certificate's revocation status against the certificate authority's revocation list at every connection attempt, not only when the certificate is first installed.

Public e-mail server
The e-mail server within the Demilitarised Zone shall be configured for the following functions:
Scanning of e-mail for viruses and filtering of spam using Sendmail's scanning engines.
Transmission of e-mail to external e-mail addresses. "External" refers to addresses that are not hosted on the company's internal e-mail server.
Receiving of e-mail from external e-mail addresses. The public mail server shall be configured to relay e-mail addressed to the company's own domain (e.g. john.smith@garner.com.mt) to the internal e-mail server. E-mail for other addresses is accepted only when it arrives from the company's internal e-mail server, and is routed to the provider's e-mail server for transmission. The relay decision must be based on where the connection comes from, not on the sender address written in the message; otherwise the server is an open relay that anyone on the Internet can use to send spam under the company's name.
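The relay rule described above, written out as an added example (this is not part of the original document, nor a Sendmail configuration). Only the garner.com.mt domain comes from the text; the internal mail server address, the provider's smarthost name and the head-office address range are assumptions. The decision is keyed on the network the connection arrives from, which is what keeps the host from being an open relay:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# From the document: the company's mail domain.
COMPANY_DOMAIN = "garner.com.mt"
# Assumed values (not in the document): the internal e-mail server on the
# server farm VLAN, the ISP's outbound smarthost and the head-office ranges.
INTERNAL_MAIL_SERVER = "10.1.1.25"
PROVIDER_SMARTHOST = "smtp.onvol.net.mt"
INTERNAL_NETS = [ip_network("10.1.0.0/16")]


@dataclass(frozen=True)
class Envelope:
    client_ip: str   # address of the SMTP client that connected to the DMZ server
    mail_from: str   # envelope sender; never trusted for relay decisions
    rcpt_to: str     # envelope recipient


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def from_internal_network(client_ip: str) -> bool:
    ip = ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def relay_decision(env: Envelope) -> tuple[str, str]:
    """Decide what the DMZ mail server does with one envelope.

    Returns (action, target):
      ("deliver", host)  inbound mail for the company domain, handed to the internal server
      ("relay", host)    outbound mail from the internal network, handed to the provider
      ("reject", why)    everything else; relaying it would make the host an open relay
    """
    if domain_of(env.rcpt_to) == COMPANY_DOMAIN:
        return ("deliver", INTERNAL_MAIL_SERVER)
    if from_internal_network(env.client_ip):
        return ("relay", PROVIDER_SMARTHOST)
    # env.mail_from is deliberately ignored: a forged "@garner.com.mt"
    # sender from an Internet host must not buy relay rights.
    return ("reject", "relay access denied")


# Constructed sample envelopes (not captured traffic).
SAMPLES = [
    Envelope("203.0.113.7", "partner@example.com", "john.smith@garner.com.mt"),
    Envelope("10.1.1.25", "john.smith@garner.com.mt", "partner@example.com"),
    Envelope("198.51.100.9", "john.smith@garner.com.mt", "victim@example.net"),
]


def run_samples() -> list[tuple[str, str]]:
    return [relay_decision(e) for e in SAMPLES]


if __name__ == "__main__":
    for env, (action, target) in zip(SAMPLES, run_samples()):
        print(f"{env.client_ip:>14} -> {env.rcpt_to:<28} {action:<8} {target}")
```

The third sample is the case that matters: an Internet host presenting a company sender address to an external recipient is refused, because the sender address is the one thing the connecting party controls completely.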

Internal firewall
Checkpoint Express (software) shall be used to accept connections coming only from devices on the DMZ Zone VLAN. It shall also allow the VPN tunnel connections that have been authenticated by the external firewall to reach the internal network for the remote users. The purpose of using a different technology for the internal firewall is that any one firewall may have bugs that would allow a malicious attacker to bypass it; the firewall protecting the internal network is an extra security layer that reduces this risk, since attackers are continually finding new ways of penetrating networks. The extra layer only helps if the inner rule base is written independently of, and more narrowly than, the outer one (for example, the DMZ mail server may reach the internal e-mail server on the mail port only), so that a hole in one does not carry over into the other.
Before Checkpoint is installed, the underlying OS must be secured to the highest level possible, particularly by disabling unnecessary services and applying security patches regularly.
The DMZ cannot contain anything the company cannot bear to lose, particularly critical business data. The purpose of establishing such an island is to become aware of attempted breaches of security before they reach the internal network.
The firewall server shall be installed over Microsoft Windows Server 2003. Although the general trend is to go for Unix-based operating systems such as Red Hat Linux, this operating system is being recommended with a view to using the server for applications currently in use that rely on Windows-based technology.
Most of the time, security measures and protection are reactive rather than proactive.
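The two-layer rule base described above, modelled as an added example (not the project's own PIX or Check Point configuration). The zones follow Figure 3; the permitted ports (25 for mail, 80 for the intranet server, 445 for the file server, 1433 for SQL Server) and the treatment of an authenticated VPN client as its own zone are assumptions of mine. The `outer_bypassed` flag simulates the case the text worries about, a bug that lets traffic past the PIX, and shows the inner firewall still holding:

```python
from dataclasses import dataclass

# Zones as drawn in Figure 3. An authenticated VPN client is modelled as its
# own zone because the PIX terminates the tunnel and then forwards its traffic.
INTERNET, DMZ, VPN, SERVERS, WORKSTATIONS = "internet", "dmz", "vpn", "servers", "workstations"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset  # empty means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.src_zone == p.src_zone and self.dst_zone == p.dst_zone
                and self.proto == p.proto
                and (not self.dports or p.dport in self.dports))


def rule(src: str, dst: str, proto: str, *ports: int) -> Rule:
    return Rule(src, dst, proto, frozenset(ports))


# Outer firewall (Cisco PIX 515E). Only the public mail server is exposed to
# the Internet; VPN clients may reach the server farm. Ports are assumptions.
PIX_RULES = [
    rule(INTERNET, DMZ, "tcp", 25),            # inbound SMTP to the DMZ mail server
    rule(DMZ, INTERNET, "tcp", 25),            # outbound SMTP to the provider
    rule(VPN, SERVERS, "tcp", 80, 445, 1433),  # intranet, file/application, SQL
    rule(SERVERS, INTERNET, "tcp", 80, 443),
    rule(WORKSTATIONS, INTERNET, "tcp", 80, 443),
]

# Inner firewall (Check Point Express). Written independently and more
# narrowly: from the DMZ only SMTP to the internal e-mail server is allowed.
CHECKPOINT_RULES = [
    rule(DMZ, SERVERS, "tcp", 25),
    rule(SERVERS, DMZ, "tcp", 25),
    rule(VPN, SERVERS, "tcp", 80, 445, 1433),
    rule(SERVERS, INTERNET, "tcp", 80, 443),
    rule(WORKSTATIONS, INTERNET, "tcp", 80, 443),
]

OUTSIDE = {INTERNET, VPN}          # beyond the PIX
INSIDE = {SERVERS, WORKSTATIONS}   # behind the Check Point


def firewalls_on_path(p: Packet, outer_bypassed: bool = False):
    """A firewall is crossed when exactly one end of the flow is on its far side."""
    hops = []
    if (p.src_zone in OUTSIDE) != (p.dst_zone in OUTSIDE) and not outer_bypassed:
        hops.append(("pix", PIX_RULES))
    if (p.src_zone in INSIDE) != (p.dst_zone in INSIDE):
        hops.append(("checkpoint", CHECKPOINT_RULES))
    return hops


def evaluate(p: Packet, outer_bypassed: bool = False) -> tuple[bool, str]:
    """Every firewall on the path must hold a matching rule; otherwise default deny."""
    hops = firewalls_on_path(p, outer_bypassed)
    if not hops:
        return True, "no firewall between these zones"
    for name, rules in hops:
        if not any(r.matches(p) for r in rules):
            return False, f"denied by {name} (no matching rule, default deny)"
    return True, "permitted by " + " and ".join(name for name, _ in hops)


if __name__ == "__main__":
    cases = [
        Packet(INTERNET, DMZ, "tcp", 25),
        Packet(INTERNET, DMZ, "tcp", 22),
        Packet(INTERNET, SERVERS, "tcp", 1433),
        Packet(DMZ, SERVERS, "tcp", 25),
        Packet(DMZ, SERVERS, "tcp", 1433),   # compromised mail server probing SQL
        Packet(VPN, SERVERS, "tcp", 445),
        Packet(VPN, WORKSTATIONS, "tcp", 445),
    ]
    for c in cases:
        print(c.src_zone, "->", c.dst_zone, c.proto, c.dport, evaluate(c))
    print("PIX bypassed:", evaluate(Packet(INTERNET, SERVERS, "tcp", 1433), outer_bypassed=True))
```

The case worth noting is the DMZ mail server trying to reach SQL Server: it never crosses the PIX, so only the inner rule base stands between a compromised public host and the business data, which is exactly why that rule base must not simply mirror the outer one.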

Further recommendations
Up to 10 network segments can be allocated to each user, which gives the possibility of further splitting the internal network into separate VLANs for each department, e.g. VLAN2a for Motor Insurance, VLAN2b for Life Insurance, VLAN3 for Administration, VLAN4 for Network Management Staff, etc. This has the advantage of adding more internal security and improving network performance. Moreover, one of the PCs within a section's LAN could be used to store all the users' files for that section rather than a centralised server.
Currently the business does not have a disaster recovery (standby) server for the File / Application server (Carlo) and the Active Directory server (Juan); see figure 1 on page 5. The server being purchased can possibly be used as a disaster recovery machine for these critical machines, provided it is not the one hosting the DMZ mail server: a domain controller must sit on the internal network, not in the DMZ.


Project plan
Set-up and configuration of the remote working system, including selection of suppliers, installation of equipment and software, and testing should take less than four months within the proposed scenario.

1. Project approval
An overview of the project plan shall be delivered by the Network Manager to the company's senior management.
Once the project is approved a Project Team is selected, and it is also decided whether external resources shall be required to assist the Network Team within the required timeframe.
The Project Team shall consist of a number of persons from the following departments and sections, the number of people depending on the focus of the task in hand, as is being recommended:
Project Coordinator
IT (Hardware) Team
IT (Software) Team
IT Support Team
Financing Department
Budget and schedule for the resources required shall be monitored to ensure that the project is delivered on time and on budget.
The Human Resources Department shall pre-advise the staff involved of the impending changes as soon as the project is approved, in order to gather feedback and liaise with the Project Team.
Expected duration: 2 weeks

2. Selection of suppliers - hardware
Quotations from different suppliers shall be gathered for the hardware required. Current company policy recommends taking quotes from at least three distributors. The Project Team shall require mainly resources from the IT (Hardware) Team. The suppliers concerned shall be informed of the decision taken.
Expected duration: 1 week

3. Selection of software - suppliers and packages
Quotations shall be gathered for the software packages required. Software bundled with hardware shall be discussed at this stage. The Project Team shall require mainly resources from the IT (Software) Team. The accepted supplier shall be informed of the decision taken.
Expected duration: 1 week


4. Purchasing orders for server and networking equipment
Once a decision has been taken on the equipment to be purchased, the networking equipment shall be ordered according to the specifications gathered in the previous two tasks. This shall include ordering the software related to network connectivity and management (e.g. VPN client and server software).
The Project Team shall require resources from the IT (Hardware) Team and IT (Software) Team, and mainly from the Financing Department with regard to accountability and budgeting. It should be noted that the capital expense involved is substantial.
Expected duration: 1 week

5. Purchasing orders for laptops and PDAs
Laptops, PDAs and equipment to be attached to remote clients shall be ordered.
The Project Team shall require resources from the IT (Hardware) Team and IT (Software) Team, and mainly from the Financing Department.
Expected duration: 1 week

6. Negotiate and conclude agreements with ISP
An Internet Service Provider shall be selected and arrangements made for the provision of Internet connectivity for remote teleworkers. It may be appropriate to review the current service agreement at this stage. The Project Team shall require resources from the Network Team and from the Financing Department.
Expected duration: 1 week

7. Negotiation of hardware and maintenance agreements
Hardware maintenance agreements shall be reviewed and discussed with the providers. The Project Team shall require resources from the IT (Hardware) Team and from the Financing Department.
Expected duration: 1 week

8. Acceptance of client software for PDAs
Client software for the company's core system should be tested and ideally accepted by the company at this stage. The Project Team shall liaise with the developers or software support staff for the installation and configuration of the software. It is expected that sufficient technical documentation shall be provided to guide installation, configuration and first-line troubleshooting without requiring third-party intervention. Ideally, soft copies of the required documentation are made available to the IS/IT Department of the company.
Expected duration: 2-3 days


9. Equipment received and confirmed
Servers and networking equipment are received, confirmed to comply with the specifications and quality checked.
The Project Team shall require resources from the IT (Hardware) Team.
Expected duration: 2-3 days.

10. Laptops and PDAs received and confirmed
Laptops, printers and PDAs are received, confirmed to comply with the specifications and quality checked. A sample check of the equipment that shall be used in the pilot testing should be sufficient for this purpose.
The Project Team shall require resources from the IT (Hardware) Team.
Expected duration: 2-3 days.

11. Installation and configuration of e-mail server
This shall involve the installation of the operating system, software applications and electronic mail server, followed by configuration and testing as a stand-alone server in the laboratory.
The Project Team shall require resources from the IT (Hardware) Team and IT (Software) Team.
Expected duration: 3-4 days.

12. Laboratory setup of network equipment and preliminary testing
The security appliance (VPN server), firewalls, networks and switches are configured and initially tested in the laboratory.
The Project Team shall require resources from the IT (Hardware) Team and the Network Team.
Expected duration: 2 weeks.

13. Installation and configuration of DMZ
The Demilitarised Zone is set up, configured and initially tested. The network segment shall not be connected at this stage.
The Project Team shall require resources from the Network Team.
Expected duration: 1 week.


14. Migration to new network setup
Any critical issues relating to connectivity and security have to be solved before this stage is started. This includes connectivity to the Internet and configuration of the network equipment. Ideally this shall be done over a weekend, during non-operational hours, so as not to disrupt operations.
Issues have to be dealt with in a way that keeps disconnection during operational hours to a minimum. Hence, this stage might require temporary solutions, with the actual solution discussed over the following week and implemented over the next available weekend or non-working days.
The Project Team shall require resources from the Network Team.
Expected duration: 2 days.

15. Pilot testing
Installation of the operating system (if required) or upgrades, VPN client software, client software for the company's core system and office applications shall be done on a sample of 5 laptops and 5 PDAs. Testing shall include:
Connectivity and acceptable traffic.
Testing of all applications used by remote teleworkers.
Testing of connectivity to network points at Head Office in order to synchronise offline information.
Penetration testing, against the Internet-facing equipment and against a pilot laptop, to confirm that only the intended services are reachable from the Internet.
Sample performance testing, especially at peak hours.
The Project Team shall require resources from the IT (Hardware) Team, IT (Software) Team, Network Team, the Internet Service Provider, the mobile operator and the users who shall carry out the testing and provide feedback to the Project Team, in order to move on to the next stage.
Expected duration: 3 weeks.

16. Software installation on clients
Installation of all required software and configuration changes made to laptops, PDAs, servers and equipment on the network, including the spare equipment to be held at the company's premises. Installation procedures and guidelines should be updated before this stage.
Installation can be done by copying hard disk images from a standard set of clients with pre-installed software and configurations already set up, to make the process more efficient.
The Project Team shall require resources from the IT (Software) Team and Network Team.
Expected duration: 2 weeks.


17. Training
Laptops and PDAs can be distributed to the current remote workers and a short training course organised to introduce the new way of working to the employees. This shall include a briefing on connecting remotely, changes in working procedures and any changes in working conditions.
IT support staff shall be given an overview of the changes implemented, supplemented with the necessary technical documentation.
The Project Team shall require resources from the Human Resources Department, the IT (Support) Team and, obviously, the users themselves.
Expected duration: 1 week.

18. Live
Once the users are generally satisfied with the new setup, feedback shall be gathered from users and support staff, to be collated and included in the final report for management. It would be prudent to plan an IS audit at this stage.


Timeline: weeks 1 to 14 (the Gantt bars showing in which weeks each task falls are not reproduced; the task list and activity classes follow).
Task
1 Project approval by management
2 Selection of suppliers - hardware
3 Selection of software - suppliers and packages
4 Purchasing orders for server and networking equipment
5 Purchasing orders for laptops and PDAs
6 Negotiate and conclude agreements with ISP and mobile operator
7 Negotiation of hardware and maintenance agreements
8 Acceptance of client software for PDAs
9 Equipment received and confirmed
10 Laptops and PDAs received and confirmed
11 Installation and configuration of e-mail server
12 Laboratory setup of network equipment and preliminary testing
13 Installation and configuration of DMZ zone
14 Migration to new network setup
15 Pilot test
16 Software installation on clients
17 Training
18 Live
Activities are classed as: Managerial; Administrative / Technical; Technical; Administrative; Live.
Figure 5 - Schedule (overview)

Responsibilities and duties
The Network Manager is currently responsible for data and voice communication within the company and for communication between the company and external entities.

Business and service management
Communication technology supports the business in reducing the distance between people. The Network Manager takes an active part in the review of the IT/IS strategy and implements the approved proposals according to the allocated budget.

Network Management and Security
Currently the Network Team has the following objectives:
Administration and allocation of network resources.
Monitoring and security of the internal network.
Securing the network from external and internal threats, including physical threats.
Collaboration with other departments, providing support where necessary.
Liaison with the IS/IT department and collaboration on technology-related projects.
The Network Manager is currently responsible for keeping the network up and running at a satisfactory level of performance, particularly during business hours. This is done through the use of appropriate network management software to monitor and control the network, and through implementation, monitoring and review of the Security Policy that protects the information carried over the network. With this implementation the Network Manager shall also be responsible for the reliability and integrity of the connections made through the public network.
Staff have to ensure that they comply with the policies and follow the guidelines issued from time to time by the IS/IT Department, including recommendations from the Network Team.
With the availability of remote connections, it has to be ensured that the network remains satisfactory outside business hours as well.
The Network Manager also co-ordinates the Network Team in order to fulfil its objectives, providing leadership, support and guidance where required.

Project management
The project shall be monitored by the Network Manager or his delegate, who shall take an active part in the project to gather and use the project resources.
Decisions including the choice of suppliers and providers will require his input during the initial stages of the project, particularly with regard to network equipment and its maintenance, connectivity and security.
Negotiation with suppliers of networking equipment and connectivity shall require his direct intervention in order to guide management to the most appropriate options available on the market. He shall liaise closely with other departments throughout this project in order to obtain the best possible package for the remote teleworking system.

Conclusion and recommendations
It may be considered to set up a Web server within the DMZ, whilst keeping the Intranet server within the internal network. Given the substantial investment in security and network infrastructure, the company shall have greater control over the maintenance of the data.
In view of current trends and proven cost-benefit savings in other business scenarios, management may consider the option of implementing VoIP to replace the current PABX technology.
It is recommended that a review assessment is carried out six months after implementation to assess network performance, reliability and security, gather feedback from remote workers on the impact of this change on their lifestyle, and enable management to analyse the benefits gained by this scenario. This can be done by planning an IS audit to support the Network Team in identifying possible weaknesses.

Appendix A - Technical specifications

IBM xSeries 346

Table 4 - IBM xSeries 346 Technical Specifications

Server / Client: Server
Software / Hardware: Hardware
Purpose: Servers on which the firewall and the public mail server are to be installed. The specification purchased allows for further uses of the server (see Further recommendations above).
Processors: Two Intel Xeon 2.8 GHz processors with 800 MHz front-side bus and 1 MB L2 cache
Memory: 1 GB PC2-3200 (2 x 512 MB) ECC DDR2 SDRAM RDIMM kit
Controller: Integrated dual-channel Ultra320 SCSI controller
Diskette drive: IBM 1.44 MB 3.5" diskette drive
Optical drive: IBM 8x DVD-ROM Ultrabay Slim drive
Ethernet: Dual integrated 10/100/1000 Mbps Ethernet
System management: System management processor
Power supply: 625 W hot-swap power supply
Operating system: Windows Server 2003 Enterprise Edition
Storage adapter: ServeRAID 7k controller
Primary array (RAID level 1): 36 GB 15K U320 SCSI hot-swap option
Secondary array (RAID level 1): 36 GB 15K U320 SCSI hot-swap option
External tape drive: IBM 160/320 GB SDLT tape drive
Keyboard: IBM USB keyboard with UltraNav, US English
Uninterruptible power supply: APC 2U Smart-UPS 1400 RMB
Weight and dimensions: weight 64 lbs; height 3.36", width 17.5", depth 27.5"
Features: Power-on password, privileged-access password, selectable boot, unattended start-up
Support: 3 year remote technical support for xSeries, IBM Director, Windows and Linux
(Source: IBM Corporation, USA)

Dell Inspiron 1150

Table 5 - Dell Inspiron 1150 Technical Specifications

Server / Client: Client
Software / Hardware: Hardware
Purpose: Laptop used by remote teleworkers.
Processor: Intel Celeron processor 2.4 GHz
Display: 15" XGA
Support service: Standard package (basic) and cover against accidents; 30 day online security training
USB / parallel cables: USB 2.0 printer cable
Memory: 512 MB 266 MHz DDR RAM (2 x 256 MB)
Hard drive: 40 GB (5400 rpm) Ultra ATA-100 hard drive
Optical drive: Fixed internal 8x DVD drive and software
Modem: Internal 56k V.92-capable fax modem (1)
Network interface: Integrated 10/100 Fast Ethernet network card (2)
Primary battery: 8-cell 65 Whr Li-ion primary battery
Power supply: D-Series 65 W AC adapter
Keyboard: Dell keyboard with touchpad
Security software: Norton Internet Security 2005, 15 month trial version
Warranty: 1 year collect and return
Carry case: Nylon carry case (3)
Weight and dimensions: width 12.9" (329 mm); depth 10.8" (275 mm); weight (with cables) 1.01 lbs (0.46 kg)

1. This can be useful for sending faxes and for the eventual set-up of an emergency dial-up connection to the Internet Service Provider.
2. To enable connection to the network points at Head Office.
3. The case purchased is suitable to carry the printer and cabling as well.
(Source: Dell, United Kingdom)

Dell Printer 922

Table 6 - Dell Printer 922 Technical Specifications

Server / Client: Client
Software / Hardware: Hardware (peripheral)
Purpose: Printer used by laptop users.
Media type: Transparencies, photo paper, standard paper, card stock, labels
Printer type: Inkjet colour printer
Features: Dell Ink Management System, borderless printing
Dimensions (W x D x H): operating 17.2" x 17.5" x 11.4"; closed 17.2" x 12.7" x 6.6"
Weight: 10 lbs
Connectivity technology: Cable
Port(s) total (free) / connector type: USB
Max speed: monochrome up to 19 ppm; colour up to 14 ppm
Copying speed: monochrome up to 12 cpm; colour up to 8 cpm
Max resolution (colour): 4800 x 1200 dpi
Media feeder(s): 100 pages
Total media capacity: input tray 100 pages; output tray 50 pages
Operating system: Microsoft Windows 2000/XP
Support: 1-year Advanced Exchange Service; 1-year 24x7 toll-free tech support
Included: Power adapter, standard capacity colour cartridge, standard capacity monochrome cartridge, placemat, sample Dell Premium Photo Paper pack, owner's manual, consumables recycle/return plastic bag, hardware recycle program label
(Source: Dell, United Kingdom)

Cisco PIX 515E Security Appliance

Table 7 - Cisco PIX 515E Technical Specifications


Server / Client
Server
Software / Hardware
Hardware
Purpose
Internet edge firewall. The
appliance includes software for
managing and configuration of
security and accounting.

Feature / Benefit

Reliable and Expandable Security Appliance

Purpose-Built Security Appliance
- Uses a proprietary, hardened operating system that eliminates the security risks associated with general-purpose operating systems
- Combines Cisco product quality with no moving parts to provide a highly reliable security platform

Fast Ethernet Expansion Options
- Supports easy installation of additional network interfaces through two PCI expansion slots
- Supports expansion cards including single-port Fast Ethernet and four-port Fast Ethernet cards

Hardware VPN Acceleration
- Delivers high-speed VPN services through the addition of either a VPN Accelerator Card (VAC) or a VPN Accelerator Card+ (VAC+). Unrestricted (UR), Failover (FO) and Failover-Active/Active (FO-AA) models have integrated hardware VPN acceleration services

Integration with Leading Third-Party Solutions
- Supports the broad range of Cisco Technology Developer partner solutions that provide URL filtering, content filtering, virus protection, scalable remote management, and more

Industry Certifications and Evaluations
- Earned numerous leading industry certifications and evaluations, including:
    Common Criteria Evaluated Assurance Level 4 (EAL4)
    ICSA Labs Firewall 4.0 Certification, Corporate RSSP Category
    Network Equipment Building Standards (NEBS) Level-3 Compliant


Advanced Firewall Services

Stateful Inspection Firewall
- Provides a wide range of perimeter network security services to prevent unauthorized network access
- Delivers robust stateful inspection firewall services which track the state of all network communications
- Provides flexible access-control capabilities for more than 100 predefined applications, services, and protocols, with the ability to define custom applications and services
- Supports inbound/outbound ACLs for interfaces, time-based ACLs, and per-user/per-group policies for improved control over network and application usage
- Simplifies management of security policies by giving administrators the ability to create re-usable network and service object groups that can be referenced by multiple security policies, simplifying initial policy definition and ongoing policy maintenance

Advanced Application and Protocol Inspection
- Integrates 30 specialized inspection engines that provide rich application control and security services for protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Extended Simple Mail Transfer Protocol (ESMTP), Domain Name System (DNS), Simple Network Management Protocol (SNMP), Internet Control Message Protocol (ICMP), SQL*Net, Network File System (NFS), H.323 Versions 1-4, Session Initiation Protocol (SIP), Cisco Skinny Client Control Protocol (SCCP), Real-Time Streaming Protocol (RTSP), GPRS Tunneling Protocol (GTP), Internet Locator Service (ILS), Sun Remote Procedure Call (RPC), and many more

Modular Policy Framework
- Provides a powerful, highly flexible framework for defining flow- or class-based policies, enabling administrators to identify a network flow or class based on a variety of conditions, and then apply a set of customizable services to each flow/class
- Improves control over applications by introducing the ability to have flow- or class-specific firewall/inspection policies, QoS policies, connection limits, connection timers, and more

Security Contexts
- Enables creation of multiple security contexts (virtual firewalls) within a single Cisco PIX Security Appliance, with each context having its own set of security policies, logical interfaces, and administrative domain
- Supports one licensed level of security contexts: 5 (maximum number of security contexts supported based on model of Cisco PIX Security Appliance)
- Provides businesses a convenient way of consolidating multiple firewalls into a single physical appliance or failover pair, yet retaining the ability to manage each of these virtual instances separately
- Enables service providers to deliver resilient multi-tenant firewall services with a pair of redundant appliances

Layer 2 Transparent Firewall
- Supports deployment of a Cisco PIX Security Appliance in a secure Layer 2 bridging mode, providing rich Layer 2-7 firewall security services for the protected network while remaining "invisible" to devices on each side of it
- Simplifies Cisco PIX Security Appliance deployments in existing network environments by not requiring businesses to re-address the protected networks
- Supports creation of Layer 2 security perimeters by enforcing administrator-defined Ethertype-based access control policies for Layer 2 network traffic


Multi-Vector Attack Protection
- Provides a wealth of advanced attack protection services to defend businesses from many popular forms of attacks, including denial-of-service (DoS) attacks, fragmented attacks, replay attacks, and malformed packet attacks
- Delivers advanced TCP stream reassembly and traffic normalization services to assist in detecting hidden application and protocol layer attacks
- Integrates with Cisco Network Intrusion Prevention System (IPS) solutions to identify and dynamically block or shun hostile network nodes

Authentication, Authorization, and Accounting (AAA) Support
- Integrates with popular AAA services via TACACS+ and RADIUS, with support for redundant servers for increased AAA services resiliency
- Provides highly flexible user and administrator authentication services, dynamic per-user/per-group policies, and administrator privilege control through tight integration with Cisco Secure Access Control Server (ACS)

Robust IPSec VPN Services

Cisco Easy VPN Server (see note 1)
- Delivers feature-rich remote access VPN concentrator services for up to 2000 remote software- or hardware-based VPN clients
- Pushes VPN policy dynamically to Cisco Easy VPN Remote-enabled solutions (such as the Cisco VPN Client) upon connection, helping to ensure that the latest corporate VPN security policies are used
- Performs VPN client security posture checks when a VPN connection attempt is received, including enforcing usage of authorized host-based security products (such as the Cisco Security Agent) and verifying its version number and status prior to letting the remote user access the corporate network
- Provides administrators precise control over what different types of VPN clients (software client, router, VPN 3002, and PIX) are allowed to connect based on type of client, operating system installed, and version of VPN client software
- Supports automatic software updates of Cisco VPN Clients and Cisco 3002 Hardware VPN Clients, with the ability to trigger updates when VPN connections are established, or on-demand for currently connected VPN clients
- Extends VPN reach into environments using NAT or Port Address Translation (PAT), via support of a variety of TCP and UDP-based NAT traversal methods including the Internet Engineering Task Force (IETF) draft standard

Cisco VPN Client
- Includes a free unlimited license for the highly acclaimed, industry-leading Cisco VPN Client
- Available on a wide range of platforms including Microsoft Windows 98, ME, NT, 2000, XP; Sun Solaris; Intel-based Linux distributions; and Apple Macintosh OS X
- Provides many innovative features including dynamic security policy downloading from Cisco Easy VPN Server-enabled products, automatic failover to backup Easy VPN Servers, administrator-customizable distributions, and more
- Integrates with the award-winning Cisco Security Agent (CSA) for comprehensive endpoint security


Native Integration with Popular User Authentication Services
- Provides a convenient method for authenticating VPN users through native integration with popular authentication services including Microsoft Active Directory, Microsoft Windows Domains, Kerberos, LDAP, and RSA SecurID (without requiring a separate RADIUS/TACACS+ server to act as an intermediary)

X.509 Certificate and CRL Support
- Supports Simple Certificate Enrollment Protocol (SCEP)-based enrollment and manual enrollment with leading X.509 solutions from Baltimore, Cisco, Entrust, iPlanet/Netscape, Microsoft, RSA, and VeriSign
- Interoperates with large-scale Public Key Infrastructure (PKI) deployments through n-tiered certificate hierarchy support

Resilient Architecture

Active/Active and Active/Standby Stateful Failover
- Ensures resilient network protection for businesses through the award-winning high availability services provided by certain models of Cisco PIX 515E Security Appliances
- Supports Active/Standby failover services as a cost-effective high availability solution, where one failover pair member operates in hot-standby mode acting as a complete redundant system that maintains current session state information for the active unit
- Delivers advanced Active/Active failover services where both Cisco PIX Security Appliances in a failover pair actively pass network traffic simultaneously and share state information bi-directionally, enabling support for asymmetric routing environments and effectively doubling the throughput of the failover pair for bursty network traffic conditions
- Supports long-distance failover enabling geographic separation of failover pair members, providing another layer of protection

VPN Stateful Failover
- Maximizes VPN connection uptime with new Active/Standby stateful failover for VPN connections
- Synchronizes all security association (SA) state information and session key material between failover pair members, providing a highly resilient VPN solution
- This feature is available on Unrestricted (UR), Failover (FO), and Failover-Active/Active (FO-AA) models only.

Zero-Downtime Software Upgrades
- Enables businesses to perform software maintenance release upgrades on Cisco PIX Security Appliance failover pairs without impacting network uptime or connections through the support of state-sharing between mixed Cisco PIX Security Appliance Software versions (running version 7.0(1) or higher)

Intelligent Networking Services

VLAN-Based Virtual Interfaces
- Provides increased flexibility when defining security policies and eases overall integration into switched network environments by supporting the creation of logical interfaces based on IEEE 802.1q VLAN tags, and the creation of security policies based on these virtual interfaces
- Supports multiple virtual interfaces on a single physical interface through VLAN trunking, with support for multiple VLAN trunks per Cisco PIX Security Appliance
- Supports up to 25 total VLANs on Cisco PIX 515E Security Appliances

QoS Services
- Delivers per-flow, policy-based QoS services, with support for LLQ and traffic policing for prioritizing latency-sensitive network traffic and limiting bandwidth usage of administrator-specified applications
- Enables businesses to have end-to-end QoS policies for their extended network


OSPF Dynamic Routing
- Provides comprehensive OSPF dynamic routing services using technology based on world-renowned Cisco IOS Software
- Offers improved network reliability through fast route convergence and secure, efficient route distribution
- Delivers a secure routing solution in environments using NAT through tight integration with Cisco PIX Security Appliance NAT services
- Supports MD5-based OSPF authentication, in addition to plaintext OSPF authentication, to prevent route spoofing and various routing-based DoS attacks
- Provides route redistribution between OSPF processes, including OSPF, static, and connected routes
- Supports load balancing across equal-cost multipath routes

Dynamic Host Control Protocol (DHCP) Client and Server
- Obtains IP address for outside interface of appliance automatically from service provider
- Provides DHCP server services on one or more interfaces, allowing devices to obtain IP addresses dynamically
- Includes extensions for automated provisioning of Cisco IP phones and Cisco SoftPhone IP telephony solutions

DHCP Relay
- Forwards DHCP requests from internal devices to an administrator-specified DHCP server, enabling centralized distribution, tracking and maintenance of IP addresses

NAT/PAT Support
- Provides rich dynamic, static, and policy-based NAT and PAT services

Flexible Management Solutions

CiscoWorks VPN/Security Management Solution (VMS)
- Provides a comprehensive management suite for large-scale Cisco security product deployments
- Integrates policy management, software maintenance and security monitoring in a single management console

Cisco Adaptive Security Device Manager (ASDM)
- World-class Web-based GUI enables simple, secure remote management of Cisco PIX Security Appliances
- Provides a wide range of informative, real-time, and historical reports which give critical insight into usage trends, performance baselines, and security events

Auto Update
- Provides "touchless" secure remote management of Cisco PIX Security Appliance configuration and software images via a unique "push/pull" management model
- Next-generation secure Extensible Markup Language (XML) over HTTPS management interface can be used by Cisco and third-party management applications for remote Cisco PIX Security Appliance configuration management, inventory, software image management/deployment and monitoring
- Integrates with CiscoWorks Management Center for Firewalls and Auto Update Server for robust, scalable remote management of up to 1000 Cisco PIX Security Appliances (per management server)

Cisco PIX Command Line Interface (CLI)
- Allows customers to use existing Cisco IOS Software CLI knowledge for easy installation and management without additional training
- Supports improved ease-of-use with services such as command completion, context-sensitive help, and command aliasing
- Accessible through a variety of methods including console port, Telnet, and SSHv2

Command-Level Authorization
- Gives businesses the ability to create up to 16 customizable administrative roles/profiles for managing a Cisco PIX Security Appliance (monitoring only, read-only access to configuration, VPN administrator, firewall/NAT administrator, etc.)
- Uses either the internal administrator database or outside sources via TACACS+, such as Cisco Secure ACS

SNMP and Syslog Support
- Provides remote monitoring and logging capabilities, with integration into Cisco and third-party management applications
- Supports Cisco IPSec Flow Monitoring SNMP MIB, providing a wealth of VPN flow statistics including tunnel uptime, bytes/packets transferred, and more

(source: CISCO PIX515E Security Appliance Data Sheet)


Notes
1. AnthaVPN Client v5.0 supports Cisco products, as confirmed by Worldnet21, supplier
and reseller for AnthaSoft.


Cisco VPN Client

Figure 6 - CISCO VPN Client logon screen


Server / Client: Client
Software / Hardware: Software
Purpose: VPN Client installed on laptops

Feature / Description

Operating System: Windows 98, Windows NT, Windows ME, Windows 2000, Windows XP
Connection types: async serial PPP; Internet-attached Ethernet
Protocol: IP
Tunnel protocol: IPSec

Windows NT Feature / Description

Password expiration information: Password expiration information when authenticating through a RADIUS server that references an NT user database. When you log in, the VPN Concentrator sends a message that your password has expired and asks you to enter a new one and then confirm it. On a Release 3.5 or higher VPN Client, the prompt asks you to enter and verify a password.

Start before logon: The ability to establish a VPN connection before logging on to a Windows NT platform, which includes Windows NT 4.0, Windows 2000, and Windows XP systems.

Automatic VPN disconnect on logoff: The ability to enable or disable automatic disconnect when logging off a Windows NT platform. Disabling this feature allows for roaming profile synchronization.

(Source: Cisco VPN Client User Guide.)


Check Point Express


Server / Client: Server
Software / Hardware: Software
Purpose: Internal network firewall software.

Checkpoint software package includes:

VPN-1 Express gateway: Protection for business communications over the Internet using VPN technology.

VPN-1 SecureRemote: Protection for remote access VPN users. This feature will not be used since the Cisco VPN client shall be used for clients.

Firewall-1: Market leading, enterprise-class security. Firewall-1 supports more than 150 predefined applications, services and protocols.

SmartDefense: Integrated network and application-level attack protection. Actively protects organizations from known and unknown network and application-level attacks, using Stateful Inspection and Application Intelligence(TM).

SmartCenter: Centralized Management for all aspects of security.

System requirements

Operating System: Supported on Windows 2000 Server.

Component / Disk space / Memory
VPN-1 Express: 300 MB / 128 MB
SmartCenter Express: 300 MB / 128 MB
SmartDashBoard: 100 MB / 128 MB
SecurePlatform: 4 GB / Recommended 512 MB

(source: Check Point Express Data Sheet)


AnthaVPN Client
Server / Client: Client
Software / Hardware: Software
Purpose: Client VPN software for PDAs.

An IPSec-based client designed for wireless devices, with support for multiple VPN gateways. It supports current and legacy encryption algorithms and was designed to meet government security. PKI certificates are supported, and it can run on Windows Pocket 2003, which will be installed on the PDAs.
(source: AnthaSoft)


References and bibliography


1. Cisco Systems Inc. Website: www.cisco.com.
2. Checkpoint Software Technologies Ltd. Website: www.checkpoint.com.
3. Failover Clustering Support. Source: Microsoft Developer Network. Website: msdn.microsoft.com.
4. Microsoft Windows 2000 Active Directory. Website: www.microsoft.com/windows2000/technologies/.
5. Teleworking Code of Practice for employees, written by Peter Skyte. European Telework Online. Website: http://www.eto.org.uk/.
6. Information Technology Professionals Association (UK). Website: http://www.amicusitpa.org/.
7. Dell United Kingdom. Website: http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen.
8. IBM Corporation, United States. Website: www.ibm.com.
9. The Virtual LAN Technology Report, written by John Freeman, senior consultant at Decisys Inc. Published 1996.
10. Di-ve.com. Web portal. Website: www.di-ve.com.
11. Times of Malta Online Edition. Website: www.timesofmalta.com.
12. CNet.com web portal. Hardware reviews and evaluation software. Website: www.cnet.com.
13. Network World Fusion web portal. Website: www.nwfusion.com.
14. Encyclopedia of Networking, 2nd Edition, written by Werner Feibel. Published by Sybex, 1996. ISBN: 0-7821-1829-1.
15. Vodafone, Malta. Mobile operator. Website: http://www.vodafone.com.mt.
16. Video On Line Ltd, Malta. Internet Service Provider. Website: http://www.onvol.net.
17. AnthaSoft, software development company, secured by Certicom Inc. Website: http://www.anthavpn.com/antha/en/index.html.
18. L2TP/IPSec Application Development. Source: Microsoft Developer Network. Website: msdn.microsoft.com.
19. Sendmail Ltd, United Kingdom. Website: http://www.sendmail.com.
20. RFC 821, Simple Mail Transfer Protocol, written by Jonathan Postel in August 1982. Internet FAQ Archives. Website: http://www.faqs.org/rfcs.
21. IBM Corporation. Website: www.ibm.com.
22. Worldnet21 Technology Ltd., Ireland. Website: www.worldnet21.com.
23. International Engineering Consortium. Website: www.iec.org.
