Kudler Fine Foods has established that it wants to design a WAN to tie three different locations together and make the internal network in each store a Wireless Local Area Network (WLAN). It is also requesting Voice over Internet Protocol (VoIP) across the multi-store network. Various protocols make all this happen. Transmission Control Protocol (TCP) and Internet Protocol (IP) are the foundation of data transfer. TCP is the protocol that the internet, email and FTP rely on heavily; without TCP/IP there would be no internet, email or FTP. Two other protocols designed to process packets throughout the network are X.25 and Frame Relay. For this scenario Frame Relay will be used, so I will not provide a description of X.25. Frame Relay was based on the X.25 protocol, but it does not perform error checking itself; that is the end stations' responsibility.
Frame Relay reduces the amount of overhead associated with data transmission, which allows for a faster packet-switching method. As recommended, this network will use a T1 line to reach the required bandwidth from node to node. This gives the customer the option to burst traffic on the line. However, if network traffic becomes heavily congested it will be controlled so that everyone is satisfied. Frame Relay uses a fast packet-switching technology that makes this overhead reduction possible.
Flow control and error correction determine the efficiency of the fast packet switch. What happens is that Frame Relay inside the network will detect the error and simply drop the frame. The OSI model divides network communication into seven layers, and each layer describes its own protocols and functions. Using Frame Relay you can exclude any layer 3 protocol, because the operation is performed at the second OSI layer (data link). When the company adapts, a fully connected topology will be used. For now, the setup will resemble a ring topology.
Current Systems Analysis
There are three locations inside Kudler Fine Foods: Encinitas, La Jolla, and Del Mar. Each store has a Point of Sale server with four Point of Sale terminals. The La Jolla and Del Mar stores each have their own NT server and a workstation for inventory accountability. Each of these stores connects to the internet using a 56 Kbps dial-up modem. All three locations use the Ethernet bus topology network design, in which each system is connected to a single cable that forms the backbone of the network.
The configuration described offers minimal security and makes expansion much more difficult. It is hindering the company's growth, income, and competitiveness. With an Ethernet bus topology and a 56 Kbps connection it is extremely hard to establish any kind of recovery plan, and finding replacement components for the outdated hardware on this network will be a task in itself. The entire network will need to be redesigned to offer much faster growth, income, and competitiveness for Kudler Fine Foods.
The hardware that should be requested for this task is: a central server, two 802.11n wireless routers, and a bulk contract order of 802.11n USB adapters for the company. The option of 802.11n network cards is available; however, instead of upgrading all the cards I have decided to go with the USB adapters. The data exchange rate for this network will be a theoretical 600 Mbps. The radios would operate on 5.75 and 2.4 GHz. Going with 802.11n does multiple things for the company, as requested. The network can now expand because of the high bandwidth and the option to reach out to 1200 feet. The company also has the option to use other wireless USB adapters that are compatible with the 802.11n router, such as 802.11a, 802.11b, and 802.11g. There will be no drilling into walls, because no cabling needs to run to individual laptops. Finally, Kudler Fine Foods wants to incorporate Voice over Internet Protocol inside its network.
The most reliable protocol is X.25. However, I am going with Frame Relay. Frame Relay does have some drawbacks, such as the lack of packet error checking. This can be a huge deal if there is a lot of traffic on the network, because it will not detect corrupt packets, which means individual packets could be lost in transmission. Frame Relay relies on the end station to send the SYN/ACK back; if a SYN/ACK does not come back, the Frame Relay protocol will just drop the frame. From each individual router a T1 line will be used to help reach the desired bandwidth from server to switch. From this point leased lines will have to be used, which will affect the budget of the project. With the implemented plan, the goal was to keep the desired bandwidth and allow room for growth.
Latency, Jitter, Response Time
I also targeted the area of latency. With all the users connected to the router, and the router transmitting data to the switch and so forth until it reaches its destination, there is going to be an increase in latency. Three variables that will keep this network maintained at the desired processing speed and bandwidth are latency, jitter, and response time. Latency has already been discussed; jitter somewhat resembles latency. Jitter occurs when packets pass through the network nodes with varying latencies. This usually occurs when the bandwidth is maxed out or is low and the network path needs to be manipulated. Response time deals with the individual components and the amount of time it takes them to respond to the given input.
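To make the three variables concrete, here is an added example (not part of the original design document) that computes per-packet latency, the RFC 3550 interarrival-jitter estimate and the latency spread from a constructed VoIP-style packet trace; the 150 ms latency and 30 ms jitter targets in `meets_voip_targets` are assumed guidance values, not figures from the document.

```python
"""Added example, not from the original document: latency, jitter and
VoIP-target checks computed from a constructed packet trace."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    seq: int
    sent_ms: float      # timestamp stamped by the sender
    received_ms: float  # timestamp stamped by the receiver


def latencies(packets: List[Packet]) -> List[float]:
    """One-way transit time of each packet (what the text calls latency)."""
    return [p.received_ms - p.sent_ms for p in packets]


def interarrival_jitter(packets: List[Packet]) -> float:
    """RFC 3550 smoothed jitter estimate: J += (|D| - J) / 16, where D is the
    change in transit time between consecutive packets. Packets that all take
    the same time give 0; varying per-node delays push J up."""
    j = 0.0
    prev_transit = None
    for p in packets:
        transit = p.received_ms - p.sent_ms
        if prev_transit is not None:
            d = abs(transit - prev_transit)
            j += (d - j) / 16
        prev_transit = transit
    return j


def analyze(packets: List[Packet]) -> Dict[str, float]:
    """Summarise a trace: worst latency, latency spread and smoothed jitter."""
    lats = latencies(packets)
    return {
        "max_latency_ms": max(lats),
        "latency_spread_ms": max(lats) - min(lats),
        "jitter_ms": interarrival_jitter(packets),
    }


def meets_voip_targets(stats: Dict[str, float],
                       max_latency_ms: float = 150.0,
                       max_jitter_ms: float = 30.0) -> bool:
    """Assumed targets for usable voice: one-way latency and jitter caps."""
    return (stats["max_latency_ms"] <= max_latency_ms
            and stats["jitter_ms"] <= max_jitter_ms)


# Constructed traces: a stream sent every 20 ms over a steady 30 ms path, and
# the same stream where the third packet is held 16 ms longer at one node.
STEADY = [Packet(i, 20 * i, 20 * i + 30) for i in range(4)]
BURSTY = [Packet(0, 0, 30), Packet(1, 20, 50), Packet(2, 40, 86), Packet(3, 60, 90)]

if __name__ == "__main__":
    print("steady:", analyze(STEADY), meets_voip_targets(analyze(STEADY)))
    print("bursty:", analyze(BURSTY), meets_voip_targets(analyze(BURSTY)))
```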
Security Hardware and Software
The wireless network will run using the WPA2 encryption standard. WPA2 requires hardware support to work properly. WPA2 has the option to use a pre-shared key inside the company together with 802.1X, or a dynamic key; a dynamic key will be used. Each employee's laptop will run Kaspersky Anti-Virus. Kaspersky runs its update program whenever there is an update to be made. These updates usually come in files of around 800 KB, which will not congest the network. Kaspersky comes with a built-in firewall inside the software. To keep the cost down, a contract will be made with Kaspersky so we can legally keep the software on our systems. F-Secure will be the software package available for smartphones inside the company and will be mandatory for connecting to the wireless router.
Kaspersky includes a set of rules inside its software that allows you to set specific parameters for specific software programs. You can create several permit and block rules for each particular piece of software. Kaspersky will monitor specific IP octets, allow them to access specific programs, and allow connections to be made on specific ports. If an attacker tries to connect to port 23, the firewall will not allow it because the Telnet session will be disabled. This will also leave a footprint behind, allowing the network administrator to track the attacker's IP address, which will be saved in a log.
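As an added illustration of the per-program, per-port rule set described above (example code written here, not Kaspersky's product or the original document), the following first-match policy blocks Telnet from everywhere, permits one inventory program to reach port 443 from the store subnet, denies everything else by default, and records the source address of each blocked attempt for the administrator's log; the subnet, program names and log line format are constructed for the example.

```python
"""Added example, not from the original document: a first-match firewall rule
set with default deny, run over constructed connection attempts."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "block"
    source: IPv4Network            # source addresses the rule covers
    port: Optional[int] = None     # None matches any destination port
    program: Optional[str] = None  # None matches any program


# Constructed policy: Telnet (port 23) is blocked from everywhere, the
# inventory program may reach 443 from the store subnet, DNS is allowed from
# the store subnet, and anything unmatched falls through to default deny.
RULES = [
    Rule("block", IPv4Network("0.0.0.0/0"), port=23),
    Rule("allow", IPv4Network("192.168.10.0/24"), port=443, program="inventory.exe"),
    Rule("allow", IPv4Network("192.168.10.0/24"), port=53),
]


def evaluate(src: str, port: int, program: str, rules: List[Rule] = RULES) -> str:
    """Return the action of the first matching rule, or "block" if none match."""
    addr = IPv4Address(src)
    for r in rules:
        if addr not in r.source:
            continue
        if r.port is not None and r.port != port:
            continue
        if r.program is not None and r.program != program:
            continue
        return r.action
    return "block"  # default deny


def parse_attempt(line: str) -> Tuple[str, str, int, str]:
    """Parse a constructed 'ts src=... dport=... program=...' record."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["src"], int(kv["dport"]), kv["program"]


def audit(log_lines: List[str], rules: List[Rule] = RULES) -> List[Tuple[str, str, int]]:
    """Apply the policy to each attempt; return (ts, src, port) of blocked ones."""
    blocked = []
    for line in log_lines:
        ts, src, port, program = parse_attempt(line)
        if evaluate(src, port, program, rules) == "block":
            blocked.append((ts, src, port))
    return blocked


# Constructed sample attempts (addresses and programs are illustrative).
SAMPLE_ATTEMPTS = [
    "2023-05-01T09:00:01 src=192.168.10.15 dport=443 program=inventory.exe",
    "2023-05-01T09:00:05 src=192.168.10.15 dport=23 program=telnet.exe",
    "2023-05-01T09:00:09 src=203.0.113.7 dport=23 program=unknown",
    "2023-05-01T09:00:12 src=192.168.10.20 dport=443 program=browser.exe",
    "2023-05-01T09:00:15 src=192.168.10.20 dport=53 program=resolver.exe",
]

if __name__ == "__main__":
    for event in audit(SAMPLE_ATTEMPTS):
        print("blocked:", event)
```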
The network systems inside KFF are far from secure if an outside intrusion were to occur. A simple DoS attack could leave a dial-up modem crippled and could take hours, if not days, to fix. There are no hardware or software antivirus or malware protections inside the company. There is only a single 56 Kbps internet connection, which limits the ways attacks could come into the business. However, this is not the only way malware, viruses, or Trojans could come in: employees using removable media at any workstation could cause damage to the business. There are no firewalls used inside KFF, which leaves the network completely vulnerable to intrusion.
Using multiple routers would create a higher level of security inside the network. With the current setup of the network any employee is allowed to bring in media and Ethernet-capable devices and connect them to the network. Kudler Fine Foods has not designed any kind of security policy. Supervisors need a reference point from which they can point their employees in the proper direction when it comes to network systems and the physical security of the building. There are no rules in place about internet usage or the handling of components inside the network, which definitely needs to be addressed. Offered below is a solution to the vulnerabilities described in this paragraph to bring Kudler Fine Foods up to date in the IT world and in security.
Existing Security Inside the Company
The area of emphasis for me would be social engineering. I would hold monthly meetings with supervisors so they could talk with their employees about social engineering. I would give a descriptive definition of what social engineering is and what the outcome would be if such an attack proved successful. There will be no discussion of static IP octets or the private subnet mask outside of the company, and for job safety I would stay late once a week to switch the last octet of the IP addresses every week.
There will be no discussion of the WPA2 dynamic keys either. These meetings would also include a brief discussion of e-mail security and what employees need to know about hypertext and the vulnerabilities that lie inside an email. After the meeting with supervisors I would go around checking with employees about social engineering tactics and techniques. This would give me the advantage of getting to know everyone inside the company and establishing a business relationship with them. The outcome will be positive, because you get to pick your good apples from your bad apples and then monitor activity from the bad apples frequently.
Electronic and Physical Threats
There are many types of electronic attacks that can be made on the network. This is called penetrating a network, using a wide array of tools. Starting at the more technical types of attack, there are buffer overflows that allow an attacker to execute specific code inside the buffer. This would immediately give the attacker root access to the network. After root has been obtained, the hacker would create various users on the system with administrative rights that appear to blend into the company but actually do not. Monitoring authorized users in a network is a must. However, this does not stop a hacker who has root. He can now install keyloggers and sniff passwords from specific users. Obtaining the password to an engineer's account could be devastating to the company. This is one reason why electronic security is so important to a company.
There are many other types of electronic attacks, which include viruses, worms, Trojans, spyware, and Denial of Service (DoS). Denial of Service can also be a major problem while working inside a WLAN: by targeting the bandwidth, the data transfer rate could be reduced, which could affect sales. Maintaining a clean network and clean computer systems will help the functionality of the business. Physical threats to the network would be natural disasters such as fire, wind, hurricanes, tornados, and thunderstorms. It is absolutely crucial to back up data every day on the server because of natural disasters or even electronic threats. If a tornado took out the building and all the hardware, you would be in a huge loss situation, but at least you would have the data backup. Thunderstorms could have the same effect, but not nearly as drastic. In a worst-case scenario you would have to replace hardware in each individual system.
Explicit Enterprise Security Policies & Procedures
Specific policies need to be implemented inside Kudler Fine Foods. At orientation, after hiring, I would like to sit down with every employee and go over specific security policies and procedures. The internet can be a fun thing, and I do not want to keep employees from that. However, setting boundaries on specific sites is needed, and I will go over a list of sites that could bring vulnerabilities to the network. Also, no external devices will be allowed on the network or connected to a workstation.
A brief overview and description of the vulnerabilities posed by Trojans, worms, and viruses will be given. Any information on the network about the company is confidential, and no information is allowed to leave the building. This policy will also state that bandwidth usage is monitored. If an employee is aware of any kind of breach or betrayal inside the network, they are to report it immediately. Each laptop is to be shut down every night to extend its life and to allow for scheduled maintenance on the network. Smartphones will be allowed on the network; however, the F-Secure package will be installed on each device. These phones are for use by supervisors only.
Security Concerns – Wired/Wireless/Mobile
Security is the top priority for the network and for the growth of the business. My biggest concern would be mobile devices on the network. Smartphones are effectively small computers and face many of the same threats that personal computers or laptops pose as risks to the business. Lowering productivity for the company cannot be allowed. Starting very basic, if a phone gets lost or stolen, I want to be sure that confidential company information cannot be misused by another party. The software I would install on mobile phones is F-Secure. F-Secure offers advanced anti-theft features with remote lock, remote wipe and theft control functionality. Remote lock can be used to lock the device to protect confidential data with a simple SMS message to the device. The theft control feature activates when the SIM card is changed, locking the device and sending the new SIM information to the owner. In a worst-case scenario, the option to erase all data on the phone is available.
As the system administrator I would have access to every smartphone on the network. Updates, download links, and service activation can be sent via SMS message. Each device will be monitored through a standard web browser. Wireless security will include WPA2 encryption. WPA2 uses the Advanced Encryption Standard (AES) as its encryption method. This technology is similar to, but more secure than, TKIP, but it requires hardware support for performing the encryption. WPA2 can use a pre-shared key and 802.1X, or a dynamic key; a dynamic key will be used. The only wired devices on the network are the four routers, the three backup servers, and the central server. Firewalls will be placed at each router and at the central server.
Threat Detection and Protection Techniques
Good protection techniques can be as simple as applying Windows updates or patching vulnerabilities inside the network. As a system administrator, part of your job is to know which services are running on which ports and to research vulnerabilities for those services so that exploits cannot be made against them. Another good practice is vulnerability-focused signatures. This technique is designed to look for exploitation of a specific vulnerability, and for attempts that indicate a potential exploit could have occurred.
This technique can detect test tools, known attacks, and obfuscated exploits. Vulnerability-focused signatures have been known to pick up various Internet Explorer and ActiveX exploits. There are a couple of disadvantages to vulnerability-focused detection. The signatures may not be able to identify the exact exploit being used, and a buffer overflow may not be detected in a specific attack. However, as a network administrator I would want additional insight into the specific attacks being used against my network. The vulnerability-focused signature approach supports adding exploit-specific signatures to identify known attacks.
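The trade-off described in the two paragraphs above, shown as an added example that is not part of the original document: a vulnerability-focused signature keys on the condition that triggers a flaw (here, a hypothetical service whose USER command has a 64-byte argument buffer), so it also catches a variant it has never seen but cannot name it, while an exploit-specific signature names a known tool's traffic but misses the variant. The service, the buffer size, the tool pattern and the sample messages are all constructed.

```python
"""Added example, not from the original document: vulnerability-focused
versus exploit-specific signatures over constructed protocol messages."""
import re
from typing import Dict, List, Tuple

# Assumed fixed buffer size in the hypothetical vulnerable service.
USER_BUFFER_LIMIT = 64

# Exploit-specific signatures: byte patterns of known tools (constructed).
EXPLOIT_SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "known-tool-A": re.compile(rb"USER A{200}\xde\xad\xbe\xef"),
}


def vuln_focused_signature(message: bytes) -> bool:
    """Fires on the condition behind the flaw: a USER argument longer than the
    buffer, regardless of which bytes fill it. Catches unseen variants."""
    m = re.match(rb"USER (.*)\r\n", message, re.DOTALL)
    return m is not None and len(m.group(1)) > USER_BUFFER_LIMIT


def exploit_specific_matches(message: bytes) -> List[str]:
    """Names every known tool whose exact pattern appears; misses variants."""
    return [name for name, pat in EXPLOIT_SIGNATURES.items() if pat.search(message)]


def classify(message: bytes) -> Tuple[bool, List[str]]:
    """Return (vulnerability signature fired, names of matching exploit sigs).
    Both kinds are run together, as the text recommends, so an alert carries
    the generic 'overlong USER' finding plus the tool name when one is known."""
    return vuln_focused_signature(message), exploit_specific_matches(message)


# Constructed sample messages for the hypothetical service.
SAMPLE_MESSAGES: Dict[str, bytes] = {
    "normal login": b"USER alice\r\n",
    "known tool": b"USER " + b"A" * 200 + b"\xde\xad\xbe\xef" + b"\r\n",
    "obfuscated variant": b"USER " + b"B" * 300 + b"\r\n",
}

if __name__ == "__main__":
    for label, msg in SAMPLE_MESSAGES.items():
        fired, names = classify(msg)
        print(f"{label}: vuln-signature={fired} exploit-signatures={names}")
```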
Final Network Design
The final design offers many things to Kudler Fine Foods. My task was to implement a network that could support growth inside the company, and this design will no doubt allow Kudler Fine Foods to expand. Video conference rooms were added at each location for discussions about growth and income, which enables the higher echelon of employees to discuss business within each building, or to communicate with other corporations outside of Kudler Fine Foods.
Cell phones are now part of this network. Sales and distribution can now be handled anywhere inside the building, not just at a laptop. Each laptop is configured with an 802.11n wireless USB device, and each router is 802.11n specific. Using Voice over Internet Protocol and the chosen protocols for data packet/frame transfer, this network offers speeds up to 600 Mbps using 802.11n wireless devices and a T1 line. Response time will be instant; there will be no jitter, because data transfers inside the company have very few paths to travel.
As you can see in the image above, there is a central server located at the Del Mar location. Packets will not be allowed to leave the network without passing through that server, and all incoming packets will come through the same server. The Encinitas network has a single router that distributes and manages packets; La Jolla has the exact same configuration. Maintaining the network and its security has to be a top priority for the network administrators, and with this setup you now have the ability to see each individual packet and which ports or services are being requested at each destination. The IP address of every wireless device connected to the network will change every month.
The entire address will not change, only the last octet. Manipulation of the subnet mask is something that I wish could be implemented inside this network; however, it will stay constant in this assignment. Finally, at each location there will be a backup desktop with an 802.11n USB adapter. Backups will be executed daily by the network administrators for security purposes. Losing sales information will not be tolerated on this network. Backups can be accessed at each location for CEO purposes only; he can now monitor sales inside his company and the desired input and output of his products. Finally, every device will be updated immediately through Kaspersky, and each system will be brought down every night for maintenance. Every month there will be a stress test on each router to establish the desired bandwidth within the facilities.
Designing this network is going to take some time, since all of the old technology is going to be replaced. However, while the new network is being configured and incorporated into each building, the 56 Kbps connection will still be used until the new network is installed and working properly. The new network should take four weeks. Each location has a week to configure IP octets, install routers, and install devices (USB adapters, Microsoft Windows 7, Kaspersky Anti-Virus, and F-Secure). Upon completion, the last week will be spent stress testing the network. Exploits, Trojans, and viruses will be attempted and proper adjustments made if necessary. Ports will be configured and specific applications restricted. IP octets will be assigned along with the subnet masks.
Kudler Fine Foods wanted to incorporate a WAN and tie a WLAN into each location. There were many routes that could have been taken for this assignment; deciding on the most professional route, you have read what I have offered the company. The only drawback of this design is the amount of money being spent on the project. However, the processing speed for orders, and the traceability, stability, and security of this network, are well worth the cost. The company wanted room to grow; this network offers growth and incorporates ideas that will allow more growth. The use of cell phones and video conference rooms will not only allow supervisors, managers, and the CEO to communicate with each other; the network also allows business discussions and deals to be made anywhere inside the buildings, and conference meetings between Kudler Fine Foods and any corporation outside its network can be held with the use of network communications.
This network was also designed around security. Security cannot be stressed enough in network communications. There are so many ways to penetrate a system that protocols, guidelines, and policies need to be implemented in the network. By keeping everything up to date in this network, malicious activity will be kept to a minimum. Since each device will be brought down every day, the systems administrator has the ability to view the logs the network systems have generated throughout the day, which also helps with the maintenance of the network and the hardware devices used inside this business. Closing with the use of protocols: to the best of my ability, I have designed this network on TCP/IP and specific protocols that allow this network to run fluently with stability as the top priority.