Assessment Plan
Appendix Contents
Appendix A) LAN
1. LAN Naming Conventions and Devices
2. Hierarchical IP Scheme and VLAN
3. Link IP Addressing
4. High Level Network Diagram
5. High Level VOIP Diagram
6. High Level Wireless Diagram
7. VOIP Devices
8. VOIP Device Naming Conventions
9. VOIP Bandwidth
10. Wireless Network Placement Table
11. Wireless Equipment List
12. Wireless Infrastructure Device name and Placement
13. Wireless Device Addressing
Appendix B) Security
1. General Security Architecture
2. High Availability Security
3. High Level Security Diagram
Appendix C) Active Directory Design
1. Active Directory Forest
2. Active Forest Directory
3. Replication
4. Group Permissions
5. Group Lists
6. Default Domain Policy GPO
7. WWTC Company Policy GPO
Appendix D) Implementation
1. Employee Contact Information
2. LAN Implementation Task List
3. AD Implementation Task List
4. Security Implementation Task List
5. Router Configuration
6. Tools Required
7. Switch Configuration Template
8. Trunking Template
9. Port Security Template
10. VLAN Configuration Template
11. Security Technology Configuration Task List
12. DHCP Configuration Template
13. DNS Configuration Template
14. DNS Configuration Steps
15. Active Directory Configuration Steps
16. Active Directory GPO Implementation Steps
Appendix E) Miscellaneous
1. Project Timeline
Appendix A: LAN
1. LAN Naming Conventions and Devices
|
Device Type |
Device |
Device Configured Name |
Placement |
Connection |
Comments |
|
Redundant Core Switches |
Cisco 6509-E switch |
CoreSwitch1 CoreSwitch2 |
Data Center |
10G to Distribution |
Fault tolerant support for up to 534 devices, IP services
|
|
Distribution layer switches |
Cisco 4503-E switch |
DistSwitch1 DisSwitch2 |
Data Center |
10G to Core 1G to Access |
Fault tolerant full mesh distribution layer, IP services |
|
Access layer switches |
WS-C3850-48U-E |
Quad1-1 Quad1-2 Quad1-3 Quad1-4 Quad1-5 Quad2-1 Quad2-2 Quad2-3 Quad2-4 Quad2-5 Quad3-1 Quad3-2 Quad3-3 Quad3-4 Quad3-5 Quad3-6 Quad4-1 Quad4-2 Quad4-3 Quad4-4 Quad4-5 Quad4-6 |
Data Center |
1G to Distribution 1G to desktop |
UPoE support, 48 Gig ports per switch, IP services, stackable for fault tolerant performance, integrated wireless controller |
|
Firewall with IPS |
ASA 5508-X |
Firewall1 Firewall2 |
Data Center |
1G to LAN 100Mbps to WAN |
Redundant support for dual WAN link design Ingress/egress IPS security |
|
Redundant power supply for access switch |
PWR-C1-1100WAC |
|
Installed in CoreSwitch1 and CoreSwitch2 |
N/A |
Second power supply for each WS-C3850-48U-E |
|
Wireless AP |
Cisco Aironet 2600 |
|
Ceiling mount caddy corner half way to center |
1G to Access 802.11b/g/n to clients |
450Mbps data rate support, 802.11a/b/g/n, LAN integration, VLAN, 128 client session support |
|
Cisco 6500 switch supervisor |
Cisco VS-S2T-10G-XL |
|
Installed in CoreSwitch1 and CoreSwitch2 |
N/A |
Provides 10G redundant support at the core |
|
Cisco 6500 switch second power supply |
Cisco CAB-AC-2500W-US1 |
|
Installed in CoreSwitch1 and CoreSwitch2 |
N/A |
Provides redundant power supply support |
|
Cisco 4500 switch supervisor |
Cisco WS-X45-Sup 7L-E |
|
Installed in DistSwitch1 and DistSwitch2 |
N/A |
Provides 10G redundant distribution support |
|
Cisco 4500 series line card |
Cisco Catalyst 4500E UPOE Line Card |
|
Installed in DistSwitch1 and DistSwitch2 |
N/A |
Provides 1G redundant access support |
2. Hierarchical IP Scheme and VLAN
|
Location/Dept |
# of IP Addresses Required |
Future Growth |
Rounded Power of 2 |
Number of Host Bits |
Subnet Address Assigned |
|
OPR |
21 |
21 |
64 |
10 |
172.16.6.1-62/26 |
|
NW USA |
32 |
32 |
128 |
9 |
172.16.1.1-126/25 |
|
SW USA |
32 |
32 |
128 |
9 |
172.16.2.1-126/25 |
|
NE USA |
32 |
32 |
128 |
9 |
172.16.3.1-126/25 |
|
SE USA |
32 |
32 |
128 |
9 |
172.16.4.1-126/25 |
|
M USA |
32 |
32 |
128 |
9 |
172.16.5.1-126/25 |
|
Network IT |
50 |
50 |
128 |
9 |
172.16.0.1-126/25 |
|
VLAN Name |
Location/Dept |
VLAN Assignment |
|
Default VLAN |
Unused |
VLAN 1 |
|
Management VLAN |
President, Executive Assistant, VP NW, VP SW, VP NE, VP SE, CEO IT, CEO FIN, CEO HR |
VLAN 3 |
|
Staff VLAN |
Staff/Reception |
VLAN 5 |
|
Broker VLAN |
Broker |
VLAN 7 |
|
Black Hole VLAN |
Vacant/Future Growth |
VLAN 9 |
|
Voice VLAN (VOIP) |
All Departments |
VLAN 10 |
3. Link IP Addressing
|
Core Routing |
||||
|
Device A |
Device B |
Device A Address |
Device B Address |
Network Address |
|
FireWall1 |
CoreSwitch1 |
172.30.0.1 |
172.30.0.2 |
172.30.0.0 |
|
FireWall1 |
CoreSwitch2 |
172.30.0.5 |
172.30.0.6 |
172.30.0.4 |
|
FireWall2 |
CoreSwitch1 |
172.30.0.9 |
172.30.0.10 |
172.30.0.8 |
|
FireWall2 |
CoreSwitch2 |
172.30.0.13 |
172.30.0.14 |
172.30.0.12 |
|
CoreSwitch1 |
DistSwitch1 |
172.30.0.17 |
172.30.0.18 |
172.30.0.16 |
|
CoreSwitch1 |
DistSwitch2 |
172.30.0.21 |
172.30.0.22 |
172.30.0.20 |
|
CoreSwitch2 |
DistSwitch1 |
172.30.0.25 |
172.30.0.26 |
172.30.0.24 |
|
CoreSwitch2 |
DistSwitch2 |
172.30.0.29 |
172.30.0.30 |
172.30.0.28 |
|
Distribution Layer |
||||
|
Device A |
Device B |
Device A Address |
Device B Address |
Network Address |
|
DistSwitch1 |
Quad1-1 |
172.30.0.33 |
172.30.0.34 |
172.30.0.32 |
|
DistSwitch1 |
Quad1-2 |
172.30.0.37 |
172.30.0.38 |
172.30.0.36 |
|
DistSwitch1 |
Quad1-3 |
172.30.0.41 |
172.30.0.42 |
172.30.0.40 |
|
DistSwitch1 |
Quad1-4 |
172.30.0.45 |
172.30.0.46 |
172.30.0.44 |
|
DistSwitch1 |
Quad1-5 |
172.30.0.49 |
172.30.0.50 |
172.30.0.48 |
|
DistSwitch1 |
Quad2-1 |
172.30.0.53 |
172.30.0.54 |
172.30.0.52 |
|
DistSwitch1 |
Quad2-2 |
172.30.0.57 |
172.30.0.58 |
172.30.0.56 |
|
DistSwitch1 |
Quad2-3 |
172.30.0.61 |
172.30.0.62 |
172.30.0.60 |
|
DistSwitch1 |
Quad2-4 |
172.30.0.65 |
172.30.0.66 |
172.30.0.64 |
|
DistSwitch1 |
Quad2-5 |
172.30.0.69 |
172.30.0.70 |
172.30.0.68 |
|
DistSwitch1 |
Quad3-1 |
172.30.0.73 |
172.30.0.74 |
172.30.0.72 |
|
DistSwitch1 |
Quad3-2 |
172.30.0.77 |
172.30.0.78 |
172.30.0.76 |
|
DistSwitch1 |
Quad3-3 |
172.30.0.81 |
172.30.0.82 |
172.30.0.80 |
|
DistSwitch1 |
Quad3-4 |
172.30.0.85 |
172.30.0.86 |
172.30.0.84 |
|
DistSwitch1 |
Quad3-5 |
172.30.0.89 |
172.30.0.90 |
172.30.0.88 |
|
DistSwitch1 |
Quad3-6 |
172.30.0.93 |
172.30.0.94 |
172.30.0.92 |
|
DistSwitch1 |
Quad4-1 |
172.30.0.97 |
172.30.0.98 |
172.30.0.96 |
|
DistSwitch1 |
Quad4-2 |
172.30.0.101 |
172.30.0.102 |
172.30.0.100 |
|
DistSwitch1 |
Quad4-3 |
172.30.0.105 |
172.30.0.106 |
172.30.0.104 |
|
DistSwitch1 |
Quad4-4 |
172.30.0.109 |
172.30.0.110 |
172.30.0.108 |
|
DistSwitch1 |
Quad4-5 |
172.30.0.113 |
172.30.0.114 |
172.30.0.112 |
|
DistSwitch1 |
Quad4-6 |
172.30.0.117 |
172.30.0.118 |
172.30.0.116 |
|
DistSwitch2 |
Quad1-1 |
172.30.0.121 |
172.30.0.122 |
172.30.0.120 |
|
DistSwitch2 |
Quad1-2 |
172.30.0.125 |
172.30.0.126 |
172.30.0.124 |
|
DistSwitch2 |
Quad1-3 |
172.30.0.129 |
172.30.0.130 |
172.30.0.128 |
|
DistSwitch2 |
Quad1-4 |
172.30.0.133 |
172.30.0.134 |
172.30.0.132 |
|
DistSwitch2 |
Quad1-5 |
172.30.0.137 |
172.30.0.138 |
172.30.0.136 |
|
DistSwitch2 |
Quad2-1 |
172.30.0.141 |
172.30.0.142 |
172.30.0.140 |
|
DistSwitch2 |
Quad2-2 |
172.30.0.145 |
172.30.0.146 |
172.30.0.144 |
|
DistSwitch2 |
Quad2-3 |
172.30.0.149 |
172.30.0.150 |
172.30.0.148 |
|
DistSwitch2 |
Quad2-4 |
172.30.0.153 |
172.30.0.154 |
172.30.0.152 |
|
DistSwitch2 |
Quad2-5 |
172.30.0.157 |
172.30.0.158 |
172.30.0.156 |
|
DistSwitch2 |
Quad3-1 |
172.30.0.161 |
172.30.0.162 |
172.30.0.160 |
|
DistSwitch2 |
Quad3-2 |
172.30.0.165 |
172.30.0.166 |
172.30.0.164 |
|
DistSwitch2 |
Quad3-3 |
172.30.0.169 |
172.30.0.170 |
172.30.0.168 |
|
DistSwitch2 |
Quad3-4 |
172.30.0.173 |
172.30.0.174 |
172.30.0.172 |
|
DistSwitch2 |
Quad3-5 |
172.30.0.177 |
172.30.0.178 |
172.30.0.176 |
|
DistSwitch2 |
Quad3-6 |
172.30.0.181 |
172.30.0.182 |
172.30.0.180 |
|
DistSwitch2 |
Quad4-1 |
172.30.0.185 |
172.30.0.186 |
172.30.0.184 |
|
DistSwitch2 |
Quad4-2 |
172.30.0.189 |
172.30.0.190 |
172.30.0.188 |
|
DistSwitch2 |
Quad4-3 |
172.30.0.193 |
172.30.0.194 |
172.30.0.192 |
|
DistSwitch2 |
Quad4-4 |
172.30.0.197 |
172.30.0.198 |
172.30.0.196 |
|
DistSwitch2 |
Quad4-5 |
172.30.0.201 |
172.30.0.202 |
172.30.0.200 |
|
DistSwitch2 |
Quad4-6 |
172.30.0.205 |
172.30.0.206 |
172.30.0.204 |
|
Access Layer |
||||
|
Device A |
Device B |
Device A Address |
Device B Address |
Network Address |
|
Quad1-1 |
Quad1-2 |
172.30.0.209 |
172.30.0.210 |
172.30.0.208 |
|
Quad1-2 |
Quad1-3 |
172.30.0.213 |
172.30.0.214 |
172.30.0.212 |
|
Quad1-3 |
Quad1-4 |
172.30.0.217 |
172.30.0.218 |
172.30.0.216 |
|
Quad1-4 |
Quad1-5 |
172.30.0.221 |
172.30.0.222 |
172.30.0.220 |
|
Quad1-5 |
Quad1-1 |
172.30.0.225 |
172.30.0.226 |
172.30.0.224 |
|
Quad2-1 |
Quad2-2 |
172.30.0.229 |
172.30.0.230 |
172.30.0.228 |
|
Quad2-2 |
Quad2-3 |
172.30.0.233 |
172.30.0.234 |
172.30.0.232 |
|
Quad2-3 |
Quad2-4 |
172.30.0.237 |
172.30.0.238 |
172.30.0.236 |
|
Quad2-4 |
Quad2-5 |
172.30.0.241 |
172.30.0.242 |
172.30.0.240 |
|
Quad2-5 |
Quad2-1 |
172.30.0.245 |
172.30.0.246 |
172.30.0.244 |
|
Quad3-1 |
Quad3-2 |
172.30.0.249 |
172.30.0.250 |
172.30.0.248 |
|
Quad3-2 |
Quad3-3 |
172.30.0.253 |
172.30.0.254 |
172.30.0.252 |
|
Quad3-3 |
Quad3-4 |
172.30.1.1 |
172.30.1.2 |
172.30.1.0 |
|
Quad3-4 |
Quad3-5 |
172.30.1.5 |
172.30.1.6 |
172.30.1.4 |
|
Quad3-5 |
Quad3-6 |
172.30.1.9 |
172.30.1.10 |
172.30.1.8 |
|
Quad3-6 |
Quad3-1 |
172.30.1.13 |
172.30.1.14 |
172.30.1.12 |
|
Quad4-1 |
Quad4-2 |
172.30.1.17 |
172.30.1.18 |
172.30.1.16 |
|
Quad4-2 |
Quad4-3 |
172.30.1.21 |
172.30.1.22 |
172.30.1.20 |
|
Quad4-3 |
Quad4-4 |
172.30.1.25 |
172.30.1.26 |
172.30.1.24 |
|
Quad4-4 |
Quad4-5 |
172.30.1.29 |
172.30.1.30 |
172.30.1.28 |
|
Quad4-5 |
Quad4-6 |
172.30.1.33 |
172.30.1.34 |
172.30.1.32 |
|
Quad4-6 |
Quad4-1 |
172.30.1.37 |
172.30.1.38 |
172.30.1.36 |
|
Quad1-1 |
Quad1-3 |
172.30.1.41 |
172.30.1.42 |
172.30.1.40 |
|
Quad1-2 |
Quad1-4 |
172.30.1.45 |
172.30.1.46 |
172.30.1.44 |
|
Quad1-3 |
Quad1-5 |
172.30.1.49 |
172.30.1.50 |
172.30.1.48 |
|
Quad1-4 |
Quad1-1 |
172.30.1.53 |
172.30.1.54 |
172.30.1.52 |
|
Quad1-5 |
Quad1-2 |
172.30.1.57 |
172.30.1.58 |
172.30.1.56 |
|
Quad2-1 |
Quad2-3 |
172.30.1.61 |
172.30.1.62 |
172.30.1.60 |
|
Quad2-2 |
Quad2-4 |
172.30.1.65 |
172.30.1.66 |
172.30.1.64 |
|
Quad2-3 |
Quad2-5 |
172.30.1.69 |
172.30.1.70 |
172.30.1.68 |
|
Quad2-4 |
Quad2-1 |
172.30.1.73 |
172.30.1.74 |
172.30.1.72 |
|
Quad2-5 |
Quad2-2 |
172.30.1.77 |
172.30.1.78 |
172.30.1.76 |
|
Quad3-1 |
Quad3-3 |
172.30.1.81 |
172.30.1.82 |
172.30.1.80 |
|
Quad3-2 |
Quad3-4 |
172.30.1.85 |
172.30.1.86 |
172.30.1.84 |
|
Quad3-3 |
Quad3-5 |
172.30.1.89 |
172.30.1.90 |
172.30.1.88 |
|
Quad3-4 |
Quad3-6 |
172.30.1.93 |
172.30.1.94 |
172.30.1.92 |
|
Quad3-5 |
Quad3-1 |
172.30.1.97 |
172.30.1.98 |
172.30.1.96 |
|
Quad3-6 |
Quad3-2 |
172.30.1.101 |
172.30.1.102 |
172.30.1.100 |
|
Quad4-1 |
Quad4-3 |
172.30.1.105 |
172.30.1.106 |
172.30.1.104 |
|
Quad4-2 |
Quad4-4 |
172.30.1.109 |
172.30.1.110 |
172.30.1.108 |
|
Quad4-3 |
Quad4-5 |
172.30.1.113 |
172.30.1.114 |
172.30.1.112 |
|
Quad4-4 |
Quad4-6 |
172.30.1.117 |
172.30.1.118 |
172.30.1.116 |
|
Quad4-5 |
Quad4-1 |
172.30.1.121 |
172.30.1.122 |
172.30.1.120 |
|
Quad4-6 |
Quad4-2 |
172.30.1.125 |
172.30.1.126 |
172.30.1.124 |
|
VOIP Infrastructure |
||||
|
Device A |
Device B |
Device A Address |
Device B Address |
Network Address |
|
CUCM-1 |
DistSwitch1 |
172.30.1.129 |
172.30.1.130 |
172.30.1.128 |
|
CUCM-2 |
DistSwitch1 |
172.30.1.133 |
172.30.1.134 |
172.30.1.132 |
|
UNITY-1 |
DistSwitch1 |
172.30.1.137 |
172.30.1.138 |
172.30.1.136 |
|
UNITY-2 |
DistSwitch1 |
172.30.1.141 |
172.30.1.142 |
172.30.1.140 |
|
CUCM-1 |
DistSwitch2 |
172.30.1.145 |
172.30.1.146 |
172.30.1.144 |
|
CUCM-2 |
DistSwitch2 |
172.30.1.149 |
172.30.1.150 |
172.30.1.148 |
|
UNITY-1 |
DistSwitch2 |
172.30.1.153 |
172.30.1.154 |
172.30.1.152 |
|
UNITY-2 |
DistSwitch2 |
172.30.1.157 |
172.30.1.158 |
172.30.1.156 |
|
Wireless Infrastructure |
||||
|
Device A |
Device B |
Device A Address |
Device B Address |
Network Address |
|
DistSwitch1 |
WWTCwlan01 |
172.30.1.161 |
172.30.1.162 |
172.30.1.160 |
|
DistSwtich2 |
WWTCwlan02 |
172.30.1.165 |
172.30.1.166 |
172.30.1.164 |
|
DistSwitch1 |
WWTCwlan.access01 |
172.30.1.169 |
172.30.1.170 |
172.30.1.168 |
|
DistSwitch2 |
WWTCwlan.access02 |
172.30.1.173 |
172.30.1.174 |
172.30.1.172 |
4. High Level Network Diagram
5. High Level VOIP Diagram
6. High Level Wireless Diagram
7. VOIP Devices
|
Devices |
Needs |
IP Addressing |
VLAN |
|
Cisco IP Phones |
Minimum 105 addresses needed. Class C will provide 254 addresses for future VoIP expansion. |
172.20.0.0/24 |
10 |
8. VOIP Device Naming Conventions
|
Device Type |
Device |
Device Name |
Placement |
|
HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz
|
Server |
CUCM-1 |
Data Center |
|
HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz
|
Server |
CUCM-2 |
Data Center |
|
HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz
|
Server |
UNITY-1 |
Data Center |
|
HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz
|
Server |
UNITY-2 |
Data Center |
9. VOIP Bandwidth
|
IP Phone |
CODEC |
Rate |
Sample Time |
Payload |
Packets Per Second |
Bandwidth |
Frame Relay |
cRTP |
|
7942G, 7962G |
G.711 |
64 Kbps |
30 ms |
240 bytes |
33.3 |
79.4 Kbps |
76.2 Kbps |
66.6 Kbps |
|
Multiplied by 105 x 70% |
G.711 |
|
|
|
|
5,835.9 Kbps |
5,600 Kbps |
4,895 Kbps |
10. Wireless Network Placement Table
|
Wireless Network Placement Table |
||||
|
Office Location |
Access Point Requirements |
Wireless LAN Controller Requirements |
Total AP |
Total WLC |
|
Server Room |
|
2 |
|
2 |
|
Lobby |
6 |
|
6 |
|
|
Conference Room #1 |
4 |
|
4 |
|
|
Conference Room #2 |
4 |
|
4 |
|
|
Total |
|
|
14 |
2 |
11. Wireless Equipment List
|
Cisco Equipment List |
|||
|
Device |
Cisco Model# |
Quantity |
Comments |
|
Access Point (AP) |
Cisco Aironet 2700i Access Point AIR-CAP2702I-xK910 (10-pack) |
14 |
Supports 802.11ac/n, speeds up to 1.3 Gbps, guest access, BYOD, wIPS, IPv6, and 802.1X |
|
Wireless LAN Controller (WLC) |
Cisco 5520 Wireless Controller AIR-CT5520-K9 |
2 |
Supports 802.11ac/n, Bonjour services, guest access, BYOD, wIPS, IPv6, and 802.1X |
|
Access Layer Switch |
Cisco Catalyst 3850 Series Switch (24 Ports) WS-C3850-24P-S
|
2 |
Supports PoE, Gigabit speed, expansion of WLAN, and integration with wireless infrastructure |
12. Wireless Infrastructure Device Name and Placement
|
Wireless Infrastructure Device Name and Placement |
|||
|
Device |
Device Name |
Placement |
Connection |
|
Cisco Aironet 2700i Access Point
|
WWTCnyc001 WWTCnyc002 WWTCnyc003 WWTCnyc004 WWTCnyc005 WWTCnyc006 |
Lobby
|
Access Layer Switch vLAN 11 (Bonjour Services) |
|
Cisco Aironet 2700i Access Point
|
WWTCnyc007 WWTCnyc008 WWTCnyc009 WWTCnyc010
|
Conference Room #1
|
Access Layer Switch vLAN 11 (Bonjour Services) |
|
Cisco Aironet 2700i Access Point
|
WWTCnyc011 WWTCnyc012 WWTCnyc013 WWTCnyc014
|
Conference Room #2
|
Access Layer Switch vLAN 11 (Bonjour Services) |
|
Cisco 5520 Wireless Controller
|
WWTCwlan01 WWTCwlan02 |
Server Room |
Access Layer Switch vLAN 11 (Bonjour Services) Distribution Layer Switch |
|
Cisco Catalyst 3850 Series Switch (Access Layer) |
WWTCwlan.access01 WWTCwlan.access02 |
Server Room |
Access Points Wireless LAN Controller |
13. Wireless Device Addressing
|
Devices |
Needs |
IP Addressing |
VLAN |
|
Multiple Wireless Devices
|
Separate subnet will be provided for the WLAN with 200 IP address available for clients and 52 reserved for additional infrastructure devices (i.e. access points); vLAN will be needed for Bonjour Services (Apple Devices) |
172.16.10.0/24 200 – IP Addresses Available for Clients 54 - IP Addresses Reserved |
11 |
Appendix B: Security
1. General Security Architecture
WWTC IT Security Architecture Framework
Data/Information
Security
Identity and Access Management
Authorization
IT Security Policy
Implementation
Audit
Authentication
Application
Security
Infrastructure
Security
2. High Availability Security
Figure 1. Lukatsky, 2003
3. High Level Security Diagram
Appendix C: Active Directory Design
1. Active Directory Forest
Domain
WWTC.com
Domain container 2 and the 3rd container replication maybe present.
2. Active Forest Directory
3. Replication
4. Group Permissions
5. Group Lists
For the design of WWTC, we will be using the following Universal groups:
· President_U
· VPs_U
· CEOs_U
· Managers_U
· Brokers_U
· Staff_U
· ITSupport_U
· Operations_U
· IT_U
· Finance_U
· HR_U
· Workstations_U
· Printers_U
· Servers_U
We will create the following Global Groups:
· President
· VPs
· CEOs
· Managers
· Brokers
· Staff
· ITSupport
· Operations
· IT
· Finance
· HR
· Workstations
· Printers
· Servers
We will create the following Domain Local Groups:
· President_Resources
· VPs_Resources
· CEOs_Resources
· Managers_Resources
· Brokers_Resources
· Staff_Resources
· ITSupport_Resources
· Operations_Resources
· IT_Resources
· Finance_Resources
· HR_Resources
6. Default Domain Policy GPO
Password Policy GPO Settings
|
Enforce password history = 6 |
|
Maximum password age = 60 |
|
Minimum password age = 15 |
|
Minimum password length = 12 |
|
Password must meet complexity requirement |
|
Store passwords using reversible encryption for all users in the domain |
|
Account lockout duration = 15 |
|
Account lockout threshold = 3 |
|
Reset lockout counter after = 15 |
Account Audit GPO Settings
|
Audit account logon events = success / failure |
|
Audit account management = success / failure |
|
Audit directory service access = success / failure |
|
Audit logon events = success / failure |
|
Audit object access = success / failure |
|
Audit policy change = success / failure |
|
Audit privilege use = success / failure |
|
Audit process tracking = success / failure |
|
Audit system events = success / failure |
User Access Control (UAC) GPO Settings
|
User Account Control: Admin Approval Mode for the Built-in Administrator account = enabled |
|
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode = prompt for consent on the secure desktop |
|
User Account Control: Behavior of the elevation prompt for standard users = prompt for credentials |
|
User Account Control: Detect application installations and prompt for elevation = enabled |
|
User Account Control: Only elevate executables that are signed and validated = enabled |
|
User Account Control: Run all administrators in Admin Approval Mode = enabled |
|
User Account Control: Switch to the secure desktop when prompting for elevation = enabled |
|
User Account Control: Virtualize file and registry write failures to per-user locations = enabled |
7. WWTC Company Policy GPO
BitLocker Policy GPO Settings
|
Choose drive encryption method and cipher strength = enabled; AES 256-bit |
|
Allow enhanced PINs for startup = enabled |
|
Use enhanced Boot Configuration Data validation profile = enabled |
|
Choose how BitLocker-protected operating system drives can be recovered = enabled; store in AD DS |
|
Enforce drive encryption type on operating system drives = enabled; full disk encryption |
|
Require additional authentication at startup = enabled; TPM with Pin |
|
Allow network unlock at startup = enabled |
|
Configure minimum PIN length for startup = enabled; min. 6 characters |
|
Configure use of hardware-based encryption for operating system drives = enabled |
|
Allow Secure Boot for integrity validation = enabled |
|
Configure TPM platform validation profile for BIOS-based firmware configurations = enabled |
|
Configure TPM platform validation profile for native UEFI firmware configurations = enabled |
|
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing = enabled |
|
System cryptography: Force strong key protection for user keys stored on the computer = user is prompted when key is first used |
BranchCache GPO Settings
|
Turn on BranchCache = enabled |
|
Set percentage of disk space used for client computer cache = enabled; 15% |
|
Set BranchCache Hosted Cache mode = enabled |
|
Configure BranchCache for network files = enabled |
|
Enable Automatic Hosted Cache Discovery by Service Connection Point = enabled |
|
Configure Hosted Cache Servers = enabled |
|
Set age for segments in the data cache = enabled; 15 days |
|
Timeout for inactive BITS jobs = enabled |
|
Limit the maximum BITS job download time = enabled; 5 days |
|
Limit the maximum network bandwidth for BITS background transfers = enabled |
|
Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers = enabled |
|
Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers = enabled |
|
Allow BITS Peercaching = enabled |
|
Limit the age of files in the BITS Peercache = enabled; 10 days |
|
Limit the BITS Peercache size = enabled; 10% |
|
Limit the maximum network bandwidth used for Peercaching = enabled |
|
Set default download behavior for BITS jobs on costed networks = enabled |
|
Limit the maximum number of BITS jobs for this computer = enabled |
|
Limit the maximum number of BITS jobs for each user = enabled |
|
Limit the maximum number of files allowed in a BITS job = enabled |
|
Limit the maximum number of ranges that can be added to the file in a BITS job = enabled |
|
Hash Publication for BranchCache = enabled |
|
Hash Version support for BranchCache = enabled; value of 3 |
Offline (Cache) Encryption GPO Settings
|
Default cache size = enabled; 15% |
|
Allow or Disallow use of the Offline Files feature = enabled |
|
Encrypt the Offline Files cache = enabled |
|
Event logging level = enabled |
|
Files not cached = enabled |
|
Action on server disconnect = enabled; never go offline |
|
Prevent use of Offline Files folder = enabled |
|
Prohibit user configuration of Offline Files = enabled |
|
Remove "Make Available Offline" command = enabled |
|
Remove "Make Available Offline" for these files and folders = enabled |
|
At logoff delete local copy of user’s offline files = enabled |
|
Limit disk space used by Offline Files = enabled |
Smart Card GPO Settings
|
Interactive logon: Do not display last user name = enabled |
|
Interactive Logon: Display user information when session is locked = name only |
|
Interactive logon: Machine account lockout threshold = 3 attempts |
|
Interactive logon: Machine inactivity limit = 7 minutes |
|
Interactive logon: Message text for users attempting to logon = TBD |
|
Interactive logon: Message title for users attempting to logon = TBD |
|
Interactive logon: Number of previous logons to cache (in case domain controller is not available) = 1 logons |
|
Interactive logon: Prompt user to change password before expiration = 15 days |
|
Interactive logon: Require smart card = enabled |
|
Interactive logon: Smart card removal behavior = lock workstation |
|
Allow certificates with no extended key usage certificate attribute = enabled |
|
Filter duplicate logon certificates = enabled |
|
Allow signature keys valid for Logon = enabled |
|
Turn on certificate propagation from smart card = enabled |
|
Configure root certificate clean up = enabled |
|
Turn on root certificate propagation from smart card = enabled |
|
Display string when smart card is blocked = enabled |
|
Prevent plaintext PINs from being returned by Credential Manager = enabled |
|
Allow user name hint = enabled |
|
Turn on Smart Card Plug and Play service = enabled |
|
Notify user of successful smart card driver installation = enabled |
|
Allow ECC certificates to be used for logon and authentication = enabled |
File Classification GPO Settings
|
File Classification Infrastructure: Display Classification tab in File Explorer = enabled |
|
File Classification Infrastructure: Specify classification properties list = enabled |
|
Customize message for Access Denied errors = enabled |
|
Enable access-denied assistance on client for all file types = enabled |
(Microsoft, 2015)
Appendix D: Implementation
1. Employee Contact Information
|
Consultants |
WWTC Employee |
|
Project Engineering Lead: XXXXX Phone: O: (212) 555-1234 C: (212) 555-7845
|
Project Manager: Joe Schmo Phone: O: (212) 555-5678 C: (212) 555-2536 Email: [email protected] |
|
Network Engineer: XXXXX Phone: O: (212) 555-1234 C: (212) 555-9865 Email: [email protected]
|
Network Administrator: Bob Barker Phone: O: (212) 555-5678 C: (212) 555-5263 Email: [email protected]
|
|
Security Engineer: XXXX Phone: O: (212) 555-1234 C: (212) 555-1232 Email: [email protected]
|
Security Analyst: Alex Trebek Phone: O: (212) 555-5678 C: (212) 555-9685 Email: [email protected]
|
|
Systems Engineer: XXXXX Phone: O: (212) 555-1234 C: (212) 555-5478 Email: [email protected]
|
Systems Administrator: Pat Sajak Phone: O: (212) 555-5678 C: (212) 555-7485 Email: [email protected] |
|
Voice Engineer: XXXXX Phone: O: (212) 555-1234 C: (212) 555-9865 Email: [email protected] |
Voice Administrator: Drew Carey Phone: O: (212) 555-5678 C: (212) 555-4758 Email: [email protected] |
2. LAN Implementation Task List
|
Task Order |
Task |
|
1 |
Unbox and inventory all equipment and parts |
|
2 |
Install Core Routers |
|
3 |
Install Distribution Layer Switches |
|
4 |
Install Access Layer Switches |
|
5 |
Configure Core Routers |
|
6 |
Configure Distribution Layer Switches |
|
7 |
Configure Access Layer Switches |
|
8 |
Test All Access Layer Switches Connectivity |
|
9 |
Install Wireless LAN Controllers |
|
10 |
Configure Wireless LAN Controllers |
|
11 |
Install Wireless APs |
|
12 |
Test Wireless Connectivity |
|
13 |
Install VOIP Server Hardware |
|
14 |
Install VOIP Management Software |
|
15 |
Install VOIP Handsets |
|
16 |
Test VOIP Connectivity |
|
17 |
Install IP Video Conferencing endpoints |
|
18 |
Test Video Conferencing Connectivity |
|
19 |
Customer inspection and walkthrough of all systems |
|
20 |
Customer Independent Testing |
|
21 |
System handover documentation – LAN Implementation Complete |
3. AD Implementation Task List
|
Task |
Instructions |
|
1 |
Install and Configuring AD Domain Services – New Child Domain |
|
2 |
Configure DHCP and DNS Services |
|
3 |
Setup AD Forest Domain OUs |
|
4 |
Setup AD Groups |
|
5 |
Implement AD Group Policy GPOs |
4. Security Implementation Task List
|
Task Order |
Task |
|
1 |
Connect External Firewall Device to Edge Router (to WAN) and External IPS Device |
|
2 |
Connect External IPS Device to DMZ Switch |
|
3 |
Connect Internal Firewall Device to DMZ Switch and Internal IPS Device |
|
4 |
Connect Internal IPS Device to Core Routing Device |
|
5 |
Connect Email Security Appliance to DMZ Switch |
|
6 |
Connect Web Security Appliance to DMZ Switch and Internal Firewall |
|
7 |
Connect Adaptive Security Appliance to Core Routing Device |
|
8 |
Connect Central Security Management Device to DMZ Switch, Web Security Appliance, Email Security Appliance, and Email Security Appliance |
|
9 |
Power on all appliances and apply configuration to establish network connectivity and updated security definitions (appliances run in background, access to logs through the central management appliance) |
|
10 |
Enable built-in Firewall on all nodes on the Internal network |
|
11 |
Install and Apply Anti-Virus software on all nodes on the Internal network |
5. Router Configuration
|
Router Configuration Template |
First Router Configuration |
|
Router> enable |
Router> enable |
|
Router# configure terminal |
Router# config t |
|
Router(config)# hostname <devicename> |
Router(config)# hostname wwtcR1 |
|
devicename(config)# ip domainname us.wwtc.com |
wwtcr1(config)# ip domainname us.wwtc.com |
|
devicename(config)# enable secret <password> |
wwtcr1 (config)# enable secret Pa$$w0rd1 |
|
devicename(config)# username <username> secret <password> |
wwtcr1 (config)# username admin secret Pa$$w0rd1 |
|
devicename(config)# crypto key generate rsa |
wwtcr1 (config)# crypto key generate rsa |
|
devicename(config)# line con 0 |
wwtcr1(config)# line con 0 |
|
devicename(configline)# login local |
wwtcr1(configline)# login local |
|
devicename(configline)# exit |
wwtcr1(configline)# exit |
|
devicename(config)# line vty 0 4 |
wwtcr1(config)# line vty 0 4 |
|
devicename(configline)# login local |
wwtcr1(configline)# login local |
|
devicename(configline)# transport input ssh |
wwtcr1(configline)# transport input ssh |
|
devicename(configline)# exit |
wwtcr1(configline)# exit |
|
devicename(configline)# login |
wwtcr1(configline)# login |
|
devicename(configline)# exit |
wwtcr1(configline)# exit |
|
devicename(config)# copy run start |
wwtcr1(config)# copy run start |
6. Tools Required
|
Item Number |
Item |
|
1 |
Laptop with Putty or Terminal Emulator Installed |
|
2 |
Cisco Console Cable |
|
3 |
Spare Ethernet Cable |
|
4 |
Phillips Screwdriver |
7. Switch Configuration Template
Switch> Enable
Switch# config t
Switch(config)#hostname <enter switch name>
<switch name>(config)#enable secret <password>
<switch name>(config)#service password-encryption
<switch name>(config)#banner login % No Unauthorized Access Permitted!!! %
<switch name>(config)#no logging console
<switch name>(config)#no ip domain-lookup
<switch name>(config)#line console 0
<switch name>(config-line)#password <password>
<switch name>(config-line)#login
<switch name>(config-line)#exit
<switch name>(config)#line vty 0 4
<switch name>(config-line)#login local
<switch name>(config-line)#transport input telnet ssh
<switch name>(config-line)#username admin password <password>
<switch name>(config-line)#ip domain-name wwtc.com
<switch name>(config-line)#crypto key generate rsa
<switch name>(config-line)#exit
<switch name>(config)#copy run start
8. Trunking Template
<switch name>enable
<switch name>#config t
<switch name>(config)#interface range gigabitethernet 0/46 – 48
<switch name>(config-if-range)#switchport mode trunk
<switch name>(config-if-range)#end
<switch name>(config)#exit
<switch name>#copy run start
9. Port Security Template
<switch name>enable
<switch name>#config t
<switch name>(config)#interface range gigabitethernet 0/1 – 45
<switch name>(config-if-range)#switchport mode access
<switch name>(config-if-range)#switchport port-security
<switch name>(config-if-range)#switchport port-security maximum 1
<switch name>(config-if-range)#switchport port-security violation shutdown
<switch name>(config-if-range)#switchport port-security mac-address sticky
10. VLAN Configuration Template
<switch name>enable
<switch name>#config t
<switch name>(config)#vlan 3
<switch name>(config-vlan)#name Management
<switch name>(config-vlan)#exit
<switch name>(config)#vlan 5
<switch name>(config-vlan)#name Staff
<switch name>(config-vlan)#exit
<switch name>(config)#vlan 7
<switch name>(config-vlan)#name Broker
<switch name>(config-vlan)#exit
<switch name>(config)#vlan 9
<switch name>(config-vlan)#name BlackHole
<switch name>(config-vlan)#exit
<switch name>(config)#vlan 20
<switch name>(config-vlan)#name WirelessAppleTalk
<switch name>(config-vlan)#exit
<switch name>(config)#vlan 30
<switch name>(config-vlan)#name WirelessGuest
<switch name>(config-vlan)#exit
<switch name>(config)#vlan 40
<switch name>(config-vlan)#name WirelessNetwork
<switch name>(config-vlan)#exit
<switch name>(config)#vlan 10
<switch name>(config-vlan)#name Voice
<switch name>(config-vlan)#exit
<switch name>(config)#exit
<switch name>#copy run start
11. Security Technology Configuration Task List
|
Task Number |
Task |
|
1 |
Temporarily change your IP Address (see below, steps 2 – 8) |
|
2 |
Connect laptop to Management port using Ethernet cable |
|
3 |
Open Control Panel (on laptop, as for below steps) |
|
4 |
Open Network and Sharing Center |
|
5 |
Open Local Area Connections Properties |
|
6 |
Open Internet Protocol (TCP/IP) Properties |
|
7 |
Enter the following information manually: IP Address: 192.168.42.43 Subnet Mask: 255.255.255.0 Default Gateway: 192.168.42.1 |
|
8 |
Accept all changes and close |
|
Task Number |
Task |
|
9 |
Access appliance via the Ethernet port (direct connection to laptop) by entering http://192.168.42.42:8080 (or other default access URL as defined with specific Cisco device) |
|
10 |
Enter default credentials to login (either “admin” and “ironport” or “admin” and “password” |
|
11 |
Run System Setup Wizard |
|
12 |
Accept End User License Agreement |
|
13 |
Install Configuration |
|
14 |
Check for Available Upgrades |
|
15 |
Configure Network Settings (security appliances must be able to listen to specific ports, as defined below) |
12. DHCP Configuration Template
router (config) # int ethernet0/0
router (config-if) # ip address 172.80.0.9
router (config-if) # no shut
router (config) # ip dhcp pool wwtcpool
router (dhcp-config) # network 172.80.0.0 /16
router (dhcp_config) # domain-name wwtc.com
router (dhcp_config) # dns-server 172.80.0.10
router (dhcp_config) # default-router 172.80.0.1
router (dhcp-config)# lease 7
router (dhcp-config) # exit
13. DNS Configuration Template
switch# config t
switch (config) # vrf context management
switch (config) # ip domain-name wwtc.com
switch (config) # ip name-server 172.80.0.10
switch (config) # ip domain-lookup
14. DNS Configuration Steps
After navigating to the Server Manager Dashboard, select “Add roles and features” to begin the wizard which walks you through the process, selecting “Role-based or feature based installation.”
Select the server you wish to apply the DNS Server role on, and then check DNS Server and click next to proceed through the wizard. After this step, select “Add Features” and click next.
Confirm the DNS server role by clicking next through the following screens and then click “Install.” This process should take less than 5 minutes.
15. Active Directory Configuration Steps
The following steps will be used to setup two servers, dc01.us.wwtc with AD Domain Service on two servers via server manager:
1. On Installation Type page, select the first option “Role-based or Feature-based Installation“.
1. On the “Server Selection” Page, select a server from the server pool and click next.
1. To install AD DS, select Active Directory Domain Services, other AD DS related tools will be added. Click on Add Features.
1. After clicking “Add Features” above, you will be able to click “Next”.
1. On the “Select Features” Page, Group Policy Management feature automatically installed during the promotion. Click “next”.
1. On the “Active Directory Domain Services” page, click “Next”.
1. On the “Confirmation” page, confirm configuration to continue. It will provide you an option to export the configuration settings and also if you want the server to be restarted automatically as required.
1. After clicking “Install” the selected role binaries will be installed on the server.
1. After “Active Directory Domain Services” role binaries have been installed, promote the server to a Domain Controller.
Now that AD DS has been installed, both servers will be promoted to domain controllers using the following steps via server manager (Microsoft, 2012):
1. Create a new child domain named “us” with parent name “wwtc.com”, select add a new domain to an existing forest. Click “Next”
Figure 1.
1. Set domain functional level to “Windows Server 2012 R2”. For the domain controller capabilities and site name select DNS, Global Catalog (GC), and Default-First-Site-Name. Set DSRM administrator password (Pa$$w0rd1), click “next”.
Figure 2.
1. Keep default DNS delegation settings, click “next”.
Figure 3.
1. Set the NetBIOS name “USdcxx”, click “next”.
Figure 4.
1. Specify the location of the AD related folders (use default locations) and then click “Next”.
Figure 5.
1. Summary of All Installation Options/Selections. Click “View Script”.
Figure 6.
1. Save PowerShell script for dcpromo, close Notepad and click “Next”.
Figure 7.
1. Review prerequisites check. If all prerequisite checks are passed successfully then click “Install”.
Figure 8.
After the promotion of the server to a DC, server will restart automatically (Microsoft, 2016).
16. Active Directory GPO Implementation Steps
During the installation of Active Directory Domain Service, the Group Policy Management feature was installed. The following steps are used to create a new GPO (Microsoft, 2003):
1. Open server manager and click on Tools
1. Select Group Policy Management
Figure A
1. Expand the Group Policy Management console tree until you see Group Policy Objects in the container domain for which you want to create a new GPO.
1. Right-click Group Policy Objects.
1. Click New.
1. In the New GPO dialog box, specify a name for the new GPO, and then click OK.
Figure B
To edit the WWTC GPO, right-click WWTC Company Policy and select Edit
Figure C
Figure D
Appendix E: Miscellaneous
1. Project Timeline
|
Date Completed |
Event |
|
25JAN2016 |
Business and Design Requirements submitted to WWTC |
|
30JAN2016 |
Business and Design Requirement modifications received |
|
1FEB2016 |
LAN Design submitted to WWTC |
|
7FEB2016 |
LAN Design Modifications received |
|
15FEB2016 |
Security Design and Policies submitted to WWTC |
|
18FEB2016 |
Security Design and Policies modifications received |
|
22FEB2016 |
Active Directory Design submitted to WWTC |
|
28FEB2016 |
Active Directory Design modifications received |
|
29FEB2016 |
Project Implementation Plan to be submitted |
|
3MAR2016 |
Project Implementation Plan modifications expected |
|
5MAR2016 |
Final Project Presentation for WWTC |
|
5MAR2016 |
Final Project Design to be submitted to WWTC |
|
TBD |
Final Project approval |
|
TBD |
Project Equipment Order placed with vendors |
|
TBD |
Project Equipment Order Received from vendors |
|
Week 1 |
LAN Deployment |
|
Week 2 |
Security Deployment |
|
Week 3 |
Active Directory Deployment |
|
Week 4 |
Infrastructure Testing, Penetration Testing and Security Audit |
|
TBD |
Handover of network to WWTC |
Lobby Conference Room #2 Conference Room #1 Server Room Wireless LAN Controller Access Layer Switch Layer 3 Switch Backend Server Access Points WWTCwlan01 WWTCwlan02 Access Points WWTCwlan.access01 WWTCnyc001 -006 WWTCnyc007 -010 WWTCnyc011 -014 WWTCwlan.access02
DeviceCisco Model#QuantityComments
Cisco Unified
Communications
Manager
UCM-7825-712Software
Cisco Unified IP
Phone
7942G112VoIP Telephone Sets/10 Spare
Cisco Unified IP
Phone
7962G4VoIP Telephone Sets/ 1 Spare(Reception)
Cisco Unified IP
Phone Expansion
Module
79153Expansion Module for 7962G (Reception)
Cisco Unity
Connection
UNITYV4-
300USR
1Voicemail Software
Linksys Edge 75
Video Conference
CTS-EDGE75-K92IP Video Conferencing Hardware
HP ProLiant 768638-0014Server Equipment
Sheet1
| Device | Cisco Model# | Quantity | Comments |
| Cisco Unified Communications Manager | UCM-7825-71 | 2 | Software |
| Cisco Unified IP Phone | 7942G | 112 | VoIP Telephone Sets/10 Spare |
| Cisco Unified IP Phone | 7962G | 4 | VoIP Telephone Sets/ 1 Spare(Reception) |
| Cisco Unified IP Phone Expansion Module | 7915 | 3 | Expansion Module for 7962G (Reception) |
| HP ProLiant DL320 G8 Intel Pentium G3240 3.10GHz | 768638-001 | 4 | Server Equipment |
| Cisco Unity Connection | UNITYV4-300USR | 1 | Voicemail Software |
| Linksys Edge 75 Video Conference | CTS-EDGE75-K9 | 2 | IP Video Conferencing Hardware |
Sheet2
Sheet3
Cisco 6500 Series
CORE
CUCM
Cluster
Unity Voicemail
ISP 1
ISP 2
PSTN
Teleconferencing
Teleconferencing
High Level VoIP Network Design
Cisco 6500 Series CORE
CUCM Cluster
Unity Voicemail
ISP 1
ISP 2
PSTN
Teleconferencing
Teleconferencing
High Level VoIP Network Design
Wireless LAN ControllerAccess Layer SwitchLayer 3 SwitchBackend ServerAccess PointsWWTCwlan01WWTCwlan02Access PointsWWTCwlan.access01WWTCnyc001 -006WWTCnyc007 -010WWTCnyc011 -014WWTCwlan.access02