In this project we will design a network solution that is suitable for a small business. Our business is located in an office park on one floor of a new office building. Our office has all of the modern features of a contemporary workplace, including adequate, clean power, air conditioning and good lighting. We are fortunate in that our office was built with a secure computer room that already has a direct connection to a local Internet Service Provider's regional network, and we will use this connection for our access to the Internet.
Our office will include cube space and office space for 18 workstations. Four of the workstations will be located in private offices for the company executives, and the remaining 14 workstations will be deployed in cubicles for the employees. The cubicles are located in a spacious, open cubicle area. Our computer room is directly adjacent to our cubicle area, and its power and cooling are adequate for server needs. Our computer room has been built with appropriate physical security, so we have controlled access to our servers. All workstations and servers in all offices, cubicles and other areas are easily within 30 meters of each other, so no cable run will exceed 30 meters.
For basic security reasons, we have been tasked with producing a network design that places any servers that must be accessible from the Internet in an area that is logically separate from a private internal area where our internal servers and workstations will reside. Regardless of where they may reside, our servers and workstations must be protected from attack! We are required to describe how we will logically separate our network into an area that is accessible from the Internet and an internal area, how we will secure our network, and how we will secure the servers and workstations in our network. We are admonished to pay particular attention to the security of the servers that must be accessible from the Internet. So, our design will include at a minimum two logically different areas in our network: one area will be accessible from the Internet, and a second, internal area will hold our workstations and internal servers and will not be directly accessible from the Internet.
In our internal area we have several requirements. We are expected to provide wireless service to our employees. We have been cautioned to make sure that our wireless access point is secure and to prevent any unauthorized personnel from connecting to our internal network through our wireless access point. Additionally, our Management is particularly concerned that employees not abuse their access to websites while they are at work. So, we are going to control employee access to websites. All attempts that originate from within our internal area to visit any website will be required to go through a proxy server.
We will have a few servers in our internal area. All workstations in our internal area shall be DHCP clients, so we must have a DHCP server to manage their IP address requests. Other servers in our internal area will include a Database server and a Proxy server. We will also have two network printers in our internal area. In our internal area the IP address of the wireless access point, the IP addresses of all servers, and the IP addresses of both network printers shall be static addresses. Only the workstations in our internal area shall have DHCP-delivered IP addresses.
In our Internet accessible area we shall deploy a Web server and a Mail server. These servers must be publicly accessible as they will host our company website and our company email. We will also have a Bastion host in our Internet accessible area. The Bastion host will exist to provide inbound Secure Shell access to our network so that our Administrators can maintain our network and nodes from other locations when they are not physically present in the office. As such, the Bastion host shall provide a Secure Shell server that is accessible from the Internet.
And, all servers in all areas must be hardened.
Internal Area
· Wireless Access Point – Not directly connected to the Internet
· DHCP Server
· Database Server
· Proxy Server
· 2 Network Printers
· 18 Workstations
Internet Accessible Area
· Web Server
· Mail Server
· Secure Shell Server – Bastion Host
Network Components
· Router(s) – As needed for our design
· Switch(es) – As needed for our design
· Firewall(s) – As needed for our design
· Network Intrusion Detection System / Network Intrusion Prevention System – As needed for our design
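As an added example that is not part of this assignment text, the following script generates an nftables ruleset for a single three-interface firewall that enforces the separation described above: only the published services (web, mail, bastion SSH) are reachable from the Internet, the internal area is never reachable from it, outbound web traffic is allowed only from the proxy, and administrative SSH into the internal area comes only from the bastion. Interface names, addresses (192.0.2.0/24 documentation range and a private range) and service ports are assumptions.

```shell
#!/bin/sh
# Added example, not part of the assignment: an nftables ruleset for the
# three-zone firewall the brief implies (Internet, Internet-accessible area,
# internal area). Interface names, addresses and ports are assumed values.
WAN=eth0; DMZ=eth1; LAN=eth2                         # assumed interfaces
WEB=192.0.2.10; MAIL=192.0.2.20; BASTION=192.0.2.30  # assumed DMZ addresses
PROXY=192.168.10.5                                   # assumed internal proxy

# Print the ruleset; load it on the firewall with:  gen_ruleset | nft -f -
gen_ruleset() {
cat <<EOF
flush ruleset
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Internet -> Internet-accessible area: only the published services
    iifname "$WAN" oifname "$DMZ" ip daddr $WEB tcp dport { 80, 443 } accept
    iifname "$WAN" oifname "$DMZ" ip daddr $MAIL tcp dport { 25, 587, 993 } accept
    iifname "$WAN" oifname "$DMZ" ip daddr $BASTION tcp dport 22 accept
    # Internet -> internal area: no rule exists, so the chain policy drops it
    # Internal -> Internet: web traffic may leave only from the proxy
    iifname "$LAN" oifname "$WAN" ip saddr $PROXY tcp dport { 80, 443 } accept
    iifname "$LAN" oifname "$WAN" tcp dport { 80, 443 } counter drop
    iifname "$LAN" oifname "$WAN" ip saddr $PROXY udp dport 53 accept
    # Internal -> own mail server; bastion -> internal hosts for administration
    iifname "$LAN" oifname "$DMZ" ip daddr $MAIL tcp dport { 587, 993 } accept
    iifname "$DMZ" oifname "$LAN" ip saddr $BASTION tcp dport 22 accept
  }
}
EOF
}

# Sanity check before loading: nothing may be accepted from the Internet into
# the internal area, and the proxy exemption must precede the generic web drop,
# because nftables evaluates the rules of a chain in order.
check_ruleset() {
  rules=$(gen_ruleset)
  printf '%s\n' "$rules" | grep -q "iifname \"$WAN\" oifname \"$LAN\".*accept" && return 1
  proxy_line=$(printf '%s\n' "$rules" | grep -n "saddr $PROXY tcp dport {" | cut -d: -f1)
  drop_line=$(printf '%s\n' "$rules" | grep -n "dport { 80, 443 } counter drop" | cut -d: -f1)
  [ "$proxy_line" -lt "$drop_line" ]
}
```

Workstation-to-proxy traffic stays inside the internal switch and never crosses the firewall, so the ruleset only has to block direct web egress; the `counter` on that drop rule gives a cheap indicator of clients trying to bypass the proxy.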
Our solution must be delivered in a document that will include:
· Management Summary – Our document will begin with a summary description of our design. The summary shall be suitable for consumption by Management.
· Inventory – Our document shall include an inventory of all nodes, including servers, workstations, printers, router(s), switch(es) and other components. Our inventory shall describe the logical deployment of all nodes and components, their purpose and function in our network, and any special features or requirements that each node or component may have.
· Network Diagram – The network diagram must use industry standard symbols that describe the logical deployment of our nodes and components. The network diagram shall complement our inventory.
· Security – The security discussion will describe the security measures that we will take to protect all nodes and components that are deployed on our network. Our security discussion must address all nodes and components individually. For example, the security requirements for a Mail server will be different from the security requirements of a Workstation.
The final document shall be delivered in standard .doc or .docx format. The network diagram shall be embedded in the document. The network diagram can be produced using Microsoft Office tools, Microsoft Visio, or freely available tools like LibreOffice (https://www.libreoffice.org/).
