Network Infrastructure Best Practises Audit
Document Transcript

  • Network Infrastructure Best Practises Audit for YourCo
    Presented to: Chief Information Officer, Infrastructure Manager
    Author(s): Principal Consultant, The Full Circle
    Audit date: May 2005
  • Company confidential
    Version History
      Version | Date | Author | Notes
      0.A | 13th May 2005 | Principal Consultant | Report framework previewed/agreed
      0.B | 1st June 2005 | Principal Consultant | Audit tool output additions; Infrastructure Inventory agreed
      1.0 | 23rd June 2005 | Principal Consultant | First release to client
    Customer Details
      Customer Name: YourCo
      Customer Address: Corporate Tower, Corporation Road, Corporate County, ABC 123
      Telephone Number: +44 (0) 234 567 890
      Fax Number: +44 (0) 234 567 891
      Contacts: Chief Information Officer [cio@YourCo.org] +44 (0) 234 567 890; Infrastructure Manager [infrmgr@YourCo.org] +44 (0) 234 567 890
      Project Name: Network Infrastructure Best Practises Audit
      The Full Circle Consultant(s): Principal Consultant [consultant@thefullcircle.com] +44 (0) 7000 123456
    * The Full Circle wishes to acknowledge all trademarks and, or copyrights used within this document.
    ©2005 Full Circle Technology Limited
  • Table of contents
      • Management summary
      • Scope of work
      • Audit approach and deliverables
      • Appraisal and Recommendations
      • Appendices – links to detailed audit results
          • Appendix A1
          • Appendix A2
  • Management summary
    Full Circle Technology Limited – the full circle – has been asked by YourCo to carry out a ‘Network Infrastructure Best Practises Audit’ of the back-end IT infrastructure estate (Network & Servers). Whilst the scope of the audit includes the environment world-wide, it is mostly focused on systems housed at the head office at Thames Tower, Hammersmith (UK) and the hosting facility? in…
    A scoping exercise was carried out on Wednesday 13th April 2005 to determine the background for the request and to understand and agree what deliverables are required.
    Full Circle Technology Limited – the full circle – will carry out a five day audit of YourCo’s head office Network & Server Infrastructure, with the provision of an additional day (gratis) if needed to deliver upon objectives and budget.
    The audit will cover core IT services (e.g. File & Print, Email, Database), core Network services (e.g. LAN/WAN infrastructure, network addressing, VPN, Firewall), Server hardware devices (e.g. processor, memory, storage) and, to a lesser extent, Internet domain names, external IP presentation (e.g. port availability, etc.) and other ‘offsite functions’ that are required to deliver service to the user base.
    Attention Required Index = (Maximum Outage Hours) + Service SPF + Degree of Fault Tolerance + Inter-dependency + Health Rating + Backup Confidence
  • Scope of work
      • Network Topology Diagrams
      • Network Infrastructure Devices
      • Network Security Assessment
      • Server Inventory
      • Server Patching Assessment
      • Server Health Assessment
      • Inventory of all software installed on all servers/workstations including operational software such as Anti Virus, Backup, File utilities and Firewall, as well as Application Software including version(s), release, date installed and date last accessed.
    If issues are identified with the systems that require action, the proposed action will be documented in the Observations & recommendations section within the report.
  • Audit approach and deliverables
    Tools and processes, and personnel to be used will include:
      • Internal & External Network Discovery/Mapping
      • DNS Reporting
      • Internet Mail Relay testing
      • External port analysis
      • Intrusion testing
      • Vulnerability assessment
      • Bandwidth usage/monitoring
      • Hardware inventory (server & network)
    The processes used will be capture, collate, observation, recommendation in the form of a written report.
    The Technical Architect responsible for carrying out this Audit is Reuben Cook who has worked in world-wide, world-class network environments for several years. He has network design, implementation and support experience with Cisco networking solutions from small office installations through to building complex Internet Data Centre (ISP/IDC) core networks across Europe. Reuben has attained Microsoft MCP+I, MCSE, Cisco CCNA & CCNP certifications.
  • Appraisal and Recommendations
    Subject Area: Network Infrastructure devices (Cisco routers, and core switch) Servers
    Current Situation: See Appendix A1 – Cisco ‘show-tech’ output and Cisco Output Interpreter results
    Appraisal:
      • Some of the Cisco router infrastructure is old (no longer supported) and running old versions of Cisco IOS software which has been superseded, however memory limitations would prevent use of most recent software levels.
      • Memory limitations would appear to be impacting router performance (e.g. BTA)
      • Software levels are inconsistent.
      • Security implementation is basic (e.g. clear text passwords stored in configs) although RADIUS is used to control administrator access
      • Configurations are not maintained and distributed centrally.
      • A manual process of copying the latest configuration to a TFTP server exists although limited/no versioning in place.
      • There are a number of Single Points of Failure (SPF) in terms of core network devices.
      • Thames Tower is in the process of migrating Internet access from a Cisco IOS firewall router to a dedicated Cisco PIX firewall however this is a single point failure device without automatic failover or any vendor maintenance in place
      • Thames Tower data connectivity resilience is in place via New York although this would not be a seamless transition and service would be severely impacted due to capacity disparity (2Mbps vs 6Mbps)
      • Core switch is overloaded?
      • Limited network topology documentation in place
    Recommendations:
      • Where appropriate, upgrades should be considered either updating whole platform, or memory (RAM & Flash)
      • Standardisation on a given IOS level should be considered to maximise security, features and supportability.
      • Security lockdown to established Cisco ‘best practise’ should be implemented (autosecure available from IOS 12.3 onwards – care needed!)
      • Investigate use of configuration (and image) management system e.g. CiscoWorks (Resource Manager Essentials)
      • Implement a change log to record changes and maintain file level version history e.g. config-yymmdd
      • Investigate and implement automatic failover at both the hardware and link level (e.g. use of the 2Mbps xDSL service at TH)
      • Identify maintenance gaps vs. availability needs and address shortfall (e.g. on-site spares, hot-standby, vendor maintenance agreements - Cisco SmartNet)
      • Perform detailed analysis of the Cisco Output Interpreter output and extend analysis to rest of Cisco estate (TFC)
      • More detailed network diagrams (both logical and physical) should be produced to assist troubleshooting and further network engineering
  • Appraisal and Recommendations (continued)
    Subject Area: Wireless Networking
    Current Situation:
      • Common Wi-Fi access in all hub locations and most of Thames Tower
      • 802.11b (11Mbps) technology
      • 128-bit WEP encryption
      • New ‘diner’ area to be provisioned with guest access (segmented from corporate network with lower security)
    Appraisal:
      • WEP encryption technology is known to be weak, although dual WEP is being used (1 key for transmit, 1 for receive)
      • 11Mbps generation 1 (single radio, single antenna) Access Points are unsuitable for some applications due to bandwidth and latency (delay, queuing) limitations
    Recommendations:
      • In light of usage, probably sufficient although improvements should be considered… (cost justified).
      • Opportunity to upgrade to higher bandwidth with greater coverage - new purchases should be dual speed with multiple antennas
      • Consider reviewing the encryption technology
      • Configuration and software management should be controlled as per routers and switches

    Subject Area: Network Security
    Current Situation: See Appendix A2 – Security Audits, external penetration tests, TT 2nd floor internal vulnerability assessment
  • Appraisal and Recommendations (continued)
    Subject Area: Internet presence (security)
    Current Situation: See Appendix A3 – DNS & Email assessment
    Appraisal:
      • The primary corporate Email domain is YourCo.org; this has in-bound antivirus scanning via MessageLabs (part of Star Internet?) and as such has a very strong infrastructure (multiple clusters, etc.). Once mail is scanned it is forwarded to the TT & NY external IP?
      • Outbound mail is also scanned by MessageLabs by pointing the local mail servers at their servers (by using a ‘smarthost’)
      • Only 1 Mail eXchanger (MX) record exists for both YourCo.com and bta.org. Only having 1 MX record is considered bad practise as it can present a single point of failure (even for a load balanced service) as MX corruption could result in mail delivery (in-bound) issues
      • YourCo.com is primarily used for marketing activities but it can and does accept mail; it is not clear this also has the same level of antivirus defence as the .org domain.
      • The outbound IP for the TT firewall (62.189.60.30) is listed on some Internet blacklist servers: dnsbl.sorbs.net, spammers.v6net.org, block.blars.org
    Recommendations:
      • Consider adding YourCo.com to also use the MessageLabs infrastructure
      • Contact any blacklist registrars to establish the history and nature of the entry and seek removal – Blacklists are dangerous! They are the number 1 cause for Email delivery problems.
      • Regularly check blacklist status or subscribe to a monitoring service such as www.blacklistmonitor.com - In addition to commercial damage, appearance on blacklists suggests compromised systems
  • Appraisal and Recommendations (continued)
    Subject Area: Local Area Networking
    Current Situation: See Appendix A3 – HQ Network Topology
    Appraisal:
      • Multiple single points of failure without provision for outages (e.g. switches, hubs)
      • Topology needs a review (Gigabit backbone)
    Recommendations:
      • Implement a resilient backbone
      • Additional redundancy for key services

    Subject Area: Wide Area Networking
    Current Situation: Out of scope. Need to get some idea of the global topology even though out of scope – will be useful in determining future design and in suggesting means to cut costs
    Appraisal: Potential cost saving opportunities. More details required to assess VoIP
    Recommendations: TBC

    Subject Area: Network Services
    Current Situation:
      • Only TCP/IP protocol used
      • Private addressing scheme (10.x.x.x)
    Appraisal:
      • Private address – positive, but subnets not used appropriately?
      • DHCP delivered through a single server (scope), without any failover ability
      • Default SNMP settings are a major security threat
      • The network is one large broadcast domain therefore it does not restrict the propagation of viruses and other security threats.
      • POP3 (Post Office Protocol) does not fully support the collaborative features of Outlook & Exchange
    Recommendations:
      • Conduct an IP & VLAN subnet planning exercise
      • Implement a split-scope DHCP service
      • Implement custom SNMP strings
      • Implement VLAN segmentation
      • Move mail clients to either full MAPI clients (can be via https) or Outlook Web Access
  • Appraisal and Recommendations (continued)
    Subject Area: Servers
    Current Situation: See Appendix Ax – Infrastructure Inventory
    Appraisal:
      • Location of some servers needs reviewing
      • Lack of strategic server architecture
      • Degree of interdependence
      • Lack of patching
      • Inconsistent monitoring
      • Low degree of component fault tolerance in most servers
      • Lack of service continuity (failover) provisions for critical servers
      • Mixture of backup/restore methods leading to over complexity
      • Assortment of server vendors and server classes/components
    Recommendations:
      • See section 5: There are significant issues with the server infrastructure, these are highlighted in the Infrastructure Inventory document.

    Subject Area: Server Patching
    Current Situation: See Appendix Ax – Infrastructure Inventory
  • Appraisal and Recommendations (continued)
    Subject Area: Environment
    Current Situation:
      • Secure Comms. Room
      • Pass code access
    Appraisal:
      • Trailing cables on comms. room floor risk being damaged/pulled etc. causing outages
      • Door security seems adequate
      • Air-con seems adequate (however this has not been assessed)
      • Use of racks is positive however doors are left open (sub-optimum cooling) and no evidence of cable management which complicates maintenance.
      • Some equipment not in racks and therefore prone to cooling/dust issues
      • Patching / colour coding inconsistently applied.
      • Server room needs a general tidy up (seems to be used as a spare parts store)
    Recommendations:
      • Tidy up the server room!
      • Change door access codes if they are widely known
      • Use racking appropriately
  • Appendices – links to detailed audit results
    Appendix A1: Cisco Output Interpreter analysis of key routers, switch and PIX firewall
      • Cisco Output Analysis - BTA
      • Cisco Output Analysis - Copenhagen
      • Cisco Output Analysis - DublinData
      • Cisco Output Analysis - DublinVoice
      • Cisco Output Analysis - Firewall
      • Cisco Output Analysis - Gigabit_Switch
      • Cisco Output Analysis - MPLS
      • Cisco Output Analysis - VBFirewall
    Appendix A2: Security Audits
      • AdvSecAudit-62.189.60.16-31
      • AdvSecAudit-63.96.231.64-79
      • AdvSecAudit-193.128.174.32-63
      • InternalSecAudit-10.6.0.0
    Appendix A3: DNS and Email Assessment
      • DNS Report for YourCo.org (primary corporate Email domain)
      • DNS Report for YourCo.com (used mostly for marketing activities)
      • DNS Report for bta.org (discontinued, points to corporate/.org)
      • Mail relay testing - mail.YourCo.org (unable to be tested for relay – closed)
      • Mail relay testing - mail.YourCo.com
      • Email Tester results for YourCo.org
      • Email Tester results for YourCo.com
      • Email Tester results for bta.org
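
The appraisal notes clear text passwords stored in router configs and calls default SNMP settings a major security threat. The Python check below is an added example, not part of the original report or its audit tooling; it flags both conditions in a saved Cisco IOS configuration and goes slightly further by also flagging type 7 passwords and read-write communities. The sample configuration, the rule names and the `audit_config` function are constructed for illustration.

```python
import re

# Constructed sample config (not taken from the audit); values are illustrative.
SAMPLE = """\
hostname edge-rtr-01
enable password letmein
enable secret 5 $1$CONSTRUCTED$hash
username admin privilege 15 password 7 0822455D0A16
username ops secret 5 $1$CONSTRUCTED$hash
snmp-server community public RO
snmp-server community n0tdefault RW 10
line vty 0 4
 password vtypass
 login
"""

DEFAULT_COMMUNITIES = {"public", "private"}

# "password [type] value" under enable, username or a line; type defaults to 0.
PASSWORD_RE = re.compile(
    r"^\s*(?:enable |username \S+ (?:privilege \d+ )?)?password (?:(\d) )?\S+")
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?", re.I)


def audit_config(text):
    """Return (line_number, rule) findings; secrets are never echoed back."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        pw = PASSWORD_RE.match(line)
        if pw:
            ptype = pw.group(1) or "0"
            if ptype == "0":
                findings.append((lineno, "cleartext-password"))
            elif ptype == "7":
                # Type 7 is reversible obfuscation, not a hash.
                findings.append((lineno, "type7-reversible-password"))
            continue
        snmp = SNMP_RE.match(line)
        if snmp:
            if snmp.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default-snmp-community"))
            if (snmp.group(2) or "").upper() == "RW":
                findings.append((lineno, "snmp-rw-community"))
    return findings


if __name__ == "__main__":
    for lineno, rule in audit_config(SAMPLE):
        print(f"line {lineno}: {rule}")
```

Findings carry only the line number and rule name, so the output can be attached to a report without copying credentials out of the config.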