Final - AUX Paper

Running Header: Auxilium.com Company Overview
Auxilium.com Company Overview
Florida State College
Network Infrastructure Facilities Planning
Group 2
Jordan Durity, Curtis Holton, Frank Mack, Steve Rawls, Jason Richardson, and Francisco Tobar
March 23, 2016
Executive Summary
[JR] Our mission is simple: make technology an asset for your business, not a problem. We at
Auxilium.com (AUX) have developed our company around this simple principle: protecting your image
by providing redundant, relevant, and reliable service. Technology should be easily adapted to the
individual or broadened to the corporation. We span these requirements by developing and
implementing simple security, service, infrastructure, and network policies.
Auxilium.com (AUX) is a web-based company that provides individuals and companies with website design, search engine optimization (SEO), and limited storage. AUX also manages Facebook and Twitter pages for companies and individuals who need to protect their online presence and publish service updates and other company announcements.
Infrastructure and Network
[JR] Network Layout. The network is designed with 50% growth taken into account. The use of VLSM within a private 10.10.0.0/16 block gives AUX the ability to separate and segregate all workgroups, managers, teleworkers and contractors, support staff, and executives. Our company's workgroups are separated by task or responsibility. At AUX we have teams specifically allocated to Facebook, Twitter, Search Engine Optimization, and Web Design, each on the same VLAN, VLAN 20. Support services such as Human Resources, the IT department, and Sales and Marketing are each on their own VLAN to enhance the security of these individual departments. The Sales and Marketing team is assigned to VLAN 10 and Human Resources is assigned VLAN 50. The IT department is assigned VLAN 100 and has direct access to VLAN 200, which is reserved for the Data Center. The executives of the company have their own VLAN, VLAN 60, with access to all other departmental VLANs to ensure accountability within AUX.
Our Data Center will have multiple servers that will primarily be used to operate a small web development division and search engine optimization (SEO) group. AUX team members will have access to a development system that will allow for quality assurance, testing, and development projects such as mobile applications and new web services. AUX has also instituted a DMZ server for customer and public interaction. The DMZ, which has a static public IP address, provides us with one more layer of security.
Lastly, outside contractors who specialize in areas not always needed within the company will connect through a VPN client on a separate VLAN, VLAN 40. This VPN, the Cisco AnyConnect VPN Client software, will also be available for individuals who are on call in the IT department or select team members who need remote access. (Cisco, Inc., 2014)
[FM] Addressing. The addressing scheme, as previously stated, is a private 10.10.0.0/16 implemented with VLSM. Addressing the teams for easy expansion and routing was a priority during the design and planning phase of AUX. Static mapping of our DMZ server for outside web traffic and mail delivery adds a layer of security: the 10.10.10.1/30 private address is statically mapped to our public address of 209.16.55.6/29, leaving five public addresses for NAT/PAT traffic. The Management network is assigned the 10.10.99.0/24 address space. The 10.10.99.0 network includes the syslog and SNMP servers, switch and router management, and one management console, all managed by the IT department. The executives within the company are assigned the 10.10.5.32/27 network because their need for expansion is limited. AUX support staff, beginning with the IT department, has been given 10.10.100.0/24. The Data Center is assigned the 10.10.200.0/25 network. Human Resources has been issued 10.10.5.0/27, again because its need for expansion is limited.
AUX teams are segregated into two main workgroups, Workgroup 1 and Workgroup 2. Workgroup 1 is comprised of one manager on the 10.10.1.0/27 network. The Team 1 Manager is responsible for the Sales and Marketing team, assigned the 10.10.1.32/27 network, and the Search Engine Optimization and Web Design teams, both assigned 10.10.0.0/24 because their jobs are so closely related. Workgroup 2 is comprised of one manager on the 10.10.1.0/27 network as well. The Team 2 Manager is responsible for the Facebook team and the Twitter team, both assigned 10.10.0.0/24, again because their jobs are closely related. VPN traffic is assigned the 10.10.4.0/24 block for those needing outside access, including contractors, teleworkers, and on-call personnel. The AUX wireless controller will issue addresses from the 172.16.0.0/23 range to all individuals within the facility for their personal mobile devices, tablets, and computers, segregating those devices from the main network. Finally, the routers and firewall are all on the same network within the company and are assigned the 10.10.200.128/25 network for easy management and in case there is a need to add more security.
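The addressing section above is the kind of plan a reviewer would check mechanically: no two departmental prefixes may overlap, everything except the wireless range must sit inside 10.10.0.0/16, each prefix must still have room once the 50% growth reserve is held back, and the /29 public block must really leave five addresses after the DMZ mapping. The script below does those checks with Python's standard ipaddress module; it is an added example, not part of the paper, and the entry labels and the "hosts ÷ 1.5" reading of the growth rule are our assumptions.

```python
"""Sanity checks for the AUX VLSM address plan (added example, not from the paper)."""
from ipaddress import ip_interface, ip_network

# Subnets as listed in the Addressing section; the labels are ours, not the paper's.
AUX_PLAN = {
    "DMZ static mapping": "10.10.10.1/30",
    "Workgroup 1 and 2 managers": "10.10.1.0/27",
    "Sales and Marketing": "10.10.1.32/27",
    "SEO / Web Design / Facebook / Twitter": "10.10.0.0/24",
    "VPN (contractors, teleworkers, on-call)": "10.10.4.0/24",
    "Human Resources": "10.10.5.0/27",
    "Executives": "10.10.5.32/27",
    "Management (syslog, SNMP, consoles)": "10.10.99.0/24",
    "IT department": "10.10.100.0/24",
    "Data Center": "10.10.200.0/25",
    "Routers and firewall": "10.10.200.128/25",
    "Wireless (personal devices)": "172.16.0.0/23",
}
CORPORATE_BLOCK = ip_network("10.10.0.0/16")
GROWTH = 0.5  # the design reserves 50% growth over current headcount (assumed reading)


def find_overlaps(plan):
    """Pairs of plan entries whose prefixes overlap; an overlap means two
    departments would share addresses and any VLAN ACL between them is moot."""
    nets = {name: ip_interface(p).network for name, p in plan.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def outside_corporate_block(plan):
    """Entries not carved from 10.10.0.0/16 (only the wireless range should be)."""
    return [n for n, p in plan.items()
            if not ip_interface(p).network.subnet_of(CORPORATE_BLOCK)]


def headcount_capacity(prefix, growth=GROWTH):
    """(usable host addresses, headcount supported once the growth reserve is
    held back); e.g. a /27 has 30 usable addresses and supports 20 people."""
    usable = ip_interface(prefix).network.num_addresses - 2
    return usable, int(usable / (1 + growth))


def spare_public_addresses(public_block, statically_mapped):
    """Usable public addresses left for NAT/PAT after static mappings are taken."""
    net = ip_network(public_block, strict=False)
    used = {ip_interface(a).ip for a in statically_mapped}
    return sum(1 for host in net.hosts() if host not in used)


if __name__ == "__main__":
    print("overlaps:", find_overlaps(AUX_PLAN) or "none")
    print("outside 10.10.0.0/16:", outside_corporate_block(AUX_PLAN))
    for name, prefix in AUX_PLAN.items():
        usable, people = headcount_capacity(prefix)
        print(f"{name:40} {prefix:18} usable={usable:4} headcount<={people}")
    # The paper maps the DMZ to 209.16.55.6/29 and says five addresses remain.
    print("spare public addresses:",
          spare_public_addresses("209.16.55.6/29", ["209.16.55.6"]))
```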
[JD] Equipment. The equipment at AUX consists of two Cisco 2811 routers. (Cisco, Inc., 2014) One will connect to the DMZ/web server and the other will connect to the ISP cloud. These routers will be interconnected via Ethernet. Straight-through cables will be used to connect the Cisco 3560 24-port switches. (Cisco, Inc., 2014) The small office/home office (SOHO) will use Samsung R780 17.3" laptop computers connected to a Cisco 1841 router. (Samsung, 2014) It will be connected back to the main office via a software-based VPN. We deployed two Cisco 3560 switches and a WatchGuard Unified Threat Management firewall that will be connected to a Cisco 2960 switch linking the storage and data servers. (WatchGuard, 2014) There will be a total of five servers on this Cisco 2960 switch. (Cisco, Inc., 2014) The servers are Intel® Server Board S4600LH2 and S4600LT2-based systems. (Intel, 2014) The storage devices will be PROMISE Pegasus2 RAID storage systems. (New Egg, Inc., 2014) The servers are designated Production, Development, Storage 1, Storage 2, and Storage 3.
The switches are Cisco 2960 switches trunked to each other, carrying both voice and data. Every workstation will have a Cisco 7960 IP phone assigned to it. The first switch is configured for the AUX IT department, which is assigned VLAN 100. (Cisco, Inc., 2014) The AUX HR department, which is assigned VLAN 50, is also located on this switch. These departments will use ThinkCentre M73 SFF desktops with ViewSonic 27" LCD monitors. (Lenovo, 2014) The second switch will carry the Cisco 7960 VoIP phones, assigned to VLAN 30, and data for the Sales and Marketing, Search Engine Optimization, and Web Design teams. These workstations are ThinkCentre M73 SFF desktops with ViewSonic 27" LCD monitors and are assigned to VLAN 10. The third Cisco 2960 switch will connect the Cisco 7960 VoIP phones and the Facebook and Twitter teams’ ThinkCentre M73 SFF desktop workstations with ViewSonic 27" LCD monitors, which are assigned to VLAN 20. The final Cisco 2960 switch will connect four ThinkCentre M73 SFF desktop workstations with ViewSonic 27" LCD monitors for the CEO, VP, CFO, and CIO. These workstations will be assigned to VLAN 60. A list of equipment is attached.
[CH] Topology. The network topology at AUX was designed in a simple yet sophisticated manner using the Cisco three-layer hierarchical model. The network is divided into three main layers: the core, distribution, and access layers. The core layer, perhaps the most critical part of the network, serves as the aggregator for all of the other network layers, tying the network together. The distribution layer acts as a services and control boundary between the access and core layers and controls the flow of data through the network. The access layer is home to all end users on the network and is where each of the AUX teams connects to the network.
The core layer is comprised of two main Cisco 2811 routers: Core Router 1 connects to the DMZ/Web Server and Core Router 2 connects to the ISP. Core 1 will have a built-in wireless controller to manage the access points throughout the facility. AUX’s outside contractors also connect with a VPN client to Core Router 2. A WatchGuard UTM firewall also lies between Core Routers 1 and 2, connecting them to the distribution layer of the topology. The WatchGuard firewall ensures all traffic coming into or out of the core layer is allowed and monitored. (WatchGuard, 2014) The distribution layer is comprised of two Cisco 3560 Layer 3 switches that handle routing and switching of network traffic through the distribution layer and also double as secondary firewalls. Each of the 3560 switches has a connection to a Cisco 2960 switch providing access to the storage area of the network, comprised of a production server, a development server, and three additional storage servers. The 3560 distribution switches also provide redundant links to each of our access layer switches, providing connectivity for each of our AUX teams. The access layer is home to four Cisco 2960 switches, each dedicated to specific AUX teams. The four access switches are the IT/HR Access Switch, Executives Access Switch, Social Media Access Switch, and the Development and Sales Access Switch, each of which has redundant links to the others in case of a connectivity issue or failure. Each access switch provides connectivity to our AUX team end users’ and executives’ workstations and Cisco 7960 VoIP phones. Two additional managers also access the network: Manager 1 through the Social Media Access Switch and Manager 2 through the Development and Sales Switch.
[CH] AUX Teams. The AUX teams found in the access layer of the topology are as follows: IT Department, Human Resources, Sales and Marketing, Search Engine Optimization, Web Design, Facebook Team, Twitter Team, and the company Executives. Each team has its own purpose, responsibilities, and tasks in making AUX work for its clients. Each team member is highly skilled and has a specific role in making their particular team as effective as possible.
The IT Department is made up of four highly skilled individuals handling all of AUX’s network
administration, information security and desktop administration. The IT department also handles all
technical support issues from within. The roles found in this team are Network/Desktop Administrator,
Security Specialist/Tier 3 Support, Tier 2 Support and Tier 1 Support.
The Human Resources team is comprised of three roles: the HR Supervisor, HR Specialist, and HR Recruiter. The HR Supervisor is responsible for managing the HR team and making all final decisions passed up from other HR team members. The HR Specialist deals with many other HR functions such as payroll, scheduling, and HR-related issues that may arise within the office. The HR Recruiter is the headhunter for AUX, scouting for the very best new talent and finding individuals to meet the needs of expansion.
The Sales and Marketing team is comprised of two Sales and Marketing Specialists and three Representatives. The purpose of this team is to develop the best strategies and packages to attract customers, retain customers, and seal the deal with new customers. The Specialists are the main strategists for marketing and sales plans. The Representatives deal with AUX’s customers and potential customers directly.
The Search Engine Optimization (SEO) team is comprised of an SEO Engineer, an SEO Admin, and three SEO Technicians. The purpose of this team is to help AUX’s customers’ pages and products appear on the first results page of Internet search engines. The SEO Engineer develops strategies for SEO while the Admin maintains the department and deploys the main SEO strategies. Our three SEO Technicians work directly with AUX clients, whether they are using AUX for SEO or having technical issues with SEO.
The Web Design team is comprised of two Senior-Level Web Designers along with a Level 1 and a Level 2 Designer. The Web Design team designs and builds all websites, online and mobile apps, and website-as-a-service applications for AUX’s clients. AUX’s Web Design team specializes in the most commonly used web coding languages such as PHP, Java, JavaScript, Ruby, Python, HTML, CSS, and XML. The Level 1 and Level 2 developers write the majority of the code on most projects and do quality assurance testing as well. However, the most complicated projects will be handled by the Senior Web Designers.
The Facebook (FB) team is comprised of an FB Team Supervisor, an FB Designer, and three FB Coordinators. The purpose of the Facebook team is to design and maintain Facebook accounts for all of AUX’s clients. This team handles everything from the design process to all of the posts, updates, and FB friends. The Team Supervisor is responsible for managing all work and ensuring that all FB SLAs are met by the team. The Designer strictly handles designing AUX’s clients’ Facebook accounts, and the FB Coordinators are responsible for maintaining the accounts by adding friends, updating statuses, and creating posts.
AUX’s Twitter team, similar to the Facebook team, is responsible for handling all aspects of AUX’s clients’ Twitter accounts. This team is as important as the Facebook team, creating easy social media marketing for all AUX clients and keeping AUX’s clients’ customers engaged with the companies or businesses they follow on Twitter or Facebook. The team is made up of a Supervisor, a Designer, and three Coordinators. The roles are similar to those on the Facebook team, only regarding clients’ Twitter accounts.
The AUX Executives are a team of AUX’s top authorities, including AUX’s Chief Executive Officer (CEO), Vice President (VP), Chief Information Officer (CIO), and Chief Financial Officer (CFO). The role of this team is to develop, design, implement, and enforce all of AUX’s executive decisions. Each executive is responsible for designing and implementing decisions within the purview of their respective executive role.
[SR] Network Security Policy
At AUX, we constantly monitor the flow of data into and out of the network. This gives us ultimate control of what accesses our network as well as what could possibly be taken from our network. We know what exits our network because we are constantly performing file auditing, which gives us a real-time view of what enters and leaves our network. The AUX Security Policy (ASP) covers contract employees, employees with telepresence, VPN traffic, and related software. The ASP states that all traffic related to contract work and any service that AUX defines as proprietary must be encapsulated with IPsec.
Campus/Facility Security. The AUX Security Policy (ASP) requires that access controls to the campus be controlled and managed by Siemens Access Control Systems. (Siemens Technology, 2014) The ASP states that all personnel shall be issued an ID card upon hire. Employees, vendors, and other ID card holders must display their ID cards on their outermost garment at all times, and “piggybacking” into a building or secured area is not permitted. All new-hire personnel are required to sign an agreement that covers all security concerns, behavior, Internet etiquette, and disclosure of proprietary company intellectual property.
End-user Computing. The AUX Security Policy (ASP) states that random forensic sweeps will be carried out monthly, covering 20% of all assets. The ASP also governs the use of removable storage drives. The removable drive policy ensures two things: it prohibits the use of removable media by anyone without the proper authority, and it prohibits the use of unauthorized media devices by a user who has permission to use such devices. The use of unauthorized USB drives is prohibited on AUX campuses. Authorized USB devices fall under the same forensics policy stated above.
VPN Policy. When communicating over the network, our VPN provides a private network over a public network. This permits secured communications and access, using IPsec, for users who are not directly connected to our network. The ASP defines the VPN software to be the Cisco AnyConnect VPN Client for any contract, telepresence, or remote user.
Network Security. The ASP states that network security will not be implemented solely at one layer. AUX implements a multi-layered approach to prevent attacks on our network, combining antivirus, personal firewalls, and intrusion detection. The ASP calls for the use of a syslog server that logs level 4 messages to an independent machine, providing forensic details of all alerts. To prevent email attacks, our web servers use spam filters to reduce spam in our network by as much as 99.9%.
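The "level 4" rule above is only useful if the collector on the management network actually keeps the right messages and notices when a line cannot be parsed. The filter below, an added example rather than anything from the paper, reads Cisco-style syslog lines (%FACILITY-SEVERITY-MNEMONIC), keeps severities 0 through 4 (our reading of the rule, equivalent to Cisco's "logging trap warnings"), counts unparsed lines, and tallies forwarded messages per device; the hostnames, sequence numbers and addresses in the sample are constructed.

```python
"""Severity filter for Cisco-style syslog lines (added example, not from the paper)."""
import re
from collections import Counter

LEVEL_NAMES = ["emergencies", "alerts", "critical", "errors", "warnings",
               "notifications", "informational", "debugging"]
# "Log level 4 messages" is read here as Cisco's "logging trap warnings":
# severities 0-4 are forwarded to the independent syslog host (assumption).
TRAP_LEVEL = 4

# timestamp, sending host, optional sequence number, then %FACILITY-SEV-MNEMONIC: text
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+.*?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Constructed sample lines; hostnames, sequence numbers and addresses are illustrative only.
SAMPLE_LOG = """\
Mar 23 09:14:02 aux-core-rtr1 101: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Mar 23 09:14:05 aux-core-rtr1 102: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Mar 23 09:15:40 aux-dist-sw1 77: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.99.20)
Mar 23 09:16:12 aux-dist-sw1 78: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://10.10.99.5/sw1.cfg) failed
Mar 23 09:17:03 aux-core-rtr2 210: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.10.4.17(51342) -> 10.10.200.10(22), 1 packet
Mar 23 09:18:30 aux-core-rtr2 211: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60A3F2C4, pool Processor
garbage line that the collector could not parse
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def forwardable(lines, trap_level=TRAP_LEVEL):
    """Records at or below trap_level (lower number = more severe) plus a count of
    non-empty lines that failed to parse; a silent drop would hide events."""
    kept, unparsed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1
            continue
        if rec["severity"] <= trap_level:
            kept.append(rec)
    return kept, unparsed


def summarize(records):
    """Messages per (host, severity name), for the daily review of the log host."""
    return Counter((r["host"], LEVEL_NAMES[r["severity"]]) for r in records)


if __name__ == "__main__":
    kept, unparsed = forwardable(SAMPLE_LOG.splitlines())
    for r in kept:
        print(f'{r["host"]:14} {LEVEL_NAMES[r["severity"]]:9} {r["facility"]}-{r["mnemonic"]}: {r["text"]}')
    print("unparsed lines:", unparsed)
    print(dict(summarize(kept)))
```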
AUX utilizes the following four steps to ensure an adaptive and continuous network policy: secure, monitor, test, and improve. AUX IT managers constantly test the effectiveness of our policy by performing auditing and vulnerability scanning with Nessus. Nessus provides high-speed asset discovery, configuration auditing, asset profiling, sensitive data discovery, patch management, multi-scanner control, and vulnerability analysis. (Nessus)
Network Firewall Hardware. AUX utilizes WatchGuard’s Next-Generation Firewall. This system uses Unified Threat Management (UTM), which provides enterprise-grade perimeter defense against viruses, spam, and other unwanted traffic. The firewall works with comprehensive rule sets as well as static NAT mapping. Its intrusion prevention system categorizes threats by severity, and the signature database is updated on a schedule set by our security team. The UTM provides us with options for packet filtering, intrusion prevention service, application control, data loss prevention, advanced persistent threat protection, and zero-day malware protection, all through a user-friendly GUI. (WatchGuard, 2014)
The ASP also utilizes WatchGuard’s Secure Wireless e-Series or XTM 21 access point. It is a full-featured security device used within our WLAN ranges throughout AUX campuses. It provides us with easily configured intrusion protection and allows end users to roam under our ASP protection. (WatchGuard, 2014)
AUX allows our CIO to constantly update security policies and adapt our network to changing
threats both physical and cyber related. This freedom allows for an adaptive approach that will suit our
changing network, communication and service needs.
[FM] Equipment List. The equipment listed below is deployed throughout the AUX environment.
Qty  Item
2    Cisco 3560 – 24PS switches
2    Cisco 2811 routers
1    Cisco 1841 router (SOHO network)
5    Cisco 2960 switches
2    Firewalls: WatchGuard Unified Threat Management (UTM) and e-Series or XTM 21
7    Servers: Intel® Server Board S4600LH2 and S4600LT2-based systems
7    RAID storage devices: PROMISE Pegasus2 R8 P2R8HD24US (RAID 0, 1, 5, 6, 10, 50, 60; 8 x 3.5" drive bays; 2 x Thunderbolt 2; 24TB RAID system)
40   Desktop computers: ThinkCentre M73 SFF desktop with ViewSonic 27" LCD monitor
10   Laptops: Samsung R780 – 17.3 (SOHO)
60   Cisco 7960 phones
References
Cisco, Inc. (2014, July 18). Cisco 2811 Integrated Services Router. Retrieved from http://www.cisco.com/c/en/us/products/routers/2811-integrated-services-routerisr/index.html
Cisco, Inc. (2014, July 10). Cisco 2960 switch. Retrieved from http://www.cisco.com/c/en/us/products/switches/catalyst-2960-series-switches/index.html
Cisco, Inc. (2014, July 9). Cisco Catalyst 3560 Series Switches. Retrieved from http://www.cisco.com/c/en/us/products/switches/catalyst-3560-series-switches/index.html
Cisco, Inc. (2014, July 6). Cisco AnyConnect. Retrieved from http://www.cisto.com/c/en/us/support/security/anyconnect-vpn-client/tsd-products-supportseries-home.html
Cisco, Inc. (2014, July 10). Cisco Unified IP Phone 7960G. Retrieved from http://www.cisco.com/c/en/us/products/collaboration-endpoints/unified-ip-phone7960g/index.html
Intel. (2014, July 8). Intel Server Board S4600LH2 and S4600LT2-based Systems. Retrieved from http://www.intel.com/content/www/us/en/server-systems/server-board-s4600lh-ltsystems.html
Lenovo. (2014, July 28). Lenovo. Retrieved from http://shop.lenovo.com/us/en/desktops/thinkcentre/mseries-sff/m73-sff/
New Egg, Inc. (2014, July 28). PROMISE Pegasus2 R8 P2R8HD24US RAID. Retrieved from http://www.neweggbusiness.com/Product/Product.aspx
Samsung. (2014, July 9). Samsung. Retrieved from http://www.samsung.com/ie/consumer/pcperipherals/notebook-computers/high-performance/NP-R780-JS03UK
Siemens Technology. (2014, July 6). Access Control Systems. Retrieved from http://www.buildingtechnologies.seimens.com
WatchGuard. (2014, July 18). Secure Wireless. Retrieved from http://www.watchguard.com/wgrdproducts/secure-wireless/overview
WatchGuard. (2014, July 9). Unified Threat Management (UTM). Retrieved from http://www.watchguard.com/wgrd-products/utm/overview