IIS_Project_Proposal_Final

BUSINESS PROPOSAL
INTELLIGENT IMAGING SOLUTIONS
Jorge Sanchez
Justin Baughman
Amie Tidwell
Bruce Boydston
TABLE OF CONTENTS
1. EXECUTIVE SUMMARY
1.1. Project Overview
1.2. Project Description
1.3. Alternatives Considered
1.4. Recommended Solution
1.5. Risks
2. PROJECT ORGANIZATION AND EXECUTION
3. PROJECT DESCRIPTION
3.1. Project Background and Opportunity
3.2. Business Needs
3.3. Project Objectives
3.4. Organizational Benefits
3.5. Project Scope
3.6. Out of Scope
4. SOLUTION DESCRIPTION
4.1. WAN Solution
4.2. VoIP Solution
4.3. Security Solution
4.4. Remote Access Solution
4.5. LAN and WAN Topology and Cost Analysis
Facility LAN Overview
Prototype Manufacturing Department
Warehouse
Call Center
Information Technology Department
Other Departments
Common access areas
Appendix A
6. APPROVALS
7. REFERENCES
1. EXECUTIVE SUMMARY
Intelligent Imaging Solutions (IIS) is a public corporation headquartered in Dallas, Texas. Its commercial division competes globally with its consumer navigation system. IIS was the first to integrate geographic information systems (GIS) and real-time imagery data with proprietary algorithms to create the "Thinking Navigator" (TN) product line. The TN-1 model has achieved market dominance in the two years since its introduction. In addition to its commercial division, IIS has a defense division in Fairfax, Virginia. The defense division works with a team from the Military Security Agency (MSA) and other defense contractors to design and produce highly sophisticated algorithms and models.
IIS currently has 2,334 full-time employees worldwide, with buildings in Dallas, Shanghai, London and Fairfax. The Dallas location has 1,103 employees in total: three separate office buildings with 785 employees, a warehouse and prototype manufacturing facility with 285 employees, and multiple at-home sales offices with 33 employees. This branch also has a call center, which is currently outsourced. The Fairfax, Virginia branch employs a total of 225 people. This branch consists of one branch office with 217 employees and an at-home sales office with eight employees. Shanghai, China employs a total of 846 people. This branch consists of a branch office with 352 employees, a manufacturing facility with 486 employees and a home sales office with eight employees. Lastly, the London, UK branch employs a total of 160 people. This branch consists of 96 branch office employees, a warehouse facility with 36 employees, 28 at-home sales employees and a currently outsourced call center.
IIS wants to build a new headquarters in Dallas, Texas. This new facility will relocate and consolidate the prototype manufacturing facility, the warehouse and all three office buildings currently located in Dallas into one main headquarters.
1.1. Project Overview
IIS has tasked JJAB Technology Solutions with designing a new corporate headquarters that will be located in Dallas, Texas. The purpose of the new corporate headquarters is to relocate and consolidate the prototype manufacturing facility, the warehouse and all three office buildings currently located in Dallas into one main headquarters. A new network infrastructure will need to be put in place using current technologies. A main concern of IIS is to future-proof its new network as much as possible. The defense division's concerns about network security will also need to be taken into consideration. IIS management would also like employees to be able to access corporate resources using multiple access methods, i.e. from the company LAN, from home, and while traveling. IIS also needs a common communication infrastructure for all corporate facilities to the extent possible.
1.2. Project Description
This project will provide IIS with a global network infrastructure that will put the company in a better position to keep its strategic advantage. The new network infrastructure will consolidate three buildings in the Dallas area and provide the new building with a state-of-the-art LAN. The global network infrastructure will provide high data bandwidth, availability and performance. A state-of-the-art remote access solution that allows easy connectivity between home offices, mobile workers and the enterprise network will form part of this project. To satisfy IIS’s telecommunication needs, a modern VoIP solution that supports both hard and soft phones will be implemented, allowing IIS to incorporate voice service with data applications to create a converged network. Security will be provided by a combination of intrusion detection systems and firewalls, using the added security offered by DMZs.
1.3. Alternatives Considered
Our team identified a wide variety of solutions that would satisfy IIS’s requirements. All possible solutions
were analyzed taking into consideration the technical, financial and operational requirements of our client. In
addition to our recommended solution, an all Cisco solution was considered. The Cisco solution satisfied all
technical and operational requirements of our client. However, this solution was considerably more expensive
than our recommended solution. Although an all Cisco solution would reduce the risks associated with multi-vendor incompatibility issues, this was not deemed beneficial when considering the costs.
1.4. Recommended Solution
The recommended solution will connect all four corporate buildings, creating a global enterprise network that will provide a high degree of performance, security and integration. IIS will possess the infrastructure needed to give all its employees access to network resources and data from the global network.
To achieve a low-cost, high-quality voice communication solution, a hybrid VoIP solution of Bria and Cisco hardware will be implemented. This solution will utilize a mix of IP phones and soft phones, while using the power and versatility of Cisco Unified Communications Manager. A robust and secure SSL VPN solution using Barracuda VPN gateways is recommended to provide remote access services that connect home offices and mobile users to IIS’s global network. This VPN solution takes advantage of the high level of security offered by SSL VPNs, their relatively low cost, and the simplicity of their implementation. To boost the security of VPN connections, an authentication token system powered by RSA SecurID is recommended as an extra layer of security. IIS requires a state-of-the-art security solution capable of repelling the most sophisticated attacks. To achieve a highly secure environment, our team recommends a Cisco-Tripwire solution that will implement a DMZ infrastructure with a combination of hardware-based firewalls and software-based intrusion detection systems.
1.5. Risks
The complexity and scope of this project are factors that increase the risks associated with it. From a financial perspective, the main risk is going over budget. IIS has established a $2,000,000 budget that must cover all hardware, configuration, support, operation and service expenses associated with this project over a 3 year period. IIS greatly depends on the success of this project, which is seen as a great opportunity to increase productivity, reduce costs and increase profits. In addition to the financial risks, there is the possibility of not meeting the set completion time of the project. Any delays will add extra expenses that can greatly affect the financial viability of this project. Expenses associated with delays are not limited to labor costs alone. Project completion delays can also create financial problems associated with loss of productivity, which in turn can tarnish IIS’s reputation in a highly competitive market that requires a high degree of service availability, quality and integrity.
This project is based on the deployment of multi-vendor solutions selected through rigorous financial and performance scrutiny. Although this solution has been selected as the best balance of performance, security and cost, deploying a multi-vendor solution raises the possibility of compatibility issues. Incompatibility issues might not arise at the time of installation, but can appear during operational phases when hardware is updated or upgraded. Any compatibility issues, although improbable, can lead to severe problems if present.
The ever-present problem of unforeseen events also increases the risks of delays and over-budget issues; this is a problem that can’t be eliminated. In order to minimize the impact of unforeseen events such as natural disasters, it is necessary to create a contingency plan that will help us reduce the negative effects of catastrophic events.
2. PROJECT ORGANIZATION AND EXECUTION
JJAB Technology Solutions will team up with IIS project stakeholders to determine the business and technological needs of IIS. Our network engineers, project managers and network technicians will work along with IIS managerial staff, network administrators and project managers to ensure that this project is completed in a timely manner, within IIS budget requirements, and based on financial, strategic and technical needs. In order to ensure a successful project completion, appropriate communication channels and protocols must be established to guarantee effective transfer of information between JJAB and IIS personnel.
Planning Stage
During the planning stage, JJAB personnel will help IIS determine its technical needs and financial
requirements. To achieve this, our personnel will analyze IIS’s current network utilization, and forecasted
network requirements. This will provide our personnel with concrete data that will help us determine the
appropriate solution. Once concrete data is obtained the planning stage of the project will commence.
Execution Stage
Once a network solution has been identified and approved by both JJAB and IIS, our team will start the physical
installation of the network. JJAB has identified the network installation at the new Dallas building as the longest
project task, therefore the installation of the network at this site must be finished before we connect all four
global sites with the new WAN infrastructure. Once the network installation is completed at the new Dallas site,
the new leased T1 lines will be connected to each site. Once the new Dallas local network and the new WAN
infrastructure are operational, the old sites and WAN infrastructure will be shut down. This will reduce cutover
impact on IIS’s operations, enabling a fully functional network.
Training
Our network solution will include training for IIS’s employees, including device configuration and network maintenance. JJAB personnel will provide training during the network installation task, ensuring training completion before project delivery. Our staff will also provide network security training to educate users about safe network and web utilization practices.
Project Conditions
This proposal outlines JJAB’s possible solution for IIS, based on telecommunication and financial requirements
provided by IIS. This proposal doesn’t imply an obligation between JJAB and IIS that would bind both parties
to the completion of any project. The information furnished in this document only provides how a possible
agreement between IIS and JJAB would be executed. Once a deal is signed between both parties, they will be
bound to fulfill all agreements as long as they are within the project’s scope.
JJAB Team Description
The following individuals comprise the business case analysis team. They are responsible for the analysis and
creation of the IIS Project business case.
| Role | Description | Name/Title |
|---|---|---|
| Project Manager | WAN/Remote Access | Jorge Sanchez |
| Project Manager | VoIP/Project Scope | Justin Baughman |
| Project Manager | Security/Cost Benefit Analysis | Amie Tidwell |
| Project Manager | Building Layout/WAN | Bruce Boydston |
3. PROJECT DESCRIPTION
3.1. Project Background and Opportunity
Intelligent Imaging Solutions (IIS) competes in the global market for consumer-oriented navigation systems (GPS) and in the military defense industry. A new headquarters building is to be constructed that will consolidate the three current buildings, warehouse and prototype manufacturing facility. It is a three-floor building with 150,000 square feet of space. This building will contain, in addition to staff, the IIS computer and communication center, a manufacturing facility and the warehouse. IIS will consolidate all Dallas employees and facilities into its new corporate headquarters, and existing Dallas offices will be closed. The infrastructure from the facilities being closed will be brought to and implemented in the new facility. Additions will need to be made and some technologies modified in order to future-proof the system. Other locations include Fairfax, Shanghai, and London. These buildings will be maintained in their current locations, but it is possible that their networking and communications infrastructure will require upgrading to properly communicate with the Dallas HQ.
3.2. Business Needs
As technology progresses at such a rapid pace, IIS would like to future-proof this new installation as much as possible. The goal is to ensure that the level of service availability delivered in all services matches or exceeds the current and future needs of the business, in a cost-effective manner. The current business needs of IIS include: a completely designed building and infrastructure, remote users having the ability to access corporate resources, a common communication infrastructure for all locations, and a future-proof HQ.
3.3. Project Objectives
In order to achieve its strategic goals, Intelligent Imaging Solutions (IIS) is redesigning its telecommunication and network infrastructure. IIS is asking JJAB Technology Solutions to design a 150,000 sq. foot, three-floor corporate headquarters with a secure, functional, extensible and future-proof network. This will consolidate the currently dispersed offices in Dallas into one functional building. The timeframe for completion is eight weeks and IIS has an approved $2 million budget for a successful completion. The upgraded network infrastructure would need to be able to keep pace with a complex, growing global business that needs to stay at the forefront of technology innovation. The areas to improve will be scalability, speed, reliability, security and manageability.
3.4. Organizational Benefits
Tangible benefits for the organization:
• Increased services/customers
• End user productivity gains
• Saves time, faster information
• Savings from optimized information
• Reduced errors
• Cost avoidance – reductions of operating costs in the future
• Cost saving
• Improvement of product quality
• Scalable and flexible
• Puts users in control of their data
Intangible benefits to the organization:
• Better customer and staff satisfaction
• Increased knowledge of technologies, resulting in improved staff efficiency
• Improved efficiency
• Enhanced ability for the customer to meet their business goals
• Faster adoption of technology
• Improved quality of information and decision-support capabilities
• Improved staff morale
• Improved communications
• Communications improvements
• Work flow changes
• Improved decision making
• Empowered users
• Improved quality of life at work
• Improved productivity
3.5. Project Scope
Project Objective
To redesign the network infrastructure for Intelligent Imaging Solutions and consolidate the Dallas operation
into one corporate headquarters with a common communication infrastructure within one year at a cost not to
exceed $2,000,000.
Deliverables
• Common Communication Infrastructure
• Remote Access between headquarters and branch sites
• Future Proof/extensible facility
• Secure connections and facilities
• Functional layout of facilities
Milestones
1. Work approved - March 25
2. Design completed - May 1
3. Wiring completed - July 1
4. Infrastructure completed - September 1
5. Systems configured - December 1
6. Final testing - March 1
Technical Requirements
1. Fiber backbone.
2. Secure VPNs.
3. All equipment must be compatible.
4. Applications that transmit sensitive information, including passwords, over the network must encrypt the data to protect it from being intercepted.
5. Applications must run on all currently supported desktop configurations.
6. Server software must support one of the standard server platforms.
7. IT teams need to follow the IT development guidelines for internally developed and purchased vendor products.
8. RSA SecurID must be implemented for the Fairfax defense division.
9. An appropriate amount of bandwidth must be configured.
Limits and Exclusions
1. The building and infrastructure will be built to the specifications and design of the original blueprint and network diagram provided by the customer.
2. Contractor responsible for subcontracted work.
3. Contractor reserves the right to contract out services.
4. Work on site limited to Monday through Friday, 8:00 A.M. to 5:00 P.M. unless contractor designates otherwise.
Customer Review
Intelligent Imaging Solutions
3.6. Out of Scope
• Building construction
• Moving equipment from old facilities to new facility
• Hiring other contractors other than ones approved by JJAB
• EPA Regulations
• Additional Resources
• Permit Appeal Process
• Mandated Public Participation Requirements
• Permits Involving Enforcement Action
• Public Hearing Process/Officer
4. SOLUTION DESCRIPTION
4.1. WAN Solution
We have determined that in order to connect all international sites, the best solution is the utilization of private leased lines using MPLS technology. The benefits of using private leased lines include higher security and guaranteed bandwidth. Three leased T1 lines will be connected to the Dallas headquarters building in a star topology, providing a permanent connection between all sites. This solution will use Cisco 2811 Routers as main gateways, which are designed to support T1 data bandwidths and support up to E1 speeds. The 2811 Routers will integrate without problems into current and future security infrastructure and systems, thus fulfilling the security requirements set by IIS. The utilization of leased lines will also add extra security to IIS’s network, since data will not travel through insecure paths on the Internet to reach its destination. This solution will use MPLS technology to provide connectivity between all sites. MPLS is a powerful technology that allows the utilization of a multi-protocol environment, supports QoS (quality of service), FRR (Fast Reroute) and MPLS VPNs, and allows flexibility when designing traffic paths (Teare, 2008). MPLS also provides a fast network response environment with low latency, making it ideal for VoIP and other time-sensitive applications. This solution will have a price tag of $153,450, including hardware, set up fees and monthly leased line prices for three years.
4.2. VoIP Solution
For the common communications infrastructure, JJAB chose VoIP technology using hard IP phones and soft phones. VoIP can benefit IIS because it is much cheaper than a traditional communication system. VoIP sends and receives communications over the Internet instead of physical phone lines, so its costs are very low compared to traditional communication over the copper-wire phone network (Smart VoIP guide (n.d). Retrieved from http://www.smart-voipsolution.com/business-voip-solution.html/). That savings in costs will be passed on to IIS. The great savings in costs is the reason that large corporations and small businesses all over the world are transferring their business communication systems over to VoIP. There are three major ways to use VoIP. An analog telephone adaptor (ATA) could be connected to the LAN for use with a touch-tone telephone. An IP telephone could be connected directly into the LAN without the need for an ATA. Lastly, one could make use of the microphone and speakers on a computer connected to the LAN.
Analog Telephone Adaptor
This method is the most common with the major VoIP service providers. An ATA needs to be connected somewhere within the customer's LAN. This required piece of hardware is an analog-to-digital converter. A touch-tone telephone will also need to be connected to the ATA device. For the customer to continue using a touch-tone telephone, the analog signal from the telephone will need to be converted into a digital signal. The digital signal can then be transmitted anywhere over the Internet.
IP Telephone
IP telephones are able to connect directly into a LAN via Ethernet connection. These telephones are designed
to convert analog to digital themselves. Think of them like a touch-tone telephone and an ATA combined into
one device. Just like every other network device, every IP phone connected to the network will have its own IP
address.
Computer microphone and speakers
The majority of computers these days are equipped with a microphone and speakers. This will be implemented
in our call center solutions. We will buy a headset to plug into the computer for a small price. There are many
software companies offering VoIP applications that make use of the computer’s ability to input and output
sound and we will make use of the Bria software. This way, the analog to digital conversion is handled by the
computer.
Hardware/Software
Before one is able to make use of a VoIP service, there needs to be a few other things in place. First off would
be to have some type of broadband Ethernet connection. VoIP could work with a dialup internet connection,
but really, what would be the point? Depending on where the customer lives, there are three common
broadband services to choose from, DSL, Cable, and Satellite. Either DSL or Cable services are offered in most
cities and suburbs these days, but if the customer lives in the country, satellite might be the only option. Any of
the three types of services will provide the customer with an IP address which is required to communicate using
VoIP.
Elements of an IP phone
1. Hardware
2. DNS client
3. DHCP client
4. Signaling stack (SIP, H323)
5. RTP Stack
6. Codecs (audio codecs such as G.711, G.729, G.722, etc.; video codecs such as H.263, H.263+ and H.264)
7. User interface
For wireless IP phones
1. Battery
2. Wireless network interface controller
VoIP Protocols
In addition to packet transmission, there are several VoIP protocols which allow packets to flow between
communicating devices. There must be an agreed upon payload format for the contents of the VoIP packets.
The majority of VoIP systems use Real-time Transport Protocol (RTP) to transmit VoIP traffic. RTP ensures
consistent delivery order of voice data packets in an IP network. The services provided by RTP include:
• Payload-type Identification
• Sequence Numbering
• Time Stamping
• Delivery Monitoring
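The RTP services listed above, seen from the receiving side: this is an added example, not part of the original proposal, that parses the RTP header (RFC 3550) and uses the payload type, sequence number and SSRC for delivery monitoring. The sample stream, the helper names and the choice to count SSRC changes are assumptions made for illustration.

```python
import struct
from collections import deque
from dataclasses import dataclass

# Static payload types (RFC 3551) for codecs this page names.
STATIC_PAYLOAD_TYPES = {0: "G.711u", 4: "G.723.1", 8: "G.711a", 9: "G.722", 18: "G.729"}


@dataclass
class RtpHeader:
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int
    payload_offset: int  # index of the first payload byte


def parse_rtp_header(packet: bytes) -> RtpHeader:
    """Parse the fixed RTP header and skip the CSRC list and any extension."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)          # CSRC list: 4 bytes per entry
    if b0 & 0x10:                          # X bit: one header extension follows
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        (ext_words,) = struct.unpack("!H", packet[offset + 2:offset + 4])
        offset += 4 + 4 * ext_words
    if len(packet) < offset:
        raise ValueError("header longer than packet")
    return RtpHeader(bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc, offset)


def seq_delta(new: int, last: int) -> int:
    """Signed distance from last to new on the 16-bit sequence circle."""
    return ((new - last + 0x8000) & 0xFFFF) - 0x8000


def monitor_stream(packets) -> dict:
    """Count loss, reordering, duplicates and SSRC changes for one RTP flow."""
    r = {"received": 0, "lost": 0, "reordered": 0, "duplicates": 0,
         "ssrc_changes": 0, "malformed": 0, "codecs": set()}
    ssrc = highest = None
    recent = deque(maxlen=256)  # bounded so a wrapped number is not a "duplicate"
    for raw in packets:
        try:
            h = parse_rtp_header(raw)
        except ValueError:
            r["malformed"] += 1
            continue
        r["received"] += 1
        r["codecs"].add(STATIC_PAYLOAD_TYPES.get(h.payload_type, f"PT {h.payload_type}"))
        if h.ssrc != ssrc:                 # first packet, or a different sender
            if ssrc is not None:
                r["ssrc_changes"] += 1
            ssrc, highest = h.ssrc, h.sequence
            recent.clear()
            recent.append(h.sequence)
            continue
        if h.sequence in recent:
            r["duplicates"] += 1
            continue
        recent.append(h.sequence)
        d = seq_delta(h.sequence, highest)
        if d > 0:
            r["lost"] += d - 1             # every skipped number is a presumed loss
            highest = h.sequence
        else:
            r["reordered"] += 1            # late arrival fills a gap counted earlier
            r["lost"] = max(0, r["lost"] - 1)
    r["codecs"] = sorted(r["codecs"])
    return r


def build_packet(seq: int, ssrc: int, payload_type: int = 0) -> bytes:
    """Constructed sample packet: 20 ms of G.711-sized payload (160 bytes)."""
    ts = (seq * 160) & 0xFFFFFFFF
    return struct.pack("!BBHII", 0x80, payload_type, seq, ts, ssrc) + bytes(160)


def sample_stream():
    """Constructed stream: wraparound, one late packet, one duplicate, one loss."""
    seqs = [65533, 65534, 65535, 0, 1, 3, 2, 3, 4, 6]
    stream = [build_packet(s, 0x1111AAAA) for s in seqs]
    stream.append(build_packet(100, 0x2222BBBB, payload_type=18))  # other sender
    stream.append(b"\x80\x00\x00\x01")                             # truncated
    return stream


if __name__ == "__main__":
    print(monitor_stream(sample_stream()))
```

An SSRC change in the middle of a call is worth surfacing in monitoring because it means the media is now coming from a different synchronization source than the one the call started with.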
The most widely used signaling VoIP protocol is H.323. H.323 was originally created for local area networks
(LANs) but has rapidly evolved to address VoIP networks. H.323 provides specifications for real-time,
interactive videoconferencing, data sharing and audio applications such as IP telephony. Session Initiation
Protocol (SIP) is an alternative to H.323 developed specifically for IP telephony. SIP is smaller and more
efficient than H.323, and it takes advantage of existing protocols to handle certain parts of the process.
Codecs
A codec (coder/decoder) handles the conversion of analog signals to digital form, and back again. VoIP systems may use any of a wide variety of codecs for voice, video, or both. In VoIP, the codec used is often referred to as the encoding method or the payload type for the RTP packet. Codec designers seek to optimize among three primary factors: the speed of the encoding/decoding operations, the quality and fidelity of the sound and/or video signal, and the size of the resulting encoded data stream. Note that the Data Rate column in Table 1.1 refers to the compressed data, while the Bandwidth column describes the uncompressed audio data equivalent delivered by the codec (VoIP (n.d). Retrieved from http://www.wildpackets.com/resources/compendium/voip#wp1014365/).
Table 1.1

| Codec | Data Rate | Packetization Delay | Bandwidth |
|---|---|---|---|
| G.711u | 64.0 Kbps | 1.0 msec | 87.2 kbps |
| G.711a | 64.0 Kbps | 1.0 msec | 187.2 kbps |
| G.726 | 32.0 Kbps | 1.0 msec | 55.2 kbps |
| G.729 | 8.0 Kbps | 25.0 msec | 31.2 kbps |
| G.723.1 MP-MLQ | 6.3 Kbps | 67.5 msec | 21.9 kbps |
| G.723.1 ACELP | 5.3 Kbps | 67.5 msec | 20.8 kbps |

* From "Taking Charge of Your VoIP Project," Cisco Press 2004
Advantages of VoIP Solutions
• With VoIP a business is able to use an integrated voice and data network at a lower cost than the separate parts. In other words, all of your communication needs are met in a single package and at a lower cost.
• With a VoIP system even a small business has the same capability in communication as a large company.
• A single VoIP phone connection can have a number of extensions when needed without any extra expenditure.
• When a business expands its presence in other locations by opening branches, it can establish its presence by using virtual numbers. This saves on the cost of creating additional physical infrastructure. Moreover, the business location can be changed without changing the existing phone numbers which have already been given to employees, suppliers and contacts.
• Use of a VoIP solution gives a business the ability to enhance the productivity of its employees. No matter where an employee is located, he can interact with the business office quickly, and this rapid interaction leads to increased productivity of the business.
• With a VoIP system the business can have advanced VoIP features which are not possible with conventional phone systems. (Smart VoIP guide (n.d). Retrieved from http://www.smart-voipsolution.com/business-voip-solution.html/)
Here are the proposed numbers and costs of what it will take to implement this type of solution. The soft phones will be used only in the call centers, in both the Dallas and London locations. Bria 3 is a carrier-grade next generation soft phone application that enables you to manage your communications easily and efficiently – all from your computer desktop. Replacing or complementing your hard phone, the Bria soft phone allows you to make VoIP and video calls over IP, see when your contacts are available, send instant messages and transfer files with ease and efficiency.
Call Center
The new Call Center will utilize the Bria software for its daily operations. Bria is built on SIP and open standards, and is proven interoperable with many of the industry’s standard platforms and devices. It now also includes features specifically designed for business and enterprise users and can be deployed within an enterprise environment either by manual configuration via the soft phone Graphical User Interface (GUI) or by using a provisioning server (CounterPath (n.d.). Retrieved from http://www.counterpath.com/bria.html). There are a total of 40 call center employees, split into three shifts covering 24 hours a day, 7 days a week, with seven employees during first and second shift and 6 for third shift. We will order 50 headsets for the better pricing, at a cost of $45.00 for all 50. The subscription for the Bria software is $16 a month, which will have a yearly cost of $192.
Warehouse
The warehouse will utilize wireless access points and a system known as VoWiFi. VoWiFi, or Voice over Wireless Fidelity, phones operate like cell phones, only they use VoIP technology and are wireless, operating in various hotspots. VoWiFi phones are very inexpensive to use. It is much cheaper to send audio as data packets over the Internet and it uses considerably less bandwidth. This is a reason why VoIP technology is gaining in strength and momentum.
There is no need to worry about losing connection while using a VoWiFi phone in the warehouse either.
VoWiFi phones connect to wireless access points. As a user moves around the building, the phone will change
connections from one AP to another, a process known as roaming.
The benefits of VoWiFi include:
• Reduced mobile cellular minutes
• Improved productivity
• Decreased installation and maintenance cost
• Better separation of personal and work calls
• Increased coverage area
(Wireless Solutions (n.d.). Retrieved from http://www.xirrus.com/cdn/pdf/Xirrus_VoWiFi_SB_100511).
VoIP System
The hard phones take advantage of Cisco and its call manager to control and route calls and manage the VoIP
system. With Cisco Unified Communications Manager, you get an enterprise-class IP communications
processing system for up to 40,000 users and even 80,000 users with a "mega cluster." In addition to traditional
telephony features, it provides advanced capabilities, such as video, mobility, presence, preference, and
full-featured conferencing services.
This powerful call processing solution can help:
• Extend video capabilities to your employees through a single, unified communications infrastructure from
the desktop to TelePresence rooms.
• Simplify voice systems with unified communications to cut costs and dramatically streamline provisioning
and maintenance.
• Build productivity with comprehensive unified communications to help workers communicate and work
more effectively.
• Enable mobility with embedded unified mobility software capabilities to keep workers productive wherever
they are, with any content type, on any device, providing a rich and consistent experience.
• Improve collaboration: Click to begin an IM session, initiate a phone call, or easily start a videoconferencing call.
• Improve flexibility with a choice of deployment models: public cloud, private cloud, on-premises, remote,
or hybrid.
Cisco Unified Communications Manager creates a unified workspace that supports a full range of
communications features and applications. This solution is highly:
• Scalable: Support up to 40,000 users with each Cisco Unified Communications Manager cluster.
• Distributable: Get scalability, redundancy, and load balancing.
• Available: Maintain business continuity and collaboration with a high-availability foundation for server
redundancy. (Cisco Systems Inc. (n.d.). Retrieved from
http://www.cisco.com/en/US/products/sw/voicesw/ps556/index.html)
The hard phone solution requires 300 IP Phone 6900 Series, 6941 Unified IP Phone units for management
purposes in all locations, bringing the cost of the IP hard phones to $45,000 to replace all
phones. This is a one-time cost which will bring the company closer to a unified communications infrastructure.
The call manager will be able to handle all the calls easily.
Total solution Cost
The total cost of the VoIP and VoWiFi system which includes the hardware, software, phones, servers and
training will run $74,350 for the initial installation. After that the only costs that will be incurred are the
maintenance of the system and replacement phones if needed.
4.3. Security Solution
The recommended security solution is to incorporate a host-based Intrusion Detection and Prevention
System together with Cisco firewalls. Additionally, we recommend implementing OpenNMS
as the network management system. With host-based systems, the programs are installed directly on the server
instead of being placed on a switch or a router. A major benefit of using a host-based system is
the ability to “perform intrusion detection in a network where traffic is usually encrypted” (Holden, 2004).
Another benefit of using a host-based IDS is that it requires no additional hardware. The IDS we
chose is software called Tripwire.
Benefits of using Tripwire
• Intelligence: Allows for the prioritizing of data and risks. Once prioritized, Tripwire will organize the data
and assess risks.
• Hardening: “It minimizes network security vulnerabilities, reduces the attack surface, and helps your
organization avoid becoming a victim of zero-day exploits and attacks.” (Tripwire.com)
• Continuous monitoring: Continuous monitoring allows for someone to detect threats and areas that are
vulnerable to attacks.
• Incident detection: Incident detection notifies the user if there was an intrusion, if there is a
misconfiguration of security files, or there were errors made by contractors or employees.
• Operationalize security: Allows IIS to automate and configure the security to meet IIS needs.
• Forensics: It allows for IIS to see how the hackers entered the network. Also it allows for IIS to conduct
investigations and track exploits and vulnerabilities.
However, to help reduce the risk of port attacks, the plan is to set up a dual firewall DMZ. The job of a
firewall is to act like a security guard: it only lets traffic in and out based on the access lists. A dual firewall
DMZ consists of a firewall on the outer edge and one attached to the inner part of the LAN attached to a router.
Inside the DMZ we plan to place several servers, such as the email, FTP, and web servers. There are several
benefits to implementing a dual firewall DMZ. Two firewalls in a DMZ add layers of security, block any outside
traffic from gaining access to the interior network, can relegate visitors to a certain part of the network,
leave no single points of failure, and ensure data integrity.
Host-based IDS risks
• The only drawback is that it is susceptible to port scanning and port-based attacks.
Risks of Dual firewall DMZ
• Added cost of extra equipment
• More to go wrong if we have network troubles
• Network may need to be redesigned
• Routing tables must be defined
OpenNMS is a network management system. The job of a network management system is to act as a
regulating body for the network, and it helps control the network flow. Some of the key functions OpenNMS
provides are polling, collecting performance data and event notification. This is beneficial to IIS because it
helps detect where the network is the most congested. It then alerts the Network System Administrators to
possible issues contained on the network and allows for them to fix the issues.
Benefits of using OpenNMS
• Near perfect up time
• Ability to monitor many devices
• Open source
• No licensing fees
• Able to bend and twist application to fit the needs of the company.
• Linux based
Risks of using OpenNMS
• Support and training is not included
To address the risks of implementing OpenNMS, JJAB is fully prepared to offer the training and support
needed to keep IIS’s network operating fully. JJAB has trained consultants who will travel to IIS and train the
employees. Additionally, JJAB offers refresher courses to keep IIS employees up to date. By choosing JJAB,
IIS would receive their own training and support consultant. Also, JJAB technicians will come to IIS and install
and configure the management system.
Cost benefit analysis
Column headings: Type, Type 2, Initial cost, Year 1, Year 2, Year 3, Total
Type / Type 2 entries: Network; Network; Network; Network; Hardware / Software; Line Costs; Maintenance
Contracts; Training; Web / On Site Support; Equipment Investment; Labor; Labor for existing Build; Licences;
Licences
Amounts:
$6,600.00    $6,600.00    $6,600.00    $6,600.00    $26,400.00
$30,000.00   $30,000.00   $30,000.00   $90,000.00
$29,995.00   $29,995.00   $29,995.00   $89,985.00
$48,377.29   $48,377.29
$1,984.00    $1,984.00
$15,960.00   $15,960.00   $15,960.00   $15,960.00
$64,674.99
4.4. Remote Access Solution
This project requires the creation of a reliable, secure and highly available remote access solution. IIS requires a
solution that can connect remote home offices and users regardless of their location, while allowing them to
access corporate resources that are normally available on-site. IIS also requires an easy to use solution that is
fast and provides a high degree of data integrity and security. Based on IIS’s requirements an SSL VPN solution
has been identified as the most balanced solution that incorporates ease of use, security, and a wide variety of
network access features. SSL VPN technology will allow IIS employees to connect to the corporate network
from any web enabled device with an active internet connection, without the need of specialized network
devices or installation of software on the host device.
This VPN solution will allow seamless connection to corporate resources with any device connected to the
internet, providing IIS’s employees the ability to connect with any device using a supported web browser.
IIS requires connectivity for remote users and home offices close to its corporate buildings located in Dallas,
London, Fairfax and Shanghai. This will require the creation of a network infrastructure that can support SSL
VPN access at each location. To achieve this, SSL VPN Gateways will be installed at each location,
providing each branch with an in-house solution that can easily be managed and serviced. Placing an SSL VPN
appliance at each corporate site will also decrease the distance between users and VPN gateways, providing
a high quality connection.
VPN Appliance Overview
Our proposed solution will employ a Barracuda SSL VPN 680 appliance at each site. The appliance will be
placed in the DMZ of each corporate site network infrastructure. The Barracuda SSL VPN 680 provides
highly secured VPN sessions using an SSL tunnel over the internet to connect remote users and offices to
corporate intranets, web based applications, databases, remote desktop access and SSH sessions.
Additionally, administrative features allow the creation of user control settings based on user’s privileges
with a high degree of granularity. The Barracuda 680 also provides extra protection with its built in virus
scanning service, which scans downloaded files in all VPN sessions for virus infections.
Barracuda 680 Features
• Supports up to 500 concurrent users.
• Small form factor, lightweight appliance that is easy to mount on racks.
• Supports Gigabit Ethernet.
• Supports access to network files and Windows Explorer Mapped Drives.
• Supports a wide variety of web apps.
• Built in antivirus service.
• Easy integration with Active Directory and LDAP.
• Supports RADIUS Authentication.
SSL Installation and Configuration
The versatile Barracuda 680 VPN appliance has minimal installation requirements, and can be easily
deployed on virtually any network set up. Installation can be done without interrupting normal network
services and is done in minutes. Installing a VPN appliance in each location can be done without incurring
high expenses while ensuring normal network operation.
The initial configuration of the appliance is done through a web interface, which simplifies the process and
ensures ease of configuration in the future. Administration of the device can be achieved using both remote
and local access. In local access mode, administrators can physically connect a terminal to the device in order
to change settings, or can remotely configure the device using a web browser.
This solution will also allow seamless integration with current Active Directory implementations, which
provides a straightforward solution that can be administered without the need of expensive training of
existing personnel.
Benefits
Placing VPN gateways in each corporate site will provide employees with the ability to connect to the
corporate network from any internet connected device. This capability will allow employees to work from
home or another location without physically being in the corporate building. IIS will have the option of having a
large portion of its employees working from home, increasing the potential of higher productivity and the
reduction of costs associated with office operations. Providing total remote access of network resources can
provide road warriors with the needed tools to perform their tasks efficiently while away from the office,
allowing them to provide a better service to customers. Business partners and suppliers can also benefit from
this SSL VPN solution, allowing them to access resources based on particular access privileges, in a secure
high performance environment.
Security
Barracuda SSL VPN gateways provide a wide variety of security services that ensure data integrity and
security, while allowing access to corporate network resources. Network administrators will have a wide
variety of tools to assign resource access based on users or groups, all through an easy to use web interface.
Additionally, all VPN connections will have secure communication tunnels using a wide variety of network
protocols, and data encryption using symmetric or asymmetric key algorithms. This will provide the high level
of security required by IIS. Barracuda VPN gateways can also be integrated with other security and
authentication systems, giving IIS a wide variety of options. In addition to native security features offered by
Barracuda VPN gateways, the utilization of authentication tokens will be added to increase security. RSA
SecurID Authenticators combined with security features offered by the Barracuda SSL VPN 680 gateway
will create a very strong security system that will ensure that only authorized users have access to corporate
network resources. RSA SecurID tokens provide a two factor authentication method, where any authorized
users will be required to enter their own authentication credentials combined with a unique pin that is
generated by the SecurID Token. The authentication tokens generate a new pin every 60 seconds,
reducing the danger of unauthorized users guessing the pin. This scheme will provide extra security by
requiring both user authentication information and possession of the authentication token. An authentication
server running RSA SecurID software will be in constant synchronization with each token using encrypted
communications, thus ensuring that pins are not used by potential intruders. The RSA SecurID solution will require
the deployment of a SecurID Appliance at the Dallas Headquarters site, where it will be able to synchronize
with the SecurID Tokens.
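The two-factor check described above (user credentials plus a token pin that changes every 60 seconds), as an added example that is not RSA's or Barracuda's code: it substitutes the open RFC 6238 time-based scheme for SecurID's own algorithm and assumes token and server share a seed and a clock. The six-digit length, one-step drift window, `AuthServer` class and sample seed are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60        # from the proposal: a new token pin every 60 seconds
DIGITS = 6               # assumption: six-digit pins
DRIFT_STEPS = 1          # assumption: tolerate one step of clock drift either way
PBKDF2_ROUNDS = 100_000


def token_code(seed: bytes, counter: int) -> str:
    """Pin shown by the token for one time step (HOTP truncation, RFC 4226)."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AuthServer:
    """Hypothetical authentication server: one seed and password hash per user."""

    def __init__(self):
        self._users = {}

    def enroll(self, user: str, password: str, seed: bytes, salt: bytes) -> None:
        self._users[user] = {
            "seed": seed,
            "salt": salt,
            "password_hash": _hash_password(password, salt),
            "last_step": -1,   # highest time step already accepted
        }

    def verify(self, user: str, password: str, code: str, now: float) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        # Factor 1: something the user knows.
        password_ok = hmac.compare_digest(
            _hash_password(password, rec["salt"]), rec["password_hash"])
        # Factor 2: something the user holds. Every step in the drift window
        # is checked, each with a constant-time comparison.
        current = int(now) // STEP_SECONDS
        matched = None
        for step in range(max(0, current - DRIFT_STEPS), current + DRIFT_STEPS + 1):
            expected = token_code(rec["seed"], step).encode()
            if hmac.compare_digest(expected, code.encode()):
                matched = step
        # Both factors are evaluated before deciding, so the result does not
        # reveal which one failed.
        if not password_ok or matched is None:
            return False
        # A pin is good once: reject anything at or before the last accepted step.
        if matched <= rec["last_step"]:
            return False
        rec["last_step"] = matched
        return True


def demo():
    """Constructed scenario; the seed is the RFC 4226 test key, not a real token."""
    seed = b"12345678901234567890"
    server = AuthServer()
    server.enroll("alice", "correct horse", seed, salt=b"constructed-salt")
    code = token_code(seed, 125 // STEP_SECONDS)   # token display at t = 125 s
    return {
        "valid_login": server.verify("alice", "correct horse", code, now=125),
        "replayed_code": server.verify("alice", "correct horse", code, now=130),
        "stale_code": server.verify("alice", "correct horse", token_code(seed, 0), now=300),
        "wrong_password": server.verify("alice", "guess", token_code(seed, 5), now=300),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the first login in the constructed scenario is accepted; the replayed pin, the pin from an expired time step and the correct pin with a wrong password are all rejected.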
Costs
Deploying this Barracuda based VPN solution will require 4 appliances at a cost of $8,549.00 each.
Additionally, each device must be accompanied by a 3 Year Barracuda Energize Update license priced at
$5,794 each. These updates will provide each appliance with updated security features and virus definitions.
The installation and configuration of each appliance takes approximately 2 hours at a price of $100 for each
installation. Each device will also require a 3 year Barracuda Premium Service Support at a cost of $4,844.05
per unit. The token authentication system will require 250 SecurID tokens with a 3 year license at a cost of
$15,499, and a SecurID Appliance priced at $2,498. The installation of the SecurID solution will take
approximately 2 hours at an estimated cost of $100. The SecurID Appliance comes with a standard 1 year
warranty that includes support. To cover two additional years of support and warranty, a 2 year SecurID
Advanced Hardware Replacement and Support Renewal at a cost of $917 must be purchased.
Remote Access Total Cost
Item                             Quantity   Unit Price   Total Price
Barracuda 680 VPN Gateway        4          $8,549.00    $34,196.00
Barracuda Energize Update        4          $5,794       $23,176.00
Barracuda 3 Year Support         4          $4,844.05    $19,376.20
RSA SecurID 250 Tokens Bundle    1          $15,499      $15,499.00
RSA SecurID Appliance            1          $2,498       $2,498.00
RSA Support Renewal              1          $917         $917.00
Labor                                                    $500.00
Total Cost                                               $96,162.20
Barracuda SSL VPN 680 Network Deployment
The Barracuda SSL VPN 680 Gateway is a flexible device that can be easily deployed in a multivendor environment
with minimal compatibility issues. This ease of deployment makes the Barracuda 680 a versatile unit that can be
easily deployed in virtually any network environment. The recommended deployment in this particular project is
placement of the VPN Gateway in the DMZ of each corporate site. Using a DMZ will provide an extra layer of
security for the network by providing a buffer zone between the outside network and the internal services and
applications within each corporate site. Although this configuration requires additional firewalls, its added security
outweighs the additional cost. Although placement of the VPN gateway in the DMZ is recommended, there are other
options that can be implemented. For example, the VPN gateway can be placed between the inside network and an
outside firewall. In a DMZ placement configuration, the VPN gateway works as a proxy server, which adds extra
security to the network by determining the validity of network requests before accessing internal servers and
applications. This extra layer of security is very important for IIS due to its sensitive military information.
4.5. LAN and WAN Topology and Cost Analysis
Facility LAN Overview
The network solution for the new Dallas facility is designed to meet the security, access, and future expansion needs of
IIS. To meet IIS’s need for future proofing, the network design is built around a fiber optic vertical and horizontal
backbone pushed out to each department, where modular Cisco 6503-E switches connect the fiber backbone to the
Cat6a network cable that runs to the individual workstation locations. In addition to providing for future expansion
needs without the need to replace the primary network links, the modular design of the department switches allows for
future expansion without the need to replace an entire switch when more ports are needed. Expansion can be
accomplished through the addition or exchange of a module.
To provide for network management and security, the network is logically divided into virtual local area networks
(vLAN), with each department existing on its individual vLAN.
Prototype Manufacturing Department
The network for the Prototype Manufacturing Department uses wired connections and is designed to be expanded or
reconfigured easily utilizing a modular Cisco 6503-E switch. The department’s current configuration is designed to
provide sixteen personnel with terminal and VoIP phone connectivity at their stations.
Warehouse
The warehouse facility is designed with both wired and wireless connectivity to accommodate both a more
stationary office environment and a dynamic inventory tracking system requiring a high degree of mobility. The
warehouse offices solution is designed to allow for expansion and reconfiguration with a modular Cisco 6503-E
switch. The solution is currently for sixteen office personnel. It provides wired connectivity at the desktop for a
terminal and VoIP phone at each desk. Additionally, it provides two separate network connections for peripheral
office equipment.
The warehouse solution is designed with wireless connectivity for inventory tracking. The wireless connectivity is
provided by three Cisco Aironet 3600E wireless access points allowing for up to 450 Mbps data transfer rates to
accommodate current and future performance demands. Security of the wireless network is provided through
encryption and authentication protocols to ensure only authorized connections are allowed.
Call Center
The call center is designed with wired connectivity and is located on the second floor of the new Dallas facility. The
call center is designed to allow for expansion and reconfiguration with a modular Cisco 6503-E switch. In its current
configuration the call center is designed to support up to twelve agents handling calls simultaneously. The call
center design provides each agent with connectivity for a terminal and VoIP phone at their station. Call monitoring
and supervision is provided through a supervisor management interface, which allows the call center supervisor to
monitor calls in real time, from their station, as well as the ability to take over calls if needed via the call center
software.
Information Technology Department
Other Departments
Research and Development
Marketing
Sales
Executive
Accounting
Human Resource
Common access areas
Lunch room
Reception Area
Appendix A
Dallas Logical LAN with Department vLANs
[Diagram: New Dallas Facility logical LAN. Network Core; 1st, 2nd and 3rd Floor switches. Address assignments shown:]
Human Resource: Vlan 10.1.0.0/16
Accounting: Vlan 10.2.0.0/16
Executive Offices: Vlan 10.3.0.0/16
GYM: Vlan 10.4.0.0/16
Sales: Vlan 10.4.0.0/16
Home Workers Temp Desks: Vlan 10.6.0.0/16
IT department: Vlan 10.7.0.0/16
Call Center: Vlan 10.8.0.0/16
Marketing: Vlan 10.9.0.0/16
Server Farm: 10.20.0.0/16
Warehouse Office: Vlan 10.10.0.0/16
Prototype Manufacturing: Vlan 10.11.0.0/16
R&D: Vlan 10.12.0.0/16
Lunch Room Public Access: Vlan 10.13.0.0/16
Warehouse Wireless Connection: Vlan 10.14.0.0/16
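Per-department access lists only separate departments when each vLAN has its own address range, so the Appendix A plan can be checked for overlaps before it is configured. The following is an added example, not part of the proposal; the function names and the 10.0.0.0/8 site block are assumptions, and the addresses are copied from the diagram.

```python
import ipaddress
from itertools import combinations

# Department-to-subnet assignments copied from the Appendix A diagram.
VLAN_PLAN = """
Human Resource                  10.1.0.0/16
Accounting                      10.2.0.0/16
Executive Offices               10.3.0.0/16
GYM                             10.4.0.0/16
Sales                           10.4.0.0/16
Home Workers Temp Desks         10.6.0.0/16
IT department                   10.7.0.0/16
Call Center                     10.8.0.0/16
Marketing                       10.9.0.0/16
Warehouse Office                10.10.0.0/16
Prototype Manufacturing         10.11.0.0/16
R&D                             10.12.0.0/16
Lunch Room Public Access        10.13.0.0/16
Warehouse Wireless Connection   10.14.0.0/16
Server Farm                     10.20.0.0/16
"""


def parse_plan(text):
    """Return [(name, IPv4Network)]; strict=True rejects entries with host bits set."""
    entries = []
    for line in text.strip().splitlines():
        name, cidr = line.rsplit(None, 1)
        entries.append((name.strip(), ipaddress.ip_network(cidr, strict=True)))
    return entries


def find_overlaps(entries):
    """Every pair of segments whose address ranges intersect, duplicates included."""
    return [
        (name_a, name_b, str(net_a), str(net_b))
        for (name_a, net_a), (name_b, net_b) in combinations(entries, 2)
        if net_a.overlaps(net_b)
    ]


def next_free_subnet(entries, prefix=16):
    """First unused block of the given size above the lowest assigned subnet."""
    used = [net for _, net in entries]
    lowest = min(used)
    site = ipaddress.ip_network("10.0.0.0/8")   # assumption: the site allocates from 10.0.0.0/8
    for candidate in site.subnets(new_prefix=prefix):
        if lowest < candidate and not any(candidate.overlaps(net) for net in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    plan = parse_plan(VLAN_PLAN)
    for name_a, name_b, net_a, net_b in find_overlaps(plan):
        print(f"overlap: {name_a} ({net_a}) and {name_b} ({net_b})")
    print("next free /16:", next_free_subnet(plan))
```

Run over the plan as drawn, it reports GYM and Sales on the same 10.4.0.0/16 range and 10.5.0.0/16 as the first unused block.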
Wide Area Network Connection
LAN Installation at Dallas Location Total Cost
Item                                                             Quantity       Unit Price           Total Price
Cat 6a Solid Core STP Network Cable                              159,000 ft.    $149.95 / 1000 ft.   $39,742.05
Cat 6a gold plated RJ-45 Connectors                              900 ea.        $95.00 / 500 ct.     $190.00
24 port Cat 6 Patch Panels                                       93 ea.         $38.34 ea.           $3,564.62
600 MHZ Multimode Fiber                                          7,000 ft.      $198.74 / 1000ft.    $1,391.18
Cisco AcpGLC-ZX-SM-AO 1000base-ZX Gigabit Ethernet Fiber Port    60 ea.         $160.99              $9,659.40
Cisco Catalyst 48port POE Switch Model WS-C3750X-48PF-3-RF       32 ea.         $4,195               $134,240.00
Cisco Catalyst 24port POE Switch Model WS-C3750X-24PF-3-RF       8 ea.          $2,256               $18,048.00
Cisco Catalyst 6500 Series Managed Switch Model 5609-E           2 ea.          $148,582             $297,164.00
Labor                                                            724 man hrs.   $50                  $36,200.00
Total Cost                                                                                           $540,199.25
WAN Installation Cost Analysis
Item                              Quantity   Unit Price        Total Price
One time Setup Service Charge     3          $2,500.00         $7,500.00
Backbone MPLS T-1 Circuit Path    3          $1,250.00/Month   $3,750.00
Cisco Router 2811                 3          $3,650.00         $10,950
Total Cost                                                     $22,200
5.
FINANCIAL ANALYSIS
This financial analysis is based on NPV and IRR functions. The inflows used in this analysis are based on the
current annual network expenses of IIS, which amount to $420,000 per year. Although this analysis yielded an
unfavorable result in the NPV analysis (negative number), it is important to note that only direct savings were
considered. Once other financial benefits such as increased productivity and other operational savings are considered
the financial analysis will yield better results.
Cost of Investment
VoIP Solution              $74,350
LAN Solution               540,199
WAN Solution               153,450
Remote Access Solution     96,162
Security Solution          64,675
Total cost for 3 years     $928,836
Yearly Inflows/ Outflows
                                                                         Year 1     Year 2     Year 3
Current Annual Cost                                                      $420,000   $420,000   $420,000
New Solution Cost                                                        (60,960)   (60,960)   (60,960)
Operational Savings/Initial Investment (Negative Number)    ($745,956)   $359,040   $359,040   $359,040
IRR and NPV
Cost of capital            15%
Net present value          ($109,066.85)
Internal Rate of Return    21%
6. APPROVALS
The signature of the person below indicates an understanding of the purpose and content of this document by
those signing it. By signing this document you indicate that you approve of the proposed project outlined in this
business case and that the next steps may be taken to create a formal project in accordance with the details
outlined herein.
Approver Name    Title                      Signature    Date
Daniel Munger    Chief Executive Officer
7. REFERENCES
Barracuda Networks Inc. (n.d.) The Barracuda SSL VPN Advantage. Retrieved from
http://www.barracudanetworks.com/ns/downloads/White_Papers/Barracuda_SSLVPN_WP_Advantage.pdf
BarraGuard. (n.d.). Barracuda Networks SSL VPN 680. Retrieved from http://www.barraguard.com/SSL-VPN680.asp?gclid=COnP4-ic7q4CFUXc4Aod-jN8KQ
Balog, T. (n.d.). Keeping a Watchful Eye with OpenNMS. Retrieved from http://www.linux-mag.com/id/4171/
Cisco Press. (2012). Distributed Multilink Point-to-Point Protocol for Cisco 7500 Series Routers.
Retrieved from http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/multippp.html
Cisco Systems Inc. (n.d.). Retrieved from http://www.cisco.com/en/US/products/sw/voicesw/ps556/index.html
CounterPath (n.d.). Retrieved from http://www.counterpath.com/bria.html
excITingIP.com. (2010, May 02). Advantages of MPLS VPN over Point to Point Leased Lines for WAN
Connectivity. Retrieved from http://www.excitingip.com/707/advantages-of-mpls-vpn-network-over-pointto-point-leased-lines-for-wan-connectivity/
Holden, G. (2004). Firewalls and network security intrusion detection and VPNs. Canada: Course
Technology
Kinka, Scott. (2009, April 09). The Next Generation of Business Networks. Retrieved from
http://www.technewsworld.com/story/66750.html
NDM (n.d) Barracuda SSL-VPN 3yr Premium Support. Retrieved from
http://www.ndm.net/barracudastore/Barracuda-SSL-VPN-680/Barracuda-SSL-VPN-680-3yr-PremiumSupport-BVS680a-p3
Orloff, J. (2006, May 31). How to choose a network management system. Computer world. Retrieved from
http://www.computerworld.com/s/article/9000849/How_to_choose_a_network_management_system?taxonomyId=16&pageNumber=3
RSA Security Inc. (2007) RSA SecurID Appliance. Retrieved from
http://www.tokenguard.com/datasheets/APPL_DS_0407.pdf
RSA Security Inc. (2004) RSA Authentication Deployment Manager. Retrieved from
http://www.tokenguard.com/datasheets/ADM_DS_0507.pdf
Scarfone, K., & Hoffman, P. (2009). Guidelines on firewalls and firewall policy [Data file].
Retrieved from http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf
Smart VoIP guide (n.d). Retrieved from http://www.smart-voip-solution.com/business-voip-solution.html/
Teare, D. (2008). Authorized Self-Study Guide: Designing for Cisco Internetwork Solutions (DESGN). Cisco Press
Second Edition. Indianapolis, IN
TokenGuard. (n.d.). RSA SecurID Appliance and SecureID Bundles. Retrieved from
http://www.tokenguard.com/RSA-SecurID-Appliance.asp
TokenGuard. (n.d.). RSA SecurID SID700 Authenticator Token. Retrieved from http://www.tokenguard.com/RSASecurID-SID700.asp?gclid=CMKYh9yw6q4CFQdN4AodbDRfIQ
Tripwire inc. (2012). Tripwire security solution. Retrieved from www.tripwire.com/data-security/
VoIP (n.d). Retrieved from http://www.wildpackets.com/resources/compendium/voip#wp1014365/
Wireless Solutions (n.d.). Retrieved from http://www.xirrus.com/cdn/pdf/Xirrus_VoWiFi_SB_100511