Authentic Assessment Project
Background Information for World-Wide Trading Company
World-Wide Trading Company (WWTC) is a large online broker firm in the Hong Kong. The trading company has a staff of 9,000 who are scattered around the globe. Due to aggressive growth in business, they want to establish a regional office in New York City. They leased the entire floor of a building on Wall Street. You were selected as a contractor (your group) to build a state of the art high availability, secure network. The President of the company asked you to set up the state of the art network by end of this year. He shared with you the organizational structure and a list of the 100 employees. The current floor of the new site is solid and gigabit network can be set up on existing network wiring. Also, the existing power supply will meet the client's current and future demand. The President has required these business goals:
Business and Technical Goals
- Increaserevenue from 10 billion to 40 billion in three to four years
- Reduce the operating cost from 30 to 15 percent in two to three years by using an automated system for buying and selling.
- Provide secure means of customer purchase and payment over Internet.
- Build a high availability, moderate confidentiality and moderate integrity unclassified network (based on The National Institute of Standards and Technology- NIST)
- Build a classified network with high confidentiality, moderate integrity, and moderate availability (based on NIST)
- Allow employee to attach their notebook computers to the WWTC network and wireless Internet services.
- Provide state of the art VoIP and Data Network
- Provide Active Directory, DNS, and DCHP services
- Provide faster Network services
- Provide fast and secure wireless services in the lobby, conference rooms (100x60), and the cubical areas.
On the basis of these business goals, your group is responsible for designing, configuring, and implementing fast, reliable and secure networks (classified and unclassified).
WWTC LAN/WLAN/VoIP
- Propose a secure network design that solves the network and security challenges, to meet business needs, and the other technical goals. You are also required to provide a modular and scalable network. Provide redundancy at building core layer, building distribution layer, and access layer to avoid single point of failure. For Building Access layer provide redundant uplinks connection.
- Select appropriate Cisco switch model for each part of your enterprise campus model design from the Cisco Products Link, and use the following assumptions in your selection process:
1. Selecting the Access layers' switches:
a. Provide one port to each device
b. Make provision for 100% growth
2. Server farm switches
a. Assume 6 NIC cards in each server and one NIC card uses one port of switch
b. Dual processors and dual power supply
- Propose an IP addressing redesign that optimizes IP addressing and IP routing (including the use of route summarization). Provide migration provision to IPv6 protocol in future.
- Propose a High Level security plans to secure key applications and servers but encryption of all application is not acceptable. Develop security policy to stop sniffing and man-in-the-middle attack. Your security plan must be based on current industry standards. Multilayer security or defense-in-depth.
- Integrate voice and data network to reduce cost. For dialing outside, the World-Wide Trading Company proposes a plan for 100% connectivity with a minimum number of outside lines. For telephone requirements, see the Organization Chart and Telephone Equipment Table.
- Provide state of the art VoIP and Data Network.
- Provide aggregate routing protocols with hierarchal IP scheme.
- Centralize all services and servers to make the network easier to manage and more cost-effective.
- Provide LAN speed minimum 100 MB and Internet speed minimum 54 MB.
- Provide wireless network access to network users and guest users with a minimum 54 Mbps of bandwidth. (You can assume that site survey is done and no sources of interference or RF were discovered.)
- Provide provisions for video conference and multicast services.
- Standardize on TCP/IP protocols for the network. Macintoshes will be accessible only on guest notebook but must use TCP/IP protocols or the Apple Talk Filling Protocol (AFP) running on top of TCP.
- Provide extra capacity at switches so authorized users can attach their notebook PCs to the network
- Configure DHCP on notebook PCs
- The World-Wide Trading Company will use the following applications/services:
- Microsoft Office 365 plan (Office 2016, Exchange, Active Directory, SharePoint, One Drive, and Skype for Business)
- Sending and receiving e-mail
- Accessing the library card-catalog
- File Server application.
- Adobe Pro
- Secure Zip
- Associate will use the following Custom Applications
- Market Tracking Application. This application will provide real-time status of stock and bond market to brokers and their clients.
- Stock and Bond Analytical Application. This application will provide analysis of stock and Bond to Brokers only.
- On Line Trading. The Company wishes to train new clients in online trading to attract new customer. The Company will sign up new client to receive streaming video and instructions
Assume any information (with proper justification) which you think is missing and critical to the development of the design.
WWTC Security
WWTC has strong security requirements to ensure strong authentication, data confidentiality and separations between internal protected server and public server.
Classified Network
In addition to the required unclassified network, WWTC is requiring a classified network:
1. The classified network must be physically separated from the unclassified network.
2. Only VPs and Department heads are allowed to access the classified network
3. Control should be put in place to prevent local users from accessing the classified network or removing data in any way. This includes removing media, AV recorders, pen and paper, and any form of printer.
4. All data transmitted on the classified network must be cryptographically protected throughout the network (Crypto devices are highly recommended).
5. All classified data must be centrally stored and secured in a physically separate area from the unclassified network.
6. The classified network is used for classified email only. WWTC needs to be able to send classified email from the NYC office to their HQ office.
7. No redundancy, AD, Wireless, or VoIP required for the classified network - just a simple network for classified email only.
Unclassified Network:
The security design must ensure:
• Confidentiality, Integrity, and Availability of the data
• Physical, Logical, and Administrative security controls
• Secure e-mail used to communicate business sensitive information.
• Confidential business information and public data are not connected to the same physical network.
• the use of two-factor authentication mechanism is enabled.
• Sensitive business information must not be transmitted in clear text between server and client.
Secure WAN Connectivity
In addition to the cryptographic protections of the data within the classified network, all data crossing wide-area links should undergo another layer of cryptographic protection such as IPSec/VPN/SSL.
Public Servers
All public servers must be configured HTTPS connections and accept all requests that are on valid IP addresses and pass through firewall. Server must ask some identity of the connecting party.
Site-to-site VPN tunnels
All devices must be mutually authenticated and cryptographic protection should be provided.
User Education
All users should undergo periodic user awareness security training program on network threats and good security practices.
Other Security Deliverables:
1. Determine the most important assets of the company, which must be protected
2. Determine general security architecture for the company
3. Develop a list of 12specific security policies that could be applied.
4. Write specific details along with the rationale for each policy
5. Integrate and write up the final version of the Security Policy Document for submittal
6. Develop a High availability secure design for this locations addressing above considerations and mitigating 4 primary networks attacks categories mentioned below.
Protect the Network from Four Primary Attack Categories:
1. Reconnaissance attacks: An intruder attempts to discover and map systems, services, and vulnerabilities.
2. Access attacks: An intruder attacks networks and systems to retrieve data, or gain access, or escalate access privileges
3. Denial of Service attacks: An intruder attacks your network in a way that damages or corrupts your computer system or denies you and others access to your networks, system, or services.
4. Worms, viruses, and Trojan horses: Malicious software is inserted onto a host in order to damage a system, corrupt a system, replicate itself, or deny services or access to networks, system or services.
Sample Security Policies:
1. Policies defining acceptable use
2. Policies governing connections to remote network
3. Polices outlining the sensitivity level of the various types of information held within an organization
4. Policies protecting the privacy of the network's user and any customer data
5. Policies defining security baselines to be met by devices before connecting them to the network.
6. Policies for incident response handling
WWTC Active Directory Design
WWTC office at New York is largely autonomous and few IT personnel to take care of day-to-day IT support activities such as password resets troubleshoot virus problems. You are concerned about sensitive data store in this location. You want to deploy a highly developed OU structure to implement security policies uniformly through GPO automatically at all domains, OU, and workstations.
At this location Windows Server 2012 R2is required providing the following 10 AD features:
1. Use BitLocker encryption technology for devices (server and Work station) disc space and volume.
2. Enables a BitLocker system on a wired network to automatically unlock the system volume during boot (on capable Windows Server 2012 R2 networks), reducing internal help desk call volumes for lost PINs.
3. Create group policies settings to enforce that either Used Disk Space Only or Full Encryption is used when BitLocker is enabled on a drive.
4. Enable BranchCache in Windows Server 2012for substantial performance, manageability, scalability, and availability improvements
5. Implement Cache Encryption to store encrypted data by default. This allows you to ensure data security without using drive encryption technologies.
6. Implement Failover cluster services
7. Implement File classification infrastructure feature to provide automatic classification process.
8. IP Address Management (IPAM) is an entirely new feature in Windows Server 2012 that provides highly customizable administrative and monitoring capabilities for the IP address infrastructure on a corporate network.
9. Smart cards and their associated personal identification numbers (PINs) are an increasingly popular, reliable, and cost-effective form of two-factor authentication. With the right controls in place, a user must have the smart card and know the PIN to gain access to network resources.
10. Implement Windows Deployment Services to enables you to remotely deploy Windows operating systems. You can use it to set up new computers by using a network-based installation.
Other AD Deliverables:
• Create Active directory infrastructure to include recommended features
• Create OU level for users and devices in their respective OU
• Create Global, Universal, Local group. Each global group will contain all users in the corresponding department. Membership in the universal group is restrictive and membership can be assigned on the basis of least privileged principle. (For design purpose, you can assume that WTC as a Single Forest with multiple domains).
• Create appropriate GPO and GPO policies and determine where they will be applied.
Reference:
WWTC Organization Chart
VP of Operation (CIO, CFO, CHRO)
Regional VPs: VP NW USA, VP SW USA, VP NE USA, VP SE USA, VP M USA.
Attachment:- Attachments.rar