In this project we will design a network solution that is suitable for a small business. Our business is located in an office park in one floor of a new office building. Our office has all of the modern features of a contemporary workplace, including adequate, clean power, air conditioning and good lighting. We are fortunate in that our office was built with a secure computer room that already has a direct connection to a local Internet Service Provider’s regional network, and we will use this connection for our access to the Internet.
Our office will include cube space and office space for 18 workstations. Four of the workstations will be located in private offices for the company executives, and the remaining 14 workstations will be deployed into cubicles for the employees. The cubicles are located in a spacious, open cubicle area. Our computer room is directly adjacent to our cubicle area, and it has power and cooling that is adequate for server needs. Our computer room has been built with appropriate physical security, so we have controlled access to our servers. All workstations and servers in all offices, cubicles and other areas are easily within 30 meters of each other, so no cable run will exceed 30 meters.
For basic security reasons, we have been tasked with producing a network design that places any servers that must be accessible from the Internet in an area that is logically separate from a private internal area where our internal servers and workstations will reside. Regardless of where they may reside, our servers and workstations must be protected from attack! We are required to describe how we will logically separate the area of our network that is accessible from the Internet from the internal area, how we will secure our network, and how we will secure the servers and workstations in our network. We are admonished to pay particular attention to the security of the servers that must be accessible from the Internet. So, our design will include at a minimum two logically different areas in our network: one area will be accessible from the Internet, and a second internal area will hold our workstations and internal servers and will not be directly accessible from the Internet.
In our internal area we have several requirements. In our internal area we are expected to provide wireless service to our employees. We have been cautioned to make sure that our wireless access point is secure and to prevent any unauthorized personnel from connecting to our internal network through our wireless access point. Additionally, our Management is particularly concerned that employees not abuse their access to websites while they are at work. So, we are going to control employee access to websites. All attempts that originate from within our internal area to visit any website will be required to use a proxy server.
We will have a few servers in our internal area. All workstations in our internal area shall be DHCP clients, so we must have a DHCP server to manage their IP address requests. Other servers in our internal area will include a Database server and a Proxy server. We will also have two network printers in our internal area. In our internal area the IP address of the wireless access point, the IP addresses of all servers, and the IP addresses of both network printers shall be static addresses. Only the workstations in our internal area shall have DHCP-delivered IP addresses.
In our Internet accessible area we shall deploy a Web server and a Mail server. These servers must be publicly accessible as they will host our company website and our company email. We will also have a Bastion host in our Internet accessible area. The Bastion host will exist to provide inbound Secure Shell access to our network so that our Administrators can maintain our network and nodes from other locations when they are not physically present in the office. As such, the Bastion host shall provide a Secure Shell server that is accessible from the Internet.
All servers in all areas must be hardened.
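As an added example that is not part of the assignment text, the following Python model encodes the two-zone design described above as a default-deny allow-list, so each stated requirement (Internet reaches only the web, mail and bastion servers; workstations browse only through the proxy; the internal area is never directly reachable) can be checked flow by flow before any equipment is configured. The zone labels, hostnames (web, mail, bastion, proxy, db, ws07), the proxy port 3128 and the outbound SMTP rule for the mail server are assumptions, not requirements from the brief.

```python
from dataclasses import dataclass
from typing import Optional

# The three zones named in the brief. Hostnames below are constructed labels.
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]          # None = any host in dst_zone
    dport: Optional[int]             # None = any destination port
    src_host: Optional[str] = None   # None = any host in src_zone


# Allow-list derived from the brief; anything not matched is denied (default deny).
POLICY = [
    Rule(INTERNET, DMZ, "web", 80),                        # public website
    Rule(INTERNET, DMZ, "web", 443),
    Rule(INTERNET, DMZ, "mail", 25),                       # inbound company email
    Rule(DMZ, INTERNET, None, 25, src_host="mail"),        # assumed: mail server delivers outbound
    Rule(INTERNET, DMZ, "bastion", 22),                    # remote admins SSH to the bastion only
    Rule(DMZ, INTERNAL, None, 22, src_host="bastion"),     # admins hop from the bastion inward
    Rule(INTERNAL, INTERNAL, "proxy", 3128),               # all web browsing goes to the proxy (assumed port)
    Rule(INTERNAL, INTERNET, None, 80, src_host="proxy"),  # only the proxy reaches the Internet
    Rule(INTERNAL, INTERNET, None, 443, src_host="proxy"),
]
# Note the absences: no Internet -> internal rule at all, and no workstation -> Internet rule.


def is_allowed(src_zone, src_host, dst_zone, dst_host, dport):
    """First-match allow-list lookup; a flow matching no rule is denied."""
    for r in POLICY:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.src_host in (None, src_host)
                and r.dst_host in (None, dst_host)
                and r.dport in (None, dport)):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample flows exercising the requirements in the brief.
    samples = [
        (INTERNET, "remote", DMZ, "bastion", 22),          # allowed
        (INTERNET, "remote", INTERNAL, "db", 5432),        # denied: internal not reachable
        (INTERNAL, "ws07", INTERNET, "example.org", 80),   # denied: must use the proxy
        (DMZ, "web", INTERNAL, "db", 22),                  # denied: only the bastion may hop inward
    ]
    for flow in samples:
        print(f"{flow}: {'allow' if is_allowed(*flow) else 'deny'}")
```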
Internal Area
- Wireless Access Point – Not directly connected to the Internet
- DHCP Server
- Database Server
- Proxy Server
- 2 Network Printers
- 18 Workstations
Internet Accessible Area
- Web Server
- Mail Server
- Secure Shell Server – Bastion Host
- Router(s) – As needed for our design
- Switch(es) – As needed for our design
- Firewall(s) – As needed for our design
- Network Intrusion Detection System / Network Intrusion Prevention System – As needed for our design
Our solution must be delivered in a document that will include:
- Management Summary – Our document will begin with a summary description of our design. The summary shall be suitable for consumption by Management.
- Inventory – Our document shall include an inventory of all nodes, including servers, workstations, printers, router(s), switch(es) and other components. Our inventory shall describe the logical deployment of all nodes and components, their purpose and function in our network, and any special features or requirements that each node or component may have.
- Network Diagram – The network diagram must use industry standard symbols that describe the logical deployment of our nodes and components. The network diagram shall complement our inventory.
- Security – The security discussion will describe the security considerations that we will take to protect all nodes and components that are deployed on our network. Our security discussion must address all nodes and components individually. For example, the security requirements for a Mail server will be different from the security requirements of a Workstation.
The final document shall be delivered in standard .doc or .docx format. The network diagram shall be embedded in the document. The network diagram can be produced using Microsoft Office tools, Microsoft Visio, or freely available tools like LibreOffice (https://www.libreoffice.org/).