
Exam Assignment Systeembeheer

Frederik Geutjens, 3TX5


August 15, 2015

Contents
1 Introduction  2
2 Talking Points  2
2.1 General Network Infrastructure  2
2.1.1 Proposed Solution  2
2.2 Acquisitions  4
2.2.1 Proposed Solution  4
2.3 Training Room  4
2.3.1 Proposed Solution  4
2.4 Per-floor Separation  5
2.4.1 Proposed Solution  5
2.5 Mobile Employees  5
2.5.1 Proposed Solution  5
2.6 Email and Electronic Agenda  5
2.6.1 Proposed Solution  5
2.7 VoIP  6
2.7.1 Proposed Solution  6
2.8 Restriction of Internet Usage  6
2.8.1 Proposed Solution  6
2.9 Protecting Confidential Data  6
2.9.1 Proposed Solution  6
2.10 Helpdesk  7
2.10.1 Proposed Solution  7
2.11 Centralization and Virtualization  7
2.11.1 Proposed Solution  7
2.12 Website  8
2.12.1 Proposed Solution  8
2.13 ISDN Lines  8
2.13.1 Proposed Solution  8
2.14 Restriction of Software Installation  8
2.14.1 Proposed Solution  8
2.15 Server Access and Monitoring  9
2.15.1 Proposed Solution  9
2.16 Backups  9
2.16.1 Proposed Solution  9

1 Introduction

When planning the development of the ICT infrastructure of a multinational company you're
asked for advice. This advisory must cover both the technical aspects of the required hardware
and software and possible policy aspects.
The Belgian multinational Stark Industries has 7 branches. The headquarters are in Brussels,
with offices in Milan, Edinburgh, Madrid, München, San Francisco and Tokyo. From conversations
with those involved the following points emerged:

2 Talking Points

2.1 General Network Infrastructure

Stark Industries has approximately 1500 employees. Three quarters of the staff are spread over
the different branches and use desktop computers. A thousand employees work in Brussels,
while the other branches each employ about one hundred staff members. The remaining quarter
of the staff is mobile and uses a company laptop. These staff members occasionally work at the
office, so the internal network must also be accessible wirelessly, allowing them to print and
access file servers. These features are not intended for visitors, however; for them only wireless
Internet access is provided. It should not be possible to access the internal network or the Internet
anonymously: proper user authentication and accounting is required. Connecting non-company
hardware to the wired network should be made impossible.
2.1.1 Proposed Solution

Since a large part of the staff will be working in-house in Brussels, a robust network setup there
will be required. I would propose an internal network with two trunked core routers (for
redundancy) connected through an internal firewall to the Demilitarized Zone (DMZ), which contains
services such as a web server and file server. The DMZ in turn is connected to the Internet
through a second, external firewall. Site-to-site VPN connections can be configured on the firewalls
to provide connectivity between HQ and the branch offices.
The core routers will be connected to access switches, at least one per floor of the building
and more if needed. The wired workstations will then be connected to these access switches.
A wireless controller should also be set up, connected to a switch to which the wireless access
points are attached. Multiple SSIDs will be set up to separate the open visitor network from
the secured employee network, which can use WPA2 authentication. Guest users should be required
to obtain a temporary username/password login to access the visitor network.
Careful placement of the wireless access points is recommended to ensure optimal coverage of
the site. This requires careful planning, and site surveys should be conducted, possibly using
the AP-on-a-stick method.
Active Directory can be used for user authentication and accounting. AD can be integrated
with 802.1X to secure the internal network; in other words, this would prevent unknown
hardware from accessing the network.
All the hardware for the internal network should be kept in a well-secured room accessible only
to the relevant IT staff, to prevent the connection of non-company hardware to the network.
For added security, a policy could be enforced which allows only company-approved devices,
such as company laptops, on the employee wireless network.
See figure 1: Proposed network topology.
This topology could be scaled down and applied to the internal networks of the international
branches, and modified as needed. For example, these branches probably won't need their
own web servers, but they will need a VPN setup.

Figure 1: Proposed network topology

2.2 Acquisitions

Several acquisitions are planned. One of the first steps after an acquisition is interconnecting
the company networks to provide access to resources like file servers and intranet websites. This also
allows a trust relationship to be built between Active Directory domains/forests. Interconnection
at the network layer is fairly simple and straightforward; however, the different DNS domains could
cause problems. It is your task to prepare this thoroughly, both the network/DNS and the application
coupling.
2.2.1 Proposed Solution

As said before, we will be using site-to-site VPN connections to give the branches connectivity to company
resources like file servers and intranet websites.
As for the DNS domains, we will assume the company acquires a zone such as starkindustries.be. We should then set up a DNS server with a nameserver (NS) record, an A record for the nameserver host, and a CNAME record (alias) for each required application, such as:
www
files
webmail
etc.
When an acquisition occurs, their zones will have to be merged into our existing ones.
To provide mobile employees access to these services, a single application platform should
be used which can be accessed through a browser client (using Citrix for example, but other,
cheaper options are also viable).
As for authentication, I would suggest one of two options. Either we use a standard login
to the application platform, which would be cheaper but less secure, or we provide
employee devices with certificates for authentication, which might be more expensive but is also
more secure.
Considering we are also using Active Directory, LDAP authentication based on the AD user
identity would possibly be an even better solution.

2.3 Training Room

The company headquarters in Brussels has a well-equipped training room which is used both for
internal training of staff members and for external individuals. Fifteen computers with
Internet access are available. Internet access should be regulated so it can't be monopolized by
a single person. Staff members should be able to read their email and access their files and folders
in a secure way. Since most of them deal with confidential information, it should be prevented
that outsiders can read along. It should not be possible to spoof an email address, to prevent
maliciously sending email on behalf of someone else. More and more customers want to save on
relocation expenses and choose to have the courses held on their own premises. A simple solution
should be sought which provides access to training materials at an external location,
e.g. a rack full of Cisco gear.
2.3.1 Proposed Solution

First of all, it might be feasible to provide such a room with its own separate Internet connection
for training purposes. However, seeing as this access still needs to be regulated, a router with
QoS support should be chosen so we can enforce fair usage of this connection for all users
involved. On such a device, separate queues can be set up to allow more bandwidth for certain
training-specific applications.
In a physical sense, the room should be set up in such a way that each user can privately use
their own terminal. For this purpose each terminal should be enclosed as much as possible to
prevent external individuals from reading over a user's shoulder.
In a networking sense, email encryption solutions (e.g. Cisco IronPort) can be used to ensure
information integrity for the mailing system. An SPF record should also be set up to prevent
mail address spoofing: receiving mail servers would then accept mail for our domain only from
the hosts the record designates (for example the hosts behind our A or MX records).
For users who wish to take training on their own premises, online training courses should be
made available. A good example of such a course would be the Cisco CCNA on-line courses. A
stock of required training materials would have to be made available and configured if needed
by the Stark IT staff, since I would imagine it is likely that a training device such as a router or
laptop would need to be used for many different training purposes.
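The zone layout from section 2.2.1 (an NS record, A records and CNAME aliases for www, files and webmail) and the SPF check described above can be exercised together. The following is an added example, not part of the original report: it parses a constructed BIND-style zone for the hypothetical starkindustries.be domain (all host names and addresses are made up, using the RFC 5737 documentation range), follows CNAME chains to their A records, and evaluates the zone's SPF record the way a receiving mail server would for the a, mx, ip4 and all mechanisms.

```python
import ipaddress

# Constructed zone for the hypothetical starkindustries.be domain the report proposes.
# Host names and addresses are made up (RFC 5737 documentation range).
ZONE_TEXT = """
$ORIGIN starkindustries.be.
@        IN  NS     ns1.starkindustries.be.
@        IN  MX 10  mail.starkindustries.be.
@        IN  TXT    "v=spf1 mx a:webmail.starkindustries.be ip4:203.0.113.0/28 -all"
ns1      IN  A      203.0.113.2
mail     IN  A      203.0.113.10
webmail  IN  A      203.0.113.11
srv1     IN  A      203.0.113.20
www      IN  CNAME  srv1
files    IN  CNAME  srv1
"""


def fqdn(name):
    """Normalize a DNS name to lower case with a trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_zone(text):
    """Parse a minimal BIND-style zone (NS, MX, A, CNAME, TXT; no TTLs) into
    a dict keyed by (owner name, record type) -> list of rdata strings."""
    origin = "."
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = fqdn(line.split()[1])
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        owner = origin if owner == "@" else (
            fqdn(owner) if owner.endswith(".") else fqdn(owner + "." + origin))
        if rtype == "MX":
            _pref, rdata = rdata.split(None, 1)       # keep only the exchange host
        if rtype == "TXT":
            rdata = rdata.strip().strip('"')
        if rtype in ("NS", "MX", "CNAME") and not rdata.strip().endswith("."):
            rdata = rdata.strip() + "." + origin       # relative target -> absolute
        records.setdefault((owner, rtype), []).append(rdata.strip())
    return records


def resolve_a(records, name, depth=0):
    """Return the A records for a name, following a bounded CNAME chain."""
    if depth > 8:
        raise ValueError("CNAME chain too long")
    name = fqdn(name)
    target = records.get((name, "CNAME"))
    if target:
        return resolve_a(records, target[0], depth + 1)
    return records.get((name, "A"), [])


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(records, domain, sender_ip):
    """Evaluate the domain's SPF record for a sending IP using the a, mx, ip4 and
    all mechanisms (a subset of RFC 7208; include/exists/ptr/ip6 are not handled)."""
    domain = fqdn(domain)
    ip = ipaddress.ip_address(sender_ip)
    spf = [t for t in records.get((domain, "TXT"), []) if t.startswith("v=spf1 ") or t == "v=spf1"]
    if len(spf) != 1:
        return "none" if not spf else "permerror"    # zero or multiple SPF records
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in resolve_a(records, arg or domain)
        elif mech == "mx":
            exchanges = records.get((fqdn(arg or domain), "MX"), [])
            matched = any(str(ip) in resolve_a(records, mx) for mx in exchanges)
        else:
            return "permerror"                        # unsupported mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                   # no mechanism matched


ZONE = parse_zone(ZONE_TEXT)

if __name__ == "__main__":
    print("www ->", resolve_a(ZONE, "www.starkindustries.be"))
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.5", "203.0.113.20", "198.51.100.7"):
        print(ip, spf_check(ZONE, "starkindustries.be", ip))
```

Running the block shows that the mail and webmail hosts pass, an address inside the ip4 range passes, and the host behind www and files (srv1) fails, which is the separation the report wants: only designated hosts may send mail for the domain. The receiving server decides what to do with a fail; the -all qualifier asks it to reject.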

2.4 Per-floor Separation

All network connections come together on each floor in a data room. These data rooms are
connected to a central server room in the basement.
2.4.1 Proposed Solution

The network infrastructure for such a setup is already present in the topology presented in the
first talking point. The core routers, wireless controller, servers and firewalls can be housed in
the server room in the basement. The data rooms will then contain the switches needed for each
floor.

2.5 Mobile Employees

Mobile employees need external access to files on company servers. However, this should not
compromise the security of the internal systems. Secure remote access is necessary.
2.5.1 Proposed Solution

Again, VPN connections are the way to go. Using a mobile-user VPN based on IPsec
with a user-friendly web interface, we can provide access to company files from anywhere in a
secure fashion.
The file server located in the DMZ should be used, by policy if necessary, to exchange files
between employees. Because this file server is located in the DMZ, it is isolated from the internal
network and thus it remains secure.

2.6 Email and Electronic Agenda

All employees should receive a company email address and an electronic agenda. Both should
be accessible from any location at all times.
2.6.1 Proposed Solution

An enterprise mail server should be set up. Many solutions for this exist, some more expensive
than others. One of the most widely used but also more expensive options is Microsoft Exchange.
Alternatively, open source software such as Postfix could be used.
Employee devices can then be configured with Microsoft Outlook, with which they can
access their email anywhere, any time.

2.7 VoIP

There are frequent meetings between staff members of different sites. To save costs the company
wants to switch to IP telephony and video conferencing. The company IT specialists warn that
security and quality of service might become an issue when moving towards a VoIP solution.
2.7.1 Proposed Solution

Depending on the strength of the internal network, it could be possible to merge the VoIP
network into the existing data network. However, certain things need to be taken into account,
such as whether the network has enough bandwidth and whether the firewalls used can pass VoIP traffic.
VoIP needs a very stable connection to work properly. To provide adequate quality of service,
there can be virtually no latency or packet loss on the connection used. As such, it might be
necessary to upgrade to an infrastructure that allows for more bandwidth, with all the costs involved.
To provide a secure VoIP service to employees, several things need to be taken into account.
Calls can be intercepted, but usually only by someone with access to the physical network, so
the physical security measures stipulated in earlier talking points should suffice. VoIP can also
fall victim to theft of service. This can be prevented by employing the authentication features
of the VoIP protocols and by encryption.

2.8 Restriction of Internet Usage

The management wants employees to keep their focus on their work and not be able to use the Internet
freely. On the other hand, they do not want to be too strict. All suggestions are welcome.
2.8.1 Proposed Solution

I would suggest setting up a proxy server between the company network and the Internet which
forwards traffic. By using filters on this proxy server, web traffic can be monitored (in aggregate,
in accordance with privacy laws) and regulated so that certain unwanted websites (social media,
streaming services, pornography, etc.) are not available to employees within the
company network.
An added benefit of using a proxy server is caching: often-visited websites are kept in the cache so
that they load faster when accessed again. This speeds up web traffic for the employees
considerably.
Advanced products such as Microsoft's Internet Security and Acceleration Server (ISA) are
also available, but of course come at a price.
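To show how such proxy filtering decides on a request, here is an added example (not from the report) with a constructed category policy and constructed proxy log lines. It matches hosts against blocked domains on label boundaries, so a subdomain such as m.facebook.com is blocked while notfacebook.com is not, handles CONNECT host:port targets as well as full URLs, and reports blocked requests per category rather than per user, in line with the privacy constraint mentioned above.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed policy: the categories the report names as unwanted, each with a few
# example domains. The domain lists are illustrative, not taken from the report.
BLOCKED_CATEGORIES = {
    "social media": ["facebook.com", "twitter.com"],
    "streaming": ["youtube.com", "netflix.com"],
}


def host_matches(host, domain):
    """True when host is the domain itself or a subdomain of it. Matching on label
    boundaries matters: a plain endswith() would also block notfacebook.com."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def extract_host(url):
    """Pull the host out of a proxied URL or a CONNECT host:port target."""
    if "://" not in url:
        url = "//" + url                 # lets urlsplit treat host:port as the netloc
    return urlsplit(url).hostname       # lower-cased, port and userinfo stripped


def decide(url):
    """Return ('deny', category) for a blocked site, ('allow', None) otherwise."""
    host = extract_host(url)
    if host:
        for category, domains in BLOCKED_CATEGORIES.items():
            if any(host_matches(host, d) for d in domains):
                return "deny", category
    return "allow", None


# Constructed proxy access log: "<epoch> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1439632800 10.10.4.21 GET http://intranet.starkindustries.be/ 200
1439632801 10.10.4.22 GET https://m.facebook.com/home 200
1439632802 10.10.4.23 GET http://notfacebook.com/ 200
1439632803 10.10.4.21 CONNECT www.youtube.com:443 200
1439632804 10.10.4.25 GET http://WWW.Netflix.COM/browse 200
"""


def summarize(log_text):
    """Count blocked requests per category without recording who made them,
    the aggregate view the report calls for under privacy law."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        verdict, category = decide(parts[3])
        if verdict == "deny":
            counts[category] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        url = line.split()[3]
        print(decide(url), url)
    print(dict(summarize(SAMPLE_LOG)))
```

The same decide() function would sit in the proxy's request path; summarize() is the kind of report management sees, which tells them how much traffic policy blocks without exposing individual browsing histories.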

2.9 Protecting Confidential Data

The IT staff are worried about the leaking of confidential data when company laptops or smartphones are lost or stolen. They want to take measures to prevent losing equipment and mitigate
the impact when it does happen. USB storage devices and the like are not trusted. They need
some advice on how to best deal with them.
2.9.1 Proposed Solution

Securing data against someone who has physical access to a device is very difficult, but some measures
can still be taken. Obviously, standard logins to the machines help somewhat, but can sometimes
still be circumvented.
I would suggest adding a clause to the company regulations which states that employees are
not allowed to use their own USB storage devices, that only company-issued storage devices
are allowed, and only for work-related purposes.

A policy which states that employees should use company file servers for data
storage as much as possible could also be an option. This way, the devices themselves would not
contain as much confidential data.
In extreme cases, data encryption could also be used. However, this could possibly slow down
performance on the machines that use it. A separate encrypted partition would be created (on
a laptop for example) which is used for data storage only.

2.10 Helpdesk

A helpdesk is provided for the staff, but the management wants to add support for all offices
from the main location in Brussels. This means that helpdesk staff should be able to take
over company computers remotely. This process should be simple and straightforward, both for
the helpdesk and for the staff member needing assistance. Employees working at the helpdesk are
allowed to work at home 2 days a week. Therefore the above should also be possible from their
home location. Secondly, the IT staff should be able to diagnose and solve system and network
problems remotely. And of course all of this with security in mind.
2.10.1 Proposed Solution

To facilitate remote access, helpdesk staff can use the built-in Windows Remote Assistance
features. Within the internal company network, this would be fairly straightforward, as the
helpdesk employee would only need to ask for the name of the machine the other person is working
on. These names could be printed on a sticker and pasted on the machines themselves, so the
employee needing assistance can tell the helpdesk staffer their machine name.
If the helpdesk staffer is working from home, they should first make a VPN connection to the
company network and proceed from there as described above.
To solve network problems remotely, a remote network monitoring software package such as
Nagios should be installed. This, in combination with systems that control remote administrative
access to network devices, such as TACACS or RADIUS, can allow helpdesk staff to achieve this goal.

2.11 Centralization and Virtualization

They also want to centralize their IT infrastructure as much as possible in Brussels, but without
any reduced performance or reliability for the smaller offices. It's up to you to determine which
equipment is eligible for centralization. In addition, consolidating the servers is also being considered.
Propose a suitable virtualization solution and determine which servers can be virtualized
and which should remain physical. Obviously no performance should be lost. The
main reasons for the above are simplified administration, reduced power consumption and raising
the company image concerning green IT. Other environment-related suggestions are welcome.
2.11.1 Proposed Solution

The proposed network topology already allows for a lot of centralization in Brussels. All the
servers, such as the file, web and mail servers, can be kept there.
It is also possible to provide branch offices with only thin clients and a mobile-user VPN
setup on the firewall. That way, all the other equipment can be kept in Brussels.
Virtualization is definitely possible for most of the servers. They could be consolidated on
one server running different virtual machines for different purposes. I wouldn't
recommend virtualizing the file server however, since it requires large amounts of storage space, which is best
kept physical to ensure smooth operation.

2.12 Website

Stark Industries attaches great importance to its website because this represents the company on
the Internet. Moreover a significant part of the sales runs through this website and availability
and reliability should be guaranteed at all times. Unfortunately there are often problems due
to high load on the web server and database. The IT staff wonders if a second web server can
be set up with some form of load balancing between them. To minimize the impact of network
problems at one location they believe it is best to place the second website at another site.
2.12.1 Proposed Solution

While a second server in another branch might seem to contradict the centralization proposed
earlier, I would suggest using two redundant load balancers placed in the core network in Brussels,
one active and one standing by in case the primary fails. These would then communicate with the web
server in Brussels and a second one placed in either San Francisco or Tokyo (to ensure maximum
proximity to potential users of the website).
By using geographic load balancing, the decision on where a user's request should go
can be made based on the country the user lives in (which can be determined from the user's IP address). This
isn't foolproof however, since the user's IP address might belong to a proxy, for example,
in which case the user would appear to be located in a different country than the one they actually reside in.
A feature could be added to the website which asks the user to indicate on a map which
continent (Europe West, Europe East, America, Asia, etc.) he or she resides in.
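The geographic routing decision described here, including the proxy caveat and the user-selected continent, is worked through in the following added example (not from the report). It assumes the second web server goes to Tokyo and uses a constructed prefix-to-region table in place of a geo-IP database; the server names and the trusted proxy range are also assumptions. The client address is taken from X-Forwarded-For only as far as the hops are the company's own load balancers, because anything further left in that header is supplied by the client.

```python
import ipaddress

# Assumed deployment: the Brussels web server plus a second one in Tokyo
# (the report leaves the choice between San Francisco and Tokyo open).
SERVERS = {"europe": "web-brussels.example", "asia": "web-tokyo.example"}
DEFAULT_REGION = "europe"

# Constructed geolocation table: RFC 5737 documentation prefixes stand in for
# real address-to-region data, which would come from a geo-IP database.
REGION_PREFIXES = [
    (ipaddress.ip_network("198.51.100.0/24"), "europe"),
    (ipaddress.ip_network("203.0.113.0/24"), "asia"),
    (ipaddress.ip_network("203.0.113.192/26"), "europe"),  # more specific entry wins
]

# The continent picked on the map the report proposes, mapped to a server region.
CONTINENT_TO_REGION = {
    "europe west": "europe", "europe east": "europe",
    "asia": "asia",
    "america": "europe",  # assumption: nearest of the two assumed sites
}

# Constructed range of the company's own load balancers / reverse proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def effective_client_ip(remote_addr, x_forwarded_for=None):
    """Pick the address to geolocate: walk X-Forwarded-For from the right, skipping
    our own trusted proxies; the first untrusted hop is the client. Entries further
    left are attacker-controllable and ignored. A direct (untrusted) peer is used
    as-is, so a client cannot relocate itself by adding the header. This value only
    steers routing; it must never be used for access control."""
    chain = [remote_addr]
    if x_forwarded_for:
        chain = [h.strip() for h in x_forwarded_for.split(",") if h.strip()] + chain
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr           # malformed header: fall back to the peer
        if not any(ip in net for net in TRUSTED_PROXIES):
            return str(ip)
    return remote_addr


def region_for_ip(ip_str):
    """Longest-prefix match of an address against the region table."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, region in REGION_PREFIXES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region)
    return best[1] if best else None


def choose_server(remote_addr, x_forwarded_for=None, chosen_continent=None):
    """Return (server, reason): an explicit user choice beats geolocation,
    geolocation beats the default."""
    if chosen_continent:
        region = CONTINENT_TO_REGION.get(chosen_continent.strip().lower())
        if region:
            return SERVERS[region], "user choice"
    region = region_for_ip(effective_client_ip(remote_addr, x_forwarded_for))
    if region:
        return SERVERS[region], "geo lookup"
    return SERVERS[DEFAULT_REGION], "default"


if __name__ == "__main__":
    print(choose_server("203.0.113.9"))                                   # Tokyo by geo
    print(choose_server("10.0.0.5", "203.0.113.9, 198.51.100.7"))         # via our LB
    print(choose_server("192.0.2.1"))                                     # unknown -> default
    print(choose_server("198.51.100.7", chosen_continent="Asia"))         # user override
```

The second call illustrates the proxy problem from the text: the request reaches the load balancer (10.0.0.5) from 198.51.100.7, and although the header also claims 203.0.113.9, only the hop that actually connected to our infrastructure is trusted, so the request is routed to Brussels.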

2.13 ISDN Lines

Currently all branches are connected with headquarters by a number of ISDN lines. Given the
high cost and limited bandwidth, they want to upgrade these links to better and possibly cheaper
alternatives, without compromising on the security and reliability of the interconnections.
2.13.1 Proposed Solution

While ISDN lines are an option for long-distance connections, they provide relatively low bandwidth. Once again, by using VPN services, dedicated physical lines between branches are not necessary,
and VPNs are relatively cheap to deploy and maintain.
Alternatively, it is possible, although quite expensive, to replace the ISDN lines with fibre
optic lines. These provide much more bandwidth.

2.14 Restriction of Software Installation

Users cannot install their own software on company computers. Installed software must be
kept up-to-date on servers and all client computers. This cumbersome process must be as easy
and straightforward as possible. The IT staff wants to spend as little time as possible on the
management of computers and software installation.
2.14.1 Proposed Solution

Users can be prevented from installing software on computers by adjusting their rights accordingly in Active Directory.
To keep software up-to-date, I would suggest setting up a systems management server such
as Microsoft SCCM or Dell KACE. Software packaging specialists will be needed to provide
customized silent installers for specific software, either from the IT staff at Stark or external
consultants. Software can then be installed and updated with almost no interference in the
users' work.

While all of this can be quite costly, it can greatly reduce the cost of the work that would otherwise be
needed to maintain software by hand.

2.15 Server Access and Monitoring

Most servers should only be accessible from the inside. The only exceptions are the mail and
web servers. Traffic between servers should be monitored strictly. Everything should be set up
with security in mind.
2.15.1 Proposed Solution

Servers that should be accessible from the outside should be placed in the DMZ, that is to
say, between the internal and external firewalls. In my opinion, the file server should be placed
in the DMZ, because it would be nice to have it accessible to employees outside of the internal
network, and in the DMZ it is separated from the internal network by the internal firewall.
If preferable, we can always set up a second file server within the internal network as well.
For monitoring, an Intrusion Detection System (IDS) or even an Intrusion Prevention System (IPS) can be set
up to allow system administrators to keep tabs on traffic going in and out of company servers.
This is especially useful for security, as it allows the detection of possible hacking attempts
or virus traffic. Most commercial IDS/IPS products are expensive, but open source options are
also available, such as Snort with BASE.

2.16 Backups

Obviously backups of all data should be taken at regular intervals, preferably to an off-site
location. The company also needs tested disaster recovery procedures which allow, e.g., easy bare-metal
recovery of a crashed server.
2.16.1 Proposed Solution

Several options for backup strategies exist. In our case, I would suggest a combination of these
options, taking into account the available budget.
A NAS (Network Attached Storage) could be set up in the internal network of HQ (and
branch offices if desired) to which data can be written. To provide redundancy, a second
(or more) NAS can be set up at one of the branch offices and synchronized with
the primary one.
Disaster-protected storage is also available, at a price. These devices can withstand disaster
situations such as fire for a short while.
Finally, online storage solutions can also be used. By uploading data to a third-party or
private cloud service, it is protected even further.
For disaster recovery, one of the most used procedures is to take disk images of servers using
a disk imaging application such as dd on Linux or Wbadmin on Windows, which allows recovery
of the affected system to a new physical device or virtual machine.
