This Final Report illustrates how the project was completed. Pro-Connect LLC specializes in low-cost scalable network solutions for small to large enterprise networks. The Fire and Rescue Contract was completed on time and met all of the contract requirements. The contract focused on closing the information gap between the Fire and Rescue Stations throughout the County. Now that the project has been completed, all County employees have access to the Internet and to the County Intranet.
Pro-Connect connected five Fire and Rescue Stations and the Headquarters Element to the County WAN with ten workstations and one printer per site. Each workstation gives the employee the ability to access the Internet, Employee Intranet, E-mail and HR resources. The Fire and Rescue Headquarters Element was moved from the existing County Domain to the Fire-Rescue Domain at the County Headquarters Building, utilizing their existing workstations. Each of the five Fire and Rescue Stations was integrated into the County's existing infrastructure using a Verizon static T-1 line; the work was completed on time and within the contract budget. Pro-Connect "IT" Services looks forward to helping meet government IT needs in the future.
Spotsylvania County, Virginia has announced a request for proposal related to its Fire & Rescue Department. Currently, the County has five Fire and Rescue Stations and a small Headquarters Element that serve 120,000 people. The Spotsylvania County Fire Chief has requested that the County Board of Supervisors upgrade each Fire Station with Internet access and access to the County WAN. The five stations currently have out-dated standalone workstations not capable of LAN services. The County Board of Supervisors have approved funds for the upgrade so that Fire & Rescue employees can have access to the Internet, Employee Intranet, E-mail and HR resources. Each station will receive ten workstations and one printer, which will connect to the County WAN.
The primary business objective is to connect the Fire & Rescue Department with Internet and Intranet access, and to provide a low-cost scalable network that closes the information gap between the various County Departments.
Access to Employee Intranet
Employees will have e-mail and file sharing capability
Access to web-based EMS training
Enhance first responders' capabilities by giving them additional learning tools via web-based training.
Active Directory Architecture for the F&R project
Active Directory is the information hub for a Windows Server 2003/2008 Operating System Environment. Active Directory in a Windows Server 2003 Network is used to manage identities and broker relationships between distributed resources so they can work together. Pro-Connect installed an additional Domain under the County's existing Forest. The IT department assisted us in the integration of the new domain controller. The new Domain Controllers will be located at the County Headquarters Building within the existing County Datacenter.
The IT department previously had an established FQDN (Fully Qualified Domain Name) of co.spotsylvania.va.us. After reviewing the existing architecture we identified three existing domains: Primary Domain/Forest: spotsylvania.va.us; Sheriff's Office: sheriff.spotsylvania.va.us; Judicial System: courts.spotsylvania.va.us. The Fire & Rescue Domain was established utilizing two Domain Controllers (FRDC1 and FRDC2). The FQDN fire-rescue.spotsylvania.va.us was assigned. Below is a graphical representation of the Forest.
Figure 1: County Forest
Two Domain Controllers were established to support the network's requirements. Both Domain Controllers were configured identically in every aspect to provide redundancy. Each DC was configured with the Active Directory Services required to host the Fire and Rescue Domain. Other services installed include the following: DNS, DHCP, IIS7, and Windows File Sharing. The figure below shows a snapshot of the Server Manager on FRDC1 (Primary Domain Controller):
Figure 2: FRDC1 Server Manager
DNS (Domain Name System)
DNS was installed on both FRDC1 and FRDC2 to provide redundancy. DNS is the name service that provides a standardized system for naming TCP/IP hosts and a way to look up the IP address of a host given the host's DNS name. DNS allows you to access a website such as Google by using the DNS name www.google.com instead of the site's IP address.
Figure 3: DNS Configuration
DHCP (Dynamic Host Configuration Protocol)
DHCP was configured on FRDC1 and FRDC2 to provide an IP address to each client as it connects to the fire-rescue domain. DHCP allows a server to dynamically distribute IP addressing and configuration information to clients. The DHCP server provides the client with at least this basic information: IP address, subnet mask and default gateway.
Because there are multiple sites, we created a DHCP scope defining the IP range for each site, allowing the DHCP service to specify configuration information for clients whose IP addresses fall within a particular scope. Scope information is specific to the DHCP server on which it is defined and is not shared between DHCP servers. The scope was named FRScope, with a lease time of 8 days for DHCP clients. DHCP reservations were configured to assign a static IP address to the printer at each station.
Figure 4: DHCP Address Pool
Figure 5: DHCP Printer Reservation
Managing network services: SNMP
Pro-Connect's network administrator configured SNMP to assist with the following duties:
• Viewing and changing parameters in the LAN Manager and MIB-II MIBs.
• Monitoring DHCP servers.
• Using System Monitor to monitor TCP/IP-related performance counters (Internet Control Message Protocol (ICMP), IP, Network Interface, TCP, UDP, DHCP, FTP, WINS, and IIS performance counters). (Managing DHCP, WINS, and Internet Authentication Service, 2007)
Active Directory Users, Groups, and Security
Every Fire and Rescue employee must have a user account. A user account enables employees to access the network and network resources. Without user accounts, all resources would be open to anyone who casually dropped by the network. When creating the account profiles, fifty new user accounts with basic account options were established. The County Network Administrator will be in charge of adding additional rights to users as needed.
Each employee was given a domain account that grants access to any computer at his or her station; employees can also log on to the domain from any of the other five fire stations throughout the county. First-time users log on to the domain by entering their first name, middle initial and last name. The password used to log on to the network for the first time is ([email protected]). Once a user logs on for the first time, they are prompted to replace the default password with a new one.
Due to the nature of the Fire and Rescue mission, the IT department has decided to give unrestricted logon access to all F&R employees. Because employees work rotating shifts, there is no need to restrict user account logons to certain times or days.
Active Directory Schema
Each Fire and Rescue site, including the Headquarters Element, has been assigned a separate Organizational Unit (OU) for management purposes. Figure 6 below illustrates the Active Directory structure on the left-hand side of the graphic.
Figure 6: Account Creation and Directory Structure
Group Policy and Security
Group Policy Objects were created to maintain user account rights and establish workstation security. The "All Users" GPO is the Default Domain Policy. This policy establishes password and security requirements, Windows Update settings, and Internet Explorer settings that apply to all users. Separate GPOs were also created for Trainers, Privileged Users, and General Users. These GPOs correspond with similarly named Global Security Groups in which user accounts are placed as required.
Figure 7: Group Policy Configuration
Disk Management and Fault tolerance
Below are the options implemented:
Minimizing single points of failure
We provided basic fault tolerance for the F&R project and security deployment by deploying additional hardware configurations that duplicate the existing hardware configuration. In this way, if one path of data input/output (I/O) or a physical hardware component of a server (such as computer, network, and storage area network components) fails, the system can continue to operate using the duplicate hardware. Redundant hardware options we considered included:
Dual power supplies
Dual network adapters
RAID 5 disk arrays
(Establishing a Backup Plan, 2007)
Using RAID configurations
By using RAID, you can increase the fault tolerance of the security deployment. RAID stores data redundantly across multiple disks for redundancy, improved performance, and increased mean time between failures (MTBF). In a RAID configuration, part of the physical storage capacity contains redundant information about the data stored on the hard disks. The redundant information is either parity information (in the case of a RAID-5 volume) or a complete, separate copy of the data (in the case of a RAID-1 volume). The redundant information enables data regeneration if one of the disks or the access path fails, or if a sector on the disk cannot be read.
To ensure that computers running Client Security continue to function properly in the event of a single-disk failure, we used RAID disk mirroring or disk striping with parity on the hard disks within the security deployment. Disk mirroring and disk striping with parity create redundant data for the data on the hard disks.
Using RAID configurations does not prevent damaged files or other file errors. For this reason, Pro-Connect did not use RAID as a substitute for keeping current backups of important data on the servers.
You can also use RAID disk mirroring or disk striping with parity to prevent the loss of a single physical hard disk from causing a failure in your Client Security database. (Establishing a Backup Plan, 2007)
Figure 8: RAID 5 Concept
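As an added illustration of the parity regeneration described above (not code from the report or from any vendor), the following Python sketch stripes data across n disks RAID-5 style with rotating XOR parity and rebuilds the contents after any single disk is lost; the chunk size and sample data are constructed.

```python
CHUNK = 4  # bytes per chunk; tiny so the stripes are easy to inspect (constructed value)

def xor_chunks(chunks):
    """XOR equal-length byte strings together; this is all RAID-5 parity is."""
    out = bytearray(chunks[0])
    for c in chunks[1:]:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)

def raid5_write(data, ndisks):
    """Stripe data across ndisks lists of chunks, one parity chunk per stripe,
    with the parity position rotating so no single disk holds all the parity."""
    per_stripe = (ndisks - 1) * CHUNK
    data = data + b"\0" * ((-len(data)) % per_stripe)   # pad to whole stripes
    disks = [[] for _ in range(ndisks)]
    for s, off in enumerate(range(0, len(data), per_stripe)):
        chunks = [data[off + i * CHUNK: off + (i + 1) * CHUNK] for i in range(ndisks - 1)]
        parity_disk = (ndisks - 1 - s) % ndisks
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(xor_chunks(chunks) if d == parity_disk else next(it))
    return disks

def raid5_read(disks, length, failed=None):
    """Reassemble the data; if 'failed' names a disk, its chunks are regenerated
    from the surviving chunks of each stripe instead of being read."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (ndisks - 1 - s) % ndisks
        for d in range(ndisks):
            if d == parity_disk:
                continue                        # parity is not user data
            if d == failed:
                survivors = [disks[x][s] for x in range(ndisks) if x != failed]
                out += xor_chunks(survivors)    # XOR of the rest equals the lost chunk
            else:
                out += disks[d][s]
    return bytes(out[:length])

def survives_single_failure(data, ndisks=3):
    """True if the data can be regenerated exactly after the loss of any one disk."""
    disks = raid5_write(data, ndisks)
    return all(raid5_read(disks, len(data), failed=f) == data for f in range(ndisks))
```

Note that nothing here verifies parity on a normal read, which is why a corrupted file is rebuilt faithfully corrupted and backups remain necessary.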
Using power backup
For servers that contain critical data, especially in large server deployments, it was necessary to use an uninterruptible power supply (UPS) and battery backup to increase fault tolerance in the security deployment. UPS and battery backup provide protection against power surges and short power losses that can damage servers and the data they contain. For large data centers or critical applications, consider a large-scale UPS system and a backup generator to maintain power to the UPS, air conditioning, and other critical systems during long outages. (Establishing a Backup Plan, 2007)
For security reasons the Fire and Rescue employees do not have remote access capability at this time. The County Network Administrator has decided to block any VPN connections into the County Intranet due to the increased security risks. This option may become available in the near future.
Anti-Virus Service/ Network Security
The County already has a subscription contract with McAfee Security and VirusScan. For the new computers connected to the County WAN, enough licenses were available to extend this software to the 25 clients on the network. Virus protection is essential to securing client computers and to keeping the County network secure.
IIS 7.0 server was installed to establish a Fire and Rescue Intranet Site for all Fire and Rescue Users. Intranet access will include important links and web applications required for daily duties.
Figure 9: IIS 7 Configuration
Figure 10: Fire & Rescue Network (with future Server additions)
Figure 11: Fire & Rescue Station Sample Design
(Below is the basic security design for the County)
Patches and Updates
Router operating system is patched with up-to-date software.
Unused protocols and ports are blocked.
Ingress and egress filtering is implemented.
ICMP traffic is screened from the internal network.
TTL expired messages with values of 1 or 0 are blocked (route tracing is disabled).
Directed broadcast traffic is not forwarded.
Large ping packets are screened.
Routing Information Protocol (RIP) packets, if used, are blocked at the outermost router.
Unused management interfaces on the router are disabled.
A strong administration password policy is enforced.
Static routing is used.
Web-facing administration is disabled.
Unused services are disabled (for example, bootps and finger).
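As an added illustration (not part of the report and not the project's real router configurations), the following Python script checks a Cisco IOS-style running-config against several of the router checklist items above: unused services, web-facing administration, password handling, static versus RIP routing, central logging, directed broadcasts and ingress/egress ACLs. The two sample configs and the 10.10.0.0/16 addressing are constructed.

```python
import re

def parse_ios(config):
    """Split IOS-style config text into global commands and per-interface command lists."""
    g, interfaces, current = [], {}, None
    for line in (raw.rstrip() for raw in config.splitlines()):
        if line.startswith(" ") and current:       # indented: belongs to the open interface
            interfaces[current].append(line.strip())
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:                                      # '!' or any global command closes the block
            current = None
            if line and not line.startswith("!"):
                g.append(line.strip())
    return g, interfaces

def audit_router(config):
    """Return the checklist items the config fails; an empty list means it passes."""
    g, interfaces = parse_ios(config)
    def has(prefix):
        return any(cmd.startswith(prefix) for cmd in g)
    checks = [  # (fails when ..., checklist item it maps to)
        (has("service finger"), "finger service enabled (unused services)"),
        (not has("no ip bootp server"), "bootps not disabled (unused services)"),
        (not has("no ip http server"), "web-facing administration not disabled"),
        (not (has("service password-encryption") and has("enable secret")), "weak admin password handling"),
        (has("router rip"), "RIP enabled; static routing expected"),
        (not has("ip route "), "no static routes configured"),
        (not any(re.match(r"logging (host )?\d", cmd) for cmd in g), "logs not sent to a central syslog host"),
    ]
    findings = [msg for failed, msg in checks if failed]
    for name, cmds in interfaces.items():
        if "shutdown" in cmds or not any(c.startswith("ip address") for c in cmds):
            continue                               # unused interface: nothing to filter
        if "ip directed-broadcast" in cmds:
            findings.append(f"{name}: directed broadcasts forwarded")
        for way in ("in", "out"):                  # ingress and egress filtering
            if not any(c.startswith("ip access-group") and c.endswith(" " + way) for c in cmds):
                findings.append(f"{name}: no {way}bound ACL")
    return findings

# Constructed sample configs (not the project's real router configurations).
WEAK_CONFIG = """\
service finger
ip http server
interface FastEthernet0
 ip address 10.10.1.1 255.255.255.0
 ip directed-broadcast
!
router rip
"""
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$salt$PLACEHOLDERHASH
no ip bootp server
no ip http server
logging host 10.10.0.20
ip route 0.0.0.0 0.0.0.0 192.0.2.1
interface FastEthernet0
 ip address 10.10.1.1 255.255.255.0
 no ip directed-broadcast
 ip access-group LAN-IN in
 ip access-group LAN-OUT out
"""
```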
Auditing and logging
Logging is enabled for all denied traffic.
Logs are centrally stored and secured.
Auditing against the logs for unusual patterns is in place.
IDS is in place to identify and notify of an active attack.
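The "auditing against the logs for unusual patterns" item above, as an added example that is not from the report: the following Python reads ACL deny messages in the format Cisco IOS emits for access-list entries carrying the log keyword, aggregates them per source and flags port probing, floods and internal hosts tripping the egress filter. The log lines, addresses, the 10.10.0.0/16 internal range and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines in the format Cisco IOS uses for ACL entries carrying the
# 'log' keyword; addresses and the 10.10.0.0/16 internal range are assumptions, not the County's.
SAMPLE_LOG = """\
Mar 10 08:15:01 10.10.1.1 %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 203.0.113.7(40213) -> 10.10.1.20(21), 1 packet
Mar 10 08:15:01 10.10.1.1 %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 203.0.113.7(40214) -> 10.10.1.20(22), 1 packet
Mar 10 08:15:02 10.10.1.1 %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 203.0.113.7(40215) -> 10.10.1.20(23), 1 packet
Mar 10 08:15:02 10.10.1.1 %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 203.0.113.7(40216) -> 10.10.1.20(445), 1 packet
Mar 10 08:16:10 10.10.1.1 %SEC-6-IPACCESSLOGP: list WAN-IN denied udp 198.51.100.9(5353) -> 10.10.1.1(161), 48 packets
Mar 10 08:17:30 10.10.1.1 %SEC-6-IPACCESSLOGP: list LAN-IN denied tcp 10.10.1.35(51022) -> 192.0.2.50(6667), 3 packets
Mar 10 08:18:00 10.10.1.1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar 10 08:19:00 10.10.1.1 %SEC-6-IPACCESSLOGP: list WAN-IN denied tcp 192.0.2.77(3300) -> 10.10.1.20(80), 1 packet
"""

DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

INTERNAL = ip_network("10.10.0.0/16")  # assumed station address space
SCAN_PORTS = 4       # distinct destination ports from one source before we call it a probe
FLOOD_PACKETS = 20   # denied packets from one source before we call it a flood

def parse_denies(text):
    """Yield one dict per ACL deny line; lines in any other format are ignored."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["dport"], d["count"] = int(d["dport"]), int(d["count"])
            yield d

def find_unusual(text):
    """Summarise denied traffic per source address and return {source: [reasons]}."""
    ports, packets, egress = defaultdict(set), defaultdict(int), defaultdict(set)
    for d in parse_denies(text):
        ports[d["src"]].add((d["proto"], d["dport"]))
        packets[d["src"]] += d["count"]
        # an internal host being denied on its way out is a misconfiguration or worse
        if ip_address(d["src"]) in INTERNAL and ip_address(d["dst"]) not in INTERNAL:
            egress[d["src"]].add(d["dport"])
    findings = {}
    for src in ports:
        reasons = []
        if len(ports[src]) >= SCAN_PORTS:
            reasons.append(f"probed {len(ports[src])} ports")
        if packets[src] >= FLOOD_PACKETS:
            reasons.append(f"{packets[src]} denied packets")
        if egress[src]:
            reasons.append(f"internal host blocked leaving the network (egress filter hit on ports {sorted(egress[src])})")
        if reasons:
            findings[src] = reasons
    return findings
```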
Patches and updates
Firewall software and OS are patched with latest security updates.
Packet filtering policy blocks all but required traffic in both directions.
Application-specific filters are in place to restrict unnecessary traffic.
Logging and auditing
All permitted traffic is logged.
Denied traffic is logged.
Logs are cycled with a frequency that allows quick data analysis.
All devices on the network are synchronized to a common time source.
Perimeter network is in place if multiple networks require access to servers.
Firewall is placed between untrusted networks.
Patches and updates
Latest security patches are tested and installed or the threat from known vulnerabilities is mitigated.
VLANs are not overused or overly trusted.
All factory passwords are changed.
Minimal administrative interfaces are available.
Access controls are configured to secure SNMP community strings.
Unused services are disabled.
Switched traffic is encrypted.
All clocks on devices with logging capabilities are synchronized.
Administrative access to the network
TACACS or RADIUS is used to authenticate administrative users.
The network is structured so ACLs can be placed on hosts and networks.
Below is a summary for the total costs of the networking system.
Total Costs for Hardware/Software/Installation/Miscellaneous Expenses
Total Computer Costs
Cost Analysis Complete Breakdown
The cost analysis includes all needed hardware, software, networking and miscellaneous expenses. The products were compared against competing products to meet the needs of the County's existing infrastructure. The pricing is a compilation of the best overall value from multiple distributors for each itemized cost. The total amount needed to fulfill the needs of this project came to $97,430.25. There are other expenditures such as Internet access, virus software, and intermittent consulting. Below is our final offer; we are confident that the final product will fulfill the needs of the business and that the pricing is below the $100,000 contract bid. Below is a complete itemized listing of network, hardware, and software expenditures.
An all-wired network from PC to switch/router is wired using UTP Cat 5e cabling because it supports 10/100/1000Base-T Ethernet, allowing up to 100 Mbps data transfer between network PCs as well as much faster Gigabit Ethernet uplinks from the Cisco 1800 series router to the county servers and to the Cisco Catalyst 2960 series switch. Based on the number of users, the applications used and the network protocols, Cisco recommended at least a T1 (1.5 Mbps) connection to the Internet.
All five Fire and Rescue Stations were connected using T1 links through Verizon (ISP). All five sites have a Cisco 1800 series router installed and are connected via T1 links. Each site's router has an 8-port 10/100Base-T Ethernet module installed.
The Cisco 1800 Series Routers
Benefits and advantages: The Cisco 1800 Series fixed-configuration routers help enable a network infrastructure for SMBs and enterprise small branch offices, providing access to the Internet, corporate headquarters, or other remote offices, while securing and protecting critical data with integrated Cisco IOS Software security features and capabilities. They also help businesses reduce costs by enabling deployment of a single device to provide multiple services (integrated router with redundant link, LAN switch, firewall, VPN, IPS, wireless technology, and quality of service [QoS]) typically performed by separate devices. Cisco IOS Software allows this flexibility, providing the industry's most robust, scalable, and feature-rich internetworking support, using accepted networking standards.
Security Features of the 1800 Series
Cisco IOS Firewall
• Stateful firewall with URL filtering
• Per-user authentication and authorization
• Real-time alerts
• Transparent firewall
• IPv6 firewall
• Advanced Encryption Standard (AES) 128, 192, and 256
• Triple Data Encryption Standard (3DES) and DES encryption
• Embedded hardware-based VPN acceleration on the motherboard
• Cisco Easy VPN remote and server support
• Dynamic Multipoint VPN (DMVPN)
• Group Encrypted Transport VPN (GET VPN)
Onboard USB Port
• USB 2.0 ports (2) (Cisco 1811 and 1812 models only)
• More than 700 IPS signatures supported in Cisco IOS Software, with the ability to load and enable selected IPS signatures
• Local URL filtering in Cisco IOS Software based on an external server (Websense and N2H2)
• Stateful firewall contains URL filtering
• Cisco Router and Security Device Manager (SDM)
IOS WebVPN (SSL VPN)
• Secure remote access for mobile users without installing PC client software
• Integrated into the router; no separate appliance required
• Cisco 1801 and 1812 support up to 10 users
• Requires IOS WebVPN feature license FL-WEBVPN-10
• Requires an IOS security feature set (the IOS security feature set is included in all secure router bundles)
Cisco 24 port Gigabit Ethernet Switch 2960
Fixed-configuration switches offering Fast Ethernet and Gigabit Ethernet connectivity with enhanced LAN services for mid-market and branch office networks. The Catalyst 2960 Series compact silent models are ideal for deployments in office workspaces, classrooms, and other space-constrained environments and enable intelligent services using enterprise-class features outside of the wiring closet.
At speeds of 1000 Mbps, Gigabit Ethernet provides the bandwidth to meet new and evolving network demands, alleviate bottlenecks, and boost performance while increasing the return on existing infrastructure investments. Today's workers are placing higher demands on networks by running multiple concurrent applications. The Catalyst 2960 Series provides a means to intelligently scale the network beyond 100 Mbps over existing Category 5 copper cabling.
Security is delivered through a wide range of authentication methods, data encryption technologies, and Network Admission Control (NAC) based on users, ports, and MAC addresses. Through these features, the Catalyst 2960 Series offers security to protect users and devices from
Ease of Management and Configuration
Cisco Network Assistant simplifies configuration, Cisco IOS Software updates, and troubleshooting. Smart ports enable fast and easy configuration of Cisco Catalyst intelligent capabilities; Express Setup is quick and easy using the web page interface. Enhanced troubleshooting for link connectivity issues and cable diagnostics is provided.
When choosing an ISP, the decision was based not only on price but on quality, reputation and history. We chose Verizon Business Internet Service for a variety of reasons: Verizon is a leader in the telecommunications industry and offers an excellent product that correctly fits the needs of the County system. The five Fire and Rescue Stations needed Internet access of 1.5 Mbps per station.
A static T1 line (1.5 Mbps) from Verizon Internet Service was therefore required. Since the County already has an existing contract with Verizon, it made sense to add the five new connections to the existing contract.
Other Hardware and Software
Windows 7 OS
OS for the additional desktop computers
Enhancement to the new servers
Enhancement to the servers
(Snapshot of a Secure Network, 2007)
Pro-Connect "IT" Services attracts superior professionals from a wide variety of sectors. Within the Washington, D.C. metro area, there are nearly 100 Pro-Connect IA professionals engaged with various clients including DOD and civilian government agencies, state governments, and commercial enterprises. Globally, Pro-Connect employs 1,000 IA team members. Pro-Connect's capabilities include a comprehensive portfolio of IA services, project management, network program development, system security engineering, and security services.
Pro-Connect staffed this project from existing full-time employees. The following table lists the key employees and the position to which each person is assigned.
Government Advisory Spec Mgr.
Government Advisory Spec Mgr.
Access Manager Engineer
Government Advisory Spec Mgr.