Network Infrastructure Administration

profileMRyn28
michaelryan_it326_ip4.docx

Installation and Configuration

Michael F. Ryan Jr.

IT326-1403B-01 Network Infrastructure Administration

September-08-2014

Thomas McClain

Running head: INSTALATION AND CONFIGURATION

1

INSTALATION AND CONFIGURATION

2

Contents

Target Organization 3

Proposed Network Solution 4

Network Design 5

Installation and Configuration 7

Maintenance and Troubleshooting 11

Remote Access 12

Network Pro Prep Toolkit 13

Target Organization

The organization that has been selected for the individual project is the Department of Health. The purpose of the Department of Health is to serve the citizens of the Commonwealth by ensuring that they have constant access to health services and interconnect multiple agencies. Currently there are over 650 employees that work for the health department as well as annuitants and contractors. The main purpose behind the department’s network is to allow for secure reliable connections.

The Department of Health’s network configuration will be broken down into seven layers. Each layer that is listed will include specific physical elements and show how it will interact with other levels. The logical topology that is being utilized in DOH’s network is the bus topology along with a physical star topology for the office setup.

Proposed Network Solution

The design of the new DOH network will involve the use of DHCP, DNS and IP Routing. Each layer of the TCP/IP protocol stack function on its own thus making our network move. The DOH will be upgrading the server OS to Windows Server 2008

Equipment that is being used to update the network is Cisco 2911 routers and Cisco Catalyst 3560 switches. Current technology dictates that upgrades to the current equipment be completed within the six month time frame that has been set forth. The network will have less than ten listed static IP’s for firewall clearance and the rest of the host machines will all be set to DHCP so that their IP’s are automatically assigned.

Some protocols in use for the network are HTTPS because all traffic that is being exchanged is secured against unintended viewing since DOH handles all public records such as SSN, Name, Address and other pertinent information for treatment. SFTP implementation will ensure that the files such as for emails and video are delivered successfully and securely.

The email servers that are being implemented are using SMTP and IMAP. SMTP will be used between the other agency servers and the DOH as well as IMAP so that as a user may be teleworking or in a different location they can log into the server via their VPN account and pull their emails that way. The integrity of information and its security are of the utmost important factors in the network design for DOH. Below is a list of the TCP/IP layer protocols that are used for the Department of Health design.

Application: DNS (Host Name), DHCP (Host Configuration), SNMP (Network Management), SFTP (Files), SMTP and IMAP (Emails), HTTPS (Internet) and Telnet (Virtual Support)

Transport: TCP (Guaranteed Delivery)

Internet: IPv4 (Internet Protocol), ICMP (Ping Requests)

Network Interface: Cat5 (Ethernet Cabling), SLIP (Serial Line Interface), LAN/MAN/WAN (Hardware Drivers).

All of the listed protocols that are listed are the basic building blocks that are used when we design our network. The application layer shows how the network will give support to the host machines such as the automatically assigned IP addresses that are currently operating on the present subnet. The security of the network and the many facets of the protocols to choose from yielded what the secretary of health wanted when the design proposal was submitted. All elements such as the listed protocols cover all areas of the network for a base product and if decided upon later changes to the protocols and equipment can be revisited.

Network Design

Based upon the recommendations of the instructor I will be discussing services that are required for the day to day activity of the administrators of the Department of Health’s network team. The next topic that is being mentioned in discussion is how emails are encrypted. I will explain the two topics I have mentioned first and move from there to include the other aspects of my network.

Upon mention of the upgrades to all of the equipment the most important aspect will be the servers. Currently the DOH utilizes servers that do not have Microsoft Server 2008 in which case we must upgrade the OS to better utilize the latest technology. The administrative team will be responsible for monitoring all networks that are placed throughout Pennsylvania. Some daily tasks that are handled range from basic over the phone troubleshooting, site visitation to replace broken or older equipment and monitoring networks via Wireshark and Juniper. The admin staff will consist of two personnel back in the main office while the onsite technician will visit clinics and other agencies to work through problems. Daily trouble tickets are handled in the main office and the administrative team will monitor the Service Now ticket submission service to track what needs to be addressed.

After discussing the daily activities of my network section we can start to look at some basic components that are utilized. The network that I will explain possesses multiple elements which are DNS, DHCP, Certificate Services and IP Routing.

The DOH has been looking through different ideas about how to configure their network to work seamlessly. The overall structure of the network will allow for both access via a VPN account while the employees travel while on business or if they are accessing the server while teleworking. The first component of the network will be the server and how it is set up and then I will discuss the components from there.

The topology that is being included in the design of the network is the logical bus

topology that can be useful while disseminating information such as patches while we maintain a

physical start topology with network closets on all three floors in the IT building. There will be

multiple servers but one server will be designated as a DHCP server in which case host machines

will have access to the internet and the intranet while having IP’s assigned to the machines.

The network will possess Cisco 2911 series routers to operate the WAN for the virtual connections of employees operating outside of the office as well as communication among the LANs for all state agencies and clinics to communicate back and forth. The main component to the network access for employees who are out of the office will be the firewall instituted so that traffic will not access the servers that is not part of the rules in the firewall. All data going to and from the network must pass through the firewall and if it does not meet specifications it will be blocked.

The network will consist of a couple of topologies for the TCP/ IP suite and thus will be well defined to explain how each is implemented to work on the system. Telnet will be a protocol used for connection to hosts on the network for troubleshooting clinic sites and agencies freeing up the desktop team for troubleshooting.

At the application layer there are going to be multiple protocols utilized for daily activities. SMTP will be used when sending emails across the email servers throughout the agency while IMAP and POP3 are used for accessing the mail via Outlook. The protocol used for the internet will be HTTPS while browsing over the web due to the fact that some pages must transfer information securely.

The transmission of files whether via a cloud platform or directly on the servers themselves will implement FTP which will implement UDP for live video streams and TCP for when documents must be received and tracked for location. The two network protocols that are implemented will be SNMP and NTP. When implementing SNMP all networks will be informed of changes in the implementation and NTP will cover time synchronization for DOH’s network.

The remote access of the network will be used for VPN access whether through DSL, Dial-up and wireless. Telnet is implemented in the suggested network allowing the network, desktop and server teams to have access for troubleshooting. A common prompt that will appear on host machines will be like a DOS prompt for them to except the incoming connection for work to their systems.

The LAN will be set up via DHCP with the exception of certain static machines. The configuration of the actual layout of the network will be based on the three levels of the building and the location of the DEMARC which comes into the first floor network closet. The entire network will feature IPv4 with hosts utilizing the DNS and DHCP that have been configured in the DHCP server while some employees have an alternate configuration stored on their machines for taking their workstations to and from work.

The physical connection to the network will be done through CAT5 cables to the network jacks in each office and cubical on the facility. The WAN design will involve the use of a T1 connection giving it a speed of 1.544 Mbps for data transfer and voice transfer.

Department of Health Network Diagram

Installation and Configuration

· Provide detailed installation steps for each of the major components and protocols planned for the system.

· Discuss configuration considerations for installation of these components and protocols.

· Include configuration of the system for remote access.

Maintenance and Troubleshooting

· Describe the maintenance procedures planned for the proposed network, including a schedule of maintenance activities and the steps required for each activity.

· Identify the network operations that will be monitored, the information that will be gathered, and the meaning of the information as it relates to potential system problems.

· List at least 3 potential network problem scenarios, and identify the troubleshooting procedure that will be used if this scenario occurs.

The maintenance of my system will be done monthly. Some mandatory maintenance that must be completed is security patches, hardware replacements/upgrades, Re-configurations, Server reboots and fail-over testing (Microsoft.com, 2014).

The maintenance timeline will scheduled to take place from 17:00 to 2100 on a daily or monthly basis whichever is deemed necessary by the administrative team. If problems arise such as network connection issues then a member of our network team will stay after hours and even on weekends to complete the listed tasks(Microsoft.com, 2014).

Security Patches- With the portion of patch updates in my network maintenance window I will need to ensure that I follow the patch management process. The four main areas to focus on when managing patches are detect, assess, acquire, test, deploy and maintain. There are going to be three tools that are used in the patch management process and they are Microsoft Baseline Security Analyzer (MBSA), Latest Mssecure.cab and Microsoft Software Update Service (SUS) (Microsoft.com, 2014).

MBSA: The main role that MBSA is designed for scanning computers for vulnerable configurations and detect security updates that Microsoft has released. Some areas that are checked for by MBSA are Windows vulnerabilities, weak passwords, IIS vulnerabilities, SQL vulnerabilities and security updates(Microsoft.com, 2014).

Detect : The first step in detecting will be to utilize MBSA for missing patches. MBSA can be utilized in one of two ways either through GUI or through the command line. The command line method will have a schedule set to run every night at 20:00(Microsoft.com, 2014).

Steps that must be taken to run MBSA are listed below in order for the GUI (Microsoft.com, 2014).

1) Double click the desktop icon

2) Click scan computer (Select scan more than one computer and select the IP range you would like)

3) Clear every box but leave Check for security updates

4) Start scan

5) If needed find and download any missing updates

Steps for command line interface (Microsoft.com, 2014)

1) Type mbsacli /i 127.0.0.1 /n OS+IIS+SQL+PASSWORD

a) If you would like to specify the exact computer name type mbsacli /c domain\machinename /n OS+IIS+SQL+PASSWORD

b) Specifying the IP range type mbsacli /r 192.168.0.1 – 192.168.0.254 /n OS+IIS+SQL+PASSWORD

You have the option of scanning the domain but for this assignment I will not be listing how to.

Assessing : Once you have the missing patches identified by MBSA scan identify the vulnerabilities that pose a greater risk. Check Microsoft to see their security bulletin in which a detailed technical report helps in determining threat levels that your system may face (Microsoft.com, 2014).

Acquire : In order to get the needed patches you can do it several ways and they include using the MBSA report details, Windows Update and HotFix & Security Bulletin Search (Microsoft.com, 2014).

1) MBSA Report: In the report there is a link that is provided that will lead you to the bulletin that contains the patch or how to obtain the patch. From the link you can click on the link to download the patch and save it on your local network. Once you have the patch downloaded you can install it on one or multiple computers.

2) Windows Update: Use internet explorer to install updated on the server that you need updates installed on, go to Microsoft.com to select the required updates.

3) HotFix: MBSA has the knowledge Base ID number for the corresponding article for the security bulletin. Upon accessing the security bulletin site you can use the ID to find the matching bulleting describing how to get the patch for your network (Microsoft.com, 2014).

Testing : Before you fully implement the patch to your system verify that no negative changes occur and if a breaking change is to be expected determine how to work around it. There are two methods that can be utilized to test a security patch (Microsoft.com, 2014).

1) Test the patch against a test mirror of the live server configuration. The mirror testing method allows an offline method for you to see how your virtual server works with the changes without affecting your system.

2) The other affective way of ensuring that the patches are compatible with your network is to test them on a few systems on the network. When implementing this method it can be done so that if no other live network has your configuration. The network team will provide a backup of the system before the changes in the event that it degrades the performance (Microsoft.com, 2014).

Deploying : Upon selection of the patches for the DOH’s system there are two ways that we will deploy the patches. Options that we are using are Windows Server Update Services (WSUS) and Systems Management Server (SMS) (Microsoft.com, 2014).

1) WSUS will automatically deploy the critical updates to DOH’s systems on our network. Because all updates are automatically completed the network admin team will not have to visit each host machine and write script.

2) SMS is a tool that will deliver configurations and change management to the server and operating system of host machines (Microsoft.com, 2014).

Maintaining : In the final stage of the network the maintaining of the system is the most important. With the use of MBSA you regularly discover if your system is vulnerable and when these vulnerabilities are found you can go through the listed process of correcting them. There are two methods for maintaining your system and they are Performing security assessments and Using security notification services (Microsoft.com, 2014).

1) Performing security assessments uses MBSA to look for the security risks in your network and since it can be configured to run daily.

2) Using security notification services aids the administrator in our network to receive bulletins that Microsoft releases (Microsoft.com, 2014).

Failover Testing

The failover test allows DOH to ensure that backup system is functioning in the event of hardware failures and or service interruption. In the network diagram you can see two cores because a redundant system is set in place. Below are steps taken to conduct failover testing

1) Right-click the failovercluster manager and click manage cluster

Remote Access

 Remote Connectivity:

· Discuss the remote connectivity needs for the system.

· Identify the applications and hardware necessary to address the remote connectivity requirements.

· Address security, troubleshooting, and maintenance for the remote connectivity.

 Network Implementation Plan final version:

· Review the entire document for any changes and improvements that you would like to make.

· Ensure that this final version of the document is sufficiently detailed to allow the system project managers to effectively implement the network.

· Any previous instructor feedback should be addressed with appropriate changes .

Network Pro Prep Toolkit

Lab 0.0

Section 0.2.2

Section 0.2.4

Lab 1.0

Section 1.1

Section 1.2.3

Section 1.3.5

1.4.4

Section 1.5.6

4.1

7.1

7.2.5

7.2.6

References

How To: Implement Patch Management. (2014). Retrieved September 18, 2014, from http://msdn.microsoft.com/en-us/library/ff647981.aspx

Telnet. (2014, August 16). Wikipedia. Retrieved September 1, 2014, from http://en.wikipedia.org/wiki/Telnet