Honeymoon Holidays
Course Title: Business Information Systems with Cloud Computing
Lecturer Name: Brian Hickey
Module/Subject Title: B8IT045 – Network & Communications Management
Assignment Title: Honeymoon Holidays Co. Case Study
Number of words: 5,474 (excluding TOC, Executive Summary, Conclusion & Bibliography)
NETWORK ASSESSMENT AND DESIGN
April 2016
Dublin Business School
www.dbs.ie
CONTENTS
Figures and Diagrams
Executive Summary
Current Organizational Structure
Current Systems Review & Network Design
Current System Architecture
1. Hardware
2. Software
Proposed Network and Systems Overview
Business Case for Updating the Network and Systems
High Level Network Design (see attached Visio diagram for detailed layout)
System Architecture
1. Hardware
Communications
Routers
Switches
Cabling
Software
Desktop and Office
Detailed Network Design
Local Area Network
1. Dublin
Cork
Premium Travel
Wide Area Network
1. Inter-Office Communications
OSI Model
Data Transfer
Security
1. Provided Measures
2. Further Considerations
3. Proposed Wireless Plan
Wireless AP
Indoor Enterprise WLAN Deployment
Planning Wi-Fi Layout
Implementation
Rollout Phases
Risk Management
Conclusion
Appendices
Appendix 1 – Vendor Selection
AirWatch for Mobile Security
Appendix 2 – Hardware Selection
Appendix 3 – Software Selection
Appendix 4 – Business Requirements
Appendix 5 – Star Network Explanation
Appendix 6 – Costing
Bibliography
FIGURES AND DIAGRAMS
1 Current HR structure for Honeymoon Holidays
2 Existing IT Infrastructure
3 Proposed Network Layout
4 StoreFront Web API - Citrix Logon
5 Citrix logon screen presented to user
6 VLAN pruning
7 Proposed VLAN layout
8 Network for Accounts Department
9 VLAN layout for HR & Management Dublin
10 VLAN layout for Sales team Dublin
11 VLAN layout for Administration Dublin
12 Access Switch MVRP Client
13 Access Switch MVRP Client
14 VLAN layout Cork Office, Switch 9
15 VLAN layout Cork Office, Switch 10
16 Printer Scanner Copier, Cork office
17 QoS Strategy
18 OSI Layer model
19 OSI 7 layers
20 Data flow through the OSI model
21 Data Encapsulation
22 FortiAP Wireless AP
23 Channel Reuse for 2.4 GHz band
24 Typical Wireless AP layout with Channels
25 Multiple Access Points (roaming enabled)
26 Risk Analysis 1
27 Potential Risks for Honeymoon Holidays
28 Recommended Risk Control for Honeymoon Holidays
EXECUTIVE SUMMARY
Honeymoon Holidays proposes to upgrade its IT infrastructure by adding significant
functionality, incorporating a complete review of how it does business today and new proposals
for future business needs and expansion. The proposal includes a complete overview of the
current IT infrastructure in the Dublin and Cork offices, including the small satellite sites. The
current IT infrastructure in the Dublin and Cork offices is disjointed in design (no coherent
network between departments), preventing effective sharing of documentation, ideas and
communication and reducing efficiency.
The proposed upgrade provides on-premises servers (including backup), laptops, mobile
phones and printers, all running over a purpose-built network of Juniper routers and switches
protected by Fortinet security appliances. Email, office documents and VoIP will be cloud-based
services running on the Microsoft Azure platform. All offices and employees will be network
enabled, giving them reliable access to databases, applications, business reports and the
flight/hotel booking systems.
All of the existing user hardware is outdated and will be replaced by laptops, tablets and mobile
phones where applicable. To reduce cost, the front desks of Sales, Administration, HR and
Trainees will use thin-client terminals that log in to Citrix XenDesktop. The managed login
restricts each user to the applications they need, enforced through Microsoft Active Directory
policy and Citrix security policies.
HR, Accounts, Sales and Administration will run Sage business software. Office 365, Exchange
Server 2016 and Skype for Business will be deployed and made available on site and on mobile
phones. Sales personnel will have access to the network 24/7, either by logging in at the office or
remotely from a mobile phone with RSA SecurID two-factor authentication.
The recommended Fortinet devices leave room for expansion within Honeymoon Holidays: the
FortiGate 100D and 90D models allow the Dublin and Cork offices to double in size. Because
the FortiGate is an all-in-one appliance, it also accommodates future requirements such as a
Security Operations Centre (SOC), database security, LAN, mobile, cloud SaaS and remote-user
access. Fortinet also offers trade-in of end-of-life equipment and trade-up on devices, and
per-device pricing falls as more devices are added.
CURRENT SYSTEMS REVIEW & NETWORK DESIGN
2 Existing IT Infrastructure
Currently the Honeymoon Holidays systems do not communicate with each other, which leaves
each department disconnected, as there are no internal communications.
• The MD is currently using USB sticks and CDs to transfer files, which is neither an effective
nor a secure method.
• HR is still paper based, which means there is no backup of files should a fire or other
disaster occur.
• The Sales department has to contact the office at 5:30 each day to get updates on pricing,
which is not effective as there are no real-time updates.
• There is no direct overview of the Cork offices.
• Accounts has no view of Sales, HR or Admin, and there is no shared folder for seeing
anything from Finance.
CURRENT SYSTEM ARCHITECTURE
1. HARDWARE
• Client-server with an MS Workgroup is deprecated.
• The UNIX mini-computer is not fit for purpose based on the company's requirements.
• Desktops are dated and in need of replacement.
• No details on telephony; assume standard phones.
• Routers: some presence, likely a dated ISDN modem/router.
• Switches: some presence, likely dated and in need of replacement.
• Cabling: some presence, likely dated and in need of replacement.
• Internet: outdated 1-line and 4-line ISDN connections.
2. SOFTWARE
• There is no security software in place.
• Known desktop software is out of support, dated and in need of replacement across the board.
PROPOSED NETWORK AND SYSTEMS OVERVIEW
BUSINESS CASE FOR UPDATING THE NETWORK AND SYSTEMS
Pros: In a modern business where information is shared and exchanged quickly and instantly, it is
imperative that a spread-out organization (a business with multiple locations) has a well-connected
office network. This can only be achieved by making sure these locations are networked.
By networking all locations and systems, staff will be able to feed, report and collect
information, which will support the success of the business and the delivery of projects.
The wide availability and economies of scale of SaaS, PaaS and IaaS solutions mean it
is more important than ever that all staff are connected, to each other and to the internet.
A key benefit is the long-term reduction of the Total Cost of Ownership (TCO) of IT for the business.
The use of thin-client end-user desktops running virtual desktop images is a good example of
this, giving economies of scale and reducing the need for expensive replacement of physical
hardware on an ongoing basis. Ultimately this could also be a candidate for cloud hosting,
but at present our recommendation is local servers for Citrix and AD to ensure users always have
basic services and data available from their own offices.
Customers now expect a seamless, simple experience regardless of the
channel through which they engage with a business, so it is imperative that
Honeymoon Holidays has a simple, consistent approach to the services it provides. To achieve
this, all satellite offices, the Cork offices and "on-the-road" salespeople must have access
to the same services that are available at the Dublin main office or hosted in the cloud through
third-party providers. The network architecture below achieves this, putting the customer first by
ensuring quality delivery of simple services.
Cons: As with any implementation of the above there is a cost involved: first hiring the
experts to implement it, then the capital to buy the hardware, and then the running costs of the ISP and
VoIP telephony. We can expect that there will be a need for ongoing IT support for the new
systems on top of the capital costs, plus annual support and maintenance costs from the various
vendors. However, doing nothing will not allow the business to remain
competitive when consumers have so many options for making holiday bookings
from the comfort of their own homes, with quality after-sales service available.
HIGH LEVEL NETWORK DESIGN (SEE ATTACHED VISIO DIAGRAM FOR DETAILED LAYOUT)
[Figure 3, Proposed Network Layout, shows: Dublin ground floor (Sales, Administration), Dublin first floor (Accounts, HR + Management with MD and Finance), the Dublin comms room, the Cork office, Premium Travel and retail offices (1-n). Each floor and site has Layer 2 access switches (Access Switch 1 to 12) acting as MVRP clients, with trunk lines to Layer 3 distribution switches (Dist. Switch 1 to 3) and CE office routers (Layer 3) at Dublin and Cork. Sites are joined over an Eircom MPLS WAN with VPN and SIP via PE ISP routers. VLAN 1 carries users (thin clients, laptops, mobile devices), VLAN 2 carries VOIP phones and wireless access points, VLAN 3 carries the MFDs (printer, scanner, copier) and the Polycom video unit, and VLAN 4 carries the servers (Windows AD + file server, Citrix XenDesktop server, Sage server) at each site. A Fortinet appliance providing firewall, AV, VPN and web filtering sits at each site edge. External services shown: PSTN, VOIP cloud (Eircom), Office 365 + Skype for Business, Sage CRM/HRMS/Payroll, RSA soft-token, AirWatch, Honeymoon Holidays web hosting, major airlines and the banking provider.]
3 Proposed Network Layout
SYSTEM ARCHITECTURE
1. HARDWARE
SERVERS
The servers are Dell PowerEdge R630 (13th generation) rack servers running Windows Server 2012.
DESKTOPS
An easy-to-use, common interface gives employees access to applications in the office and remotely using
Citrix Receiver. Citrix Receiver connects to TCP port 443 and communicates with StoreFront
via the StoreFront Services API (see the Citrix web logon image below). The applications
run on virtual machines managed from the central Citrix server, which provides the security and
authentication. The Citrix server is easily maintained, upgraded (software/hardware) and
backed up from a central source. Patches and security updates are applied once to the central
master image rather than being deployed to each remote VDI, employee personal computer or
BYOD device. One of VDI's main benefits is that it is easy to provision new instances and delete
them when they are no longer needed. This also means that separate virtual domains can easily be built on the
server, allowing even greater separation between sales, accounts, managers and employees.
Future expansion is straightforward to implement.
With VDI, only the screen output traverses the network from the remote server to the employee's
device; the data itself stays on the server (provided client-drive mapping and clipboard
redirection are restricted by policy). This makes VDI very attractive as a security concept as it
reduces the risk of data theft or loss. For some employees, just being able to access their
desktop from any location without having to use the same client device (designated desk)
every time is a big benefit. Employees moving between work locations can access the same
desktop environment with their applications and data.
Citrix XenDesktop offers a stable platform to run the MS Office 365 suite and Windows 10, and
integrates with MS Active Directory, MS Exchange 2016 and
VoIP/Skype for Business (S4B). By delivering desktops through XenDesktop (RDSH or VDI) with Outlook
operating in cached Exchange mode, the location of the Exchange server becomes irrelevant (in this case
the cloud).
The main operations available through this API include:
• Authenticating users through a variety of methods: explicit forms, domain pass-
through, smart card, NetScaler Gateway Single Sign-On and post credentials.
• Enumerating applications/desktops.
• Enumerating available HDX sessions.
• Reconnecting, disconnecting and logging off HDX sessions.
• Launching applications/desktops.
• Powering off specific VDI desktops.
• Retrieving images and icons for applications/desktops.
• Subscribing to applications.
StoreFront Web API for secure login over Citrix
Receiver for Web is a component of Citrix StoreFront providing access to applications and
desktops from a web browser over HTTPS (TLS). It comprises a User
Interface tier and a StoreFront Services Web Proxy tier. This architecture is illustrated
below.
4 StoreFront Web API - Citrix Logon
Citrix Receiver configuration
The Web Proxy tier is a bridge between the UI tier and the StoreFront Services (namely the
Authentication Service and the Store Service). It provides a simplified API suitable for
consumption by a JavaScript/Ajax client running in a web browser. HTTPS is
used to secure data passing between the browser and StoreFront. StoreFront is hosted on IIS, so the
protocol versions offered to clients are those enabled in the Windows SCHANNEL configuration of
the StoreFront server. SSL 2.0 and SSL 3.0 are broken and must be disabled there; only TLS (1.2
preferred) should be offered. IIS's communication with Active Directory is a separate channel and
does not depend on which TLS versions the web site offers to browsers.
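Because the protocol versions StoreFront offers are whatever SCHANNEL allows, the practical check is to export that registry key and read it. The following Python is an added example for this review (not Citrix or Microsoft code): it parses a .reg export of the SCHANNEL\Protocols key and reports which server-side versions are enabled. The registry path is the real one; the export text is constructed for the example and deliberately leaves SSL 2.0 enabled so that the weak setting is flagged.

```python
"""Audit an exported SCHANNEL protocol configuration for weak versions.

Added example, not part of the original case study. StoreFront's HTTPS is
terminated by IIS, which takes its protocol settings from the SCHANNEL
registry keys, so the .reg export of that key is what a reviewer checks.
The registry path is the real one; the export below is constructed for the
example and deliberately shows SSL 2.0 left enabled.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
"""

KNOWN = ["SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]
WEAK = {"SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"}
MARKER = "\\SCHANNEL\\Protocols\\"

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_DWORD = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})\s*$')


def parse_reg(text: str) -> dict:
    """Map (protocol, 'Server'|'Client') -> {value name: int} from a .reg export."""
    result, current = {}, None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = None
            key = m.group(1)
            if MARKER in key:
                parts = key.split(MARKER, 1)[1].split("\\")  # e.g. ["SSL 2.0", "Server"]
                if len(parts) == 2 and parts[1] in ("Server", "Client"):
                    current = (parts[0], parts[1])
                    result.setdefault(current, {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def server_state(cfg: dict, protocol: str) -> str:
    """'enabled', 'disabled' or 'default' (no explicit key, so the OS default applies)."""
    vals = cfg.get((protocol, "Server"))
    if vals is None:
        return "default"
    if vals.get("Enabled", 1) == 0:            # Enabled=0 switches the version off outright
        return "disabled"
    if vals.get("DisabledByDefault", 0) != 0:  # present but not offered unless an app asks
        return "disabled"
    return "enabled" if "Enabled" in vals else "default"


def weak_protocols_enabled(text: str) -> list:
    """Weak versions whose server side is explicitly enabled in the export."""
    cfg = parse_reg(text)
    return [p for p in KNOWN if p in WEAK and server_state(cfg, p) == "enabled"]


if __name__ == "__main__":
    cfg = parse_reg(SAMPLE_REG)
    for p in KNOWN:
        print(f"{p:<8} server: {server_state(cfg, p)}")
    print("weak versions enabled:", weak_protocols_enabled(SAMPLE_REG) or "none")
```

A version with no key at all is reported as "default" rather than guessed, because the built-in default differs between Windows Server releases; the reviewer should set `Enabled` and `DisabledByDefault` explicitly for every version rather than rely on it.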
ROUTERS
We are recommending Juniper routers to fit in with the switch selection and ensure all
relevant protocols are supported across the network.
The MX series routers are affordable and provide the requirements below:
• VPLS – Virtual Private LAN Service.
• MPLS label-switched paths and Fast Reroute.
• Bidirectional Forwarding Detection (BFD).
• Hierarchical QoS.
• Pay-as-you-grow capacity upgrades.
SWITCHES
We are recommending Juniper switches that support the IEEE 802.1ak Multiple VLAN
Registration Protocol (MVRP) at Layer 2. VLAN membership is carried on the trunk links by
IEEE 802.1Q tagging, which does not encapsulate the frame but inserts a 4-byte tag and
recomputes the frame check sequence at the end of the frame; traffic between VLANs is routed
at Layer 3 by the distribution switches and policed by the firewall. "Trunk
ports" are used between the Layer 2 access switches and the Layer 3 distribution switches.
With MVRP, the VLANs allowed on each trunk are registered automatically based on which VLANs have
devices connected to each access switch, so the distribution switches do not flood broadcast
and unknown-unicast traffic for VLANs that have no members on a given access switch. This is a
benefit to overall network performance.
6 VLAN pruning
(YouTube, 2016)
All switches must also support the required Power over Ethernet (POE) and dual power
supplies.
CABLING
We would recommend the CAT6 specification, rated to 250 MHz, which supports gigabit Ethernet over
the full 100 m and 10 gigabit Ethernet over shorter runs (up to about 55 m), future-proofing the
cabling within a floor. CAT6 has an internal separator that isolates the pairs
from one another, which makes it much better at limiting crosstalk than CAT5 and
CAT5e. We would highly recommend using the star topology, as this centralizes
management of the network through the central switch. It is also easier to add
another computer to the network, and if one computer on the network fails, the rest of the
network continues to function normally.
Network Solutions offer installation and configuration at a low rate and are highly recommended (Appendix
3).
2. COMMUNICATIONS
Email, VoIP and desktop applications
The recommended employee-facing services are Office 365 Business (SaaS),
Exchange Server 2016 and Skype for Business, hosted in the Microsoft cloud and managed
centrally by Microsoft. Email will become the communication
medium of choice within the business. Having Exchange and Office 365 in the cloud enhances
document sharing and eliminates version conflicts between copies of documents. Background
maintenance and product updates are managed centrally by the hosting provider, eliminating
the need for on-site dedicated IT support. Also provided are Data Loss Prevention, Managed
Availability, automatic recovery from storage failures and a web-based Exchange admin
center for managing user accounts and security (managed either internally or externally).
Skype for Business
Office 365 Business and Enterprise customers can use S4B for the following:
• Skype Meeting Broadcast – meetings over the internet (10,000 attendees max).
• PSTN conferencing (invite people to join meetings via landline or mobile phones).
• Free calls and meetings within the business.
• Integrated IM within the business, with the option to make it available to external clients. This will
allow remote chat support for clients with holiday bookings or enquiries.
Skype uses 'MS Notification Protocol 24', moving away from the peer-to-peer architecture; the
protocol specification has not been made publicly available. Included in S4B are video
conferencing and instant messaging, where messages are easily shared with a single user or
multiple users of the service. Group meetings and sharing of information can be easily
performed without the need for users to leave their desks and enter a meeting room.
We would recommend Eir, as they have been a Cisco Gold partner for many years and have the best
experience in the industry in deploying VoIP solutions (https://business.eir.ie/sipvoice).
The SIP-enabled IP PBX provides the telephony infrastructure inside the business and
replaces the existing PBX. This allows the company to scale rapidly to cope with temporary or seasonal
demand.
SIP voice ultimately costs less than traditional voice service and brings the added benefit of resilience. It
is a unified communications and collaboration service, allowing voice and video to traverse
IP networks, although bandwidth and quality of service must be carefully managed to protect
application performance.
Important considerations in choosing a cloud VoIP provider are:
• Quality of codecs: the sound quality of the audio communication and the bandwidth
used.
• Quality of Service (QoS): low latency and sufficient bandwidth are needed for a
successful VoIP deployment.
3. VLANS
We are recommending segregating the internal network into four separate subnets as below:
7 Proposed VLAN layout
VLAN 1 will be for the users, covering all XenDesktop thin-client connections, all
laptops and all mobile access. It is a /22 network to allow growth in host
connections, particularly as users employ more devices (thin-client desktop, laptop, tablet,
phone).
VLAN 2 will be for the VoIP real-time audio communications, again a /22 network
with plenty of capacity for growth.
VLAN 3 will be for all network-attached devices such as printers and scanners. This
will be a /24 network, as the capacity requirement is much lower and less growth is expected.
VLAN 4 will be for the servers. This is a /28 network with only 14 hosts, which keeps the
server VLAN small and easy to audit. On its own a small prefix is not a security control: what
protects the servers is the firewall policy between VLANs, which should default to deny and
permit only the specific ports the user, device and VoIP VLANs need (for example TCP 443 from
the user VLAN to the Citrix server).
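As an added check (example code written for this review, not part of the original case study), the following Python recomputes the network, broadcast and usable-host figures for the four prefixes above, using the address ranges from the VLAN table in this section, and flags overlapping or non-private ranges. The VLAN ids, names and ranges are the proposal's; nothing else is assumed.

```python
"""VLAN address-plan check for the four proposed subnets.

Added example, not part of the original case study: it recomputes the
network, broadcast and usable-host figures for each VLAN with the standard
library and checks that no two VLANs overlap and that all ranges are
private, which is the arithmetic a reviewer redoes before signing off.
"""
import ipaddress

# The proposal's VLAN plan (VLAN id, name, CIDR): prefix lengths as stated
# in the VLAN descriptions, address ranges as in the VLAN table.
VLAN_PLAN = [
    (1, "Users",   "10.1.0.0/22"),
    (2, "VOIP",    "10.200.0.0/22"),
    (3, "Devices", "192.168.1.0/24"),
    (4, "Servers", "192.168.2.0/28"),
]


def describe_vlan(cidr: str) -> dict:
    """Return mask, network, broadcast and usable host count for a CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    return {
        "mask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        # usable hosts exclude the network and broadcast addresses
        "hosts": net.num_addresses - 2,
    }


def check_plan(plan=VLAN_PLAN) -> list:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = [(vid, name, ipaddress.ip_network(cidr)) for vid, name, cidr in plan]
    for i, (vid_a, name_a, net_a) in enumerate(nets):
        if not net_a.is_private:
            problems.append(f"VLAN {vid_a} ({name_a}) uses non-private range {net_a}")
        for vid_b, name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(
                    f"VLAN {vid_a} ({name_a}) overlaps VLAN {vid_b} ({name_b})")
    return problems


def host_fits(cidr: str, host: str) -> bool:
    """True if `host` is a usable address inside `cidr` (not network/broadcast)."""
    net = ipaddress.ip_network(cidr)
    addr = ipaddress.ip_address(host)
    return addr in net and addr not in (net.network_address, net.broadcast_address)


if __name__ == "__main__":
    for vid, name, cidr in VLAN_PLAN:
        d = describe_vlan(cidr)
        print(f"VLAN {vid:<2} {name:<8} {cidr:<16} mask {d['mask']:<15} "
              f"bcast {d['broadcast']:<15} hosts {d['hosts']}")
    print("problems:", check_plan() or "none")
```

Running it shows the /22 broadcast addresses are 10.1.3.255 and 10.200.3.255; an address such as 10.1.63.255 falls outside the user VLAN entirely, which is the kind of slip the check is there to catch before it reaches a firewall rule.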
4. FIREWALL, VPN, AV AND WEB FILTER - FORTINET
We are recommending the use of an all-in-one hardware solution from Fortinet to
address these needs.
The travel industry faces many cyber threats because of the nature of the online booking business. With
the EU data protection regulation agreed this year, client information must be
protected as a priority, as a single breach could bankrupt a business. A normal business
day involves retention of data, financial information, credit card
information, names, addresses, passport information and flight details, all of which
expose clients to identity theft if lost, and the company must meet the Payment Card Industry
(PCI DSS) standard when handling card data.
Traditionally an SME would run multiple systems, a complicated mix of units and
support services from many vendors, each with its own alerts and way of being managed, leading to an
unmanageable infrastructure where gaps can be difficult to find. A single appliance providing
firewall, VPN, antivirus and web filtering gives one policy and one log for each site edge.
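To make the segmentation concrete, here is an added example (written for this review, not code from the case study or from Fortinet) that models the inter-VLAN rule set as an ordered allow list with a default deny and evaluates sample flows against it. The VLAN names and prefixes are the proposal's; the rules, port numbers and sample addresses are assumptions chosen for the example, and the real policy would be configured on the FortiGate.

```python
"""Inter-VLAN policy check for the proposed segmentation.

Added example, not part of the original case study. It models the
Fortinet appliance's inter-VLAN rule set as an ordered allow list with a
default deny and evaluates sample flows against it. The VLAN names and
prefixes are the proposal's; the rules, ports and sample addresses are
assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass

# VLAN names and prefixes as proposed.
VLANS = {
    "users":   ipaddress.ip_network("10.1.0.0/22"),
    "voip":    ipaddress.ip_network("10.200.0.0/22"),
    "devices": ipaddress.ip_network("192.168.1.0/24"),
    "servers": ipaddress.ip_network("192.168.2.0/28"),
}


@dataclass(frozen=True)
class Rule:
    src: str           # source VLAN name
    dst: str           # destination VLAN name
    proto: str         # "tcp" or "udp"
    ports: frozenset   # permitted destination ports
    comment: str


# Assumed allow list; first match wins and anything unmatched is denied.
POLICY = [
    Rule("users", "servers", "tcp", frozenset({443}), "thin clients to StoreFront/XenDesktop"),
    Rule("users", "servers", "tcp", frozenset({88, 389, 445, 636}), "AD logon, LDAP and file shares"),
    Rule("users", "servers", "udp", frozenset({53, 88, 123}), "DNS, Kerberos and NTP"),
    Rule("users", "devices", "tcp", frozenset({631, 9100}), "printing to MFDs"),
    Rule("servers", "devices", "tcp", frozenset({9100}), "print server to MFDs"),
]


def vlan_of(ip: str) -> str:
    """Name of the VLAN containing `ip`, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple:
    """Return (verdict, reason) for one flow."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst != "unknown":
        # Same-VLAN traffic is switched locally and never reaches the firewall.
        return ("allow", f"intra-VLAN {src}, not policed here")
    for rule in POLICY:
        if (rule.src, rule.dst, rule.proto) == (src, dst, proto) and dport in rule.ports:
            return ("allow", rule.comment)
    return ("deny", f"no rule for {src} -> {dst} {proto}/{dport}, default deny")


def audit(flows) -> list:
    """Evaluate a list of (src, dst, proto, dport) tuples and return the verdicts."""
    return [evaluate(*f)[0] for f in flows]


# Constructed sample flows: a compromised MFD or phone trying to reach the
# servers is denied by policy, not by the size of the server prefix.
SAMPLE_FLOWS = [
    ("10.1.0.10",    "192.168.2.5",  "tcp", 443),   # thin client -> Citrix: allow
    ("10.1.0.10",    "192.168.2.5",  "tcp", 3389),  # user -> RDP on server: deny
    ("192.168.1.20", "192.168.2.5",  "tcp", 445),   # MFD -> file server: deny
    ("10.200.0.30",  "192.168.2.5",  "tcp", 443),   # phone -> Citrix: deny
    ("10.1.0.10",    "192.168.1.20", "tcp", 9100),  # user -> MFD print: allow
    ("10.1.0.10",    "10.200.0.30",  "udp", 5060),  # user -> phone SIP: deny
]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(verdict.upper(), flow, evaluate(*flow)[1])
```

The point of the model is the last line of `evaluate`: a flow that matches no rule is denied, so adding a host to the server VLAN exposes nothing until a rule is written for it, whereas an "allow all" between VLANs would make the /28 irrelevant.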
5. SOFTWARE
VLAN    Name     Subnet Mask       Network Addr.   Broadcast Addr.   Usable Hosts
VLAN 1  Users    255.255.252.0     10.1.0.0        10.1.3.255        1,022
VLAN 2  VOIP     255.255.252.0     10.200.0.0      10.200.3.255      1,022
VLAN 3  Devices  255.255.255.0     192.168.1.0     192.168.1.255     254
VLAN 4  Servers  255.255.255.240   192.168.2.0     192.168.2.15      14
DESKTOP AND OFFICE
Citrix XenDesktop
We are recommending a thin-client architecture as detailed above, running Citrix
XenDesktop. The provided VDIs will run Windows 10, to ensure the latest support
and security patches are available from Microsoft.
Office 365
For enabling the office to communicate effectively and produce quality documentation:
- Microsoft Office Suite.
HRMS
We are recommending the purchase of a new HR Management System to satisfy the HR
software requirements. For this, we are recommending Sage Software's "Sage
HR". This stores employee data in one place and integrates with the Sage Payroll
solution.
PAYROLL
We are recommending the purchase of a new payroll system to satisfy the HR and
Accounts payroll software requirements. For this, we are recommending Sage
Software's "Micropay Professional". This allows uploading of timesheets, shares common
employee data with Sage HR and integrates with the firm's accounting software.
(Shop.sage.ie, 2016)
CRM
Again, for the CRM software, to maintain the standardized software offering, consistent
look and feel and sharing of common data, we are recommending Sage's "CRM Cloud
Professional". (Shop.sage.ie, 2016)
PAYMENTS
It will be critical for the fully networked business and the new online presence of Honeymoon Holidays
that they can securely accept payments online and over the phone. To facilitate this, we are
recommending the use of "Sage Pay Online Payments". This will be available to the Sales
staff on mobile, tablet and laptop, to the administration staff, and via the new
company website (Sage.ie, 2016). Handing card data to the payment provider rather than storing
it locally also keeps most of the internal network out of PCI DSS scope.
ACCOUNTS
There is a requirement to replace the outdated accounting system, and in keeping with the
entire Sage suite and the integration benefits that it brings, we are recommending the use of
"Sage 50 Accounts Professional" (Sage.ie, 2016). This also meets the requirement for
integration with the company's banking provider.
6. COMPANY WEBSITE
With the new infrastructure rollout and approach to business, it is strongly advised that a
website be provided for internal use and external clients. The website should follow the name of the company,
www.honeymoonholidays.com. The domain name should be registered online with any
readily available registrar (letshost.ie, register365.ie, blackknight.ie) for a small cost of
approx. 20 per month. The website should be hosted on the MS Azure business platform (IaaS
and PaaS). With the PaaS model, Azure can be used as a development, hosting and
management service, allowing the company full autonomy to design a website that provides a
full intranet and internet service. Azure offers various purchase options; the recommended one is the
Pay-As-You-Go subscription, with no minimum purchase or commitment and the ability to cancel at any time.
DETAILED NETWORK DESIGN
LOCAL AREA NETWORK
1. DUBLIN
NETWORK DESIGN AND LAYOUT
Accounts Team, First Floor, Dublin
[Figure 8, Network for Accounts Department: Accounts thin clients (VLAN 1) and VoIP phones (VLAN 2) connected to Access Switch 1 and Access Switch 2 (Layer 2, MVRP clients).]
8 Network for Accounts Department
There will be 7 VOIP phones, set up on the “VOIP - VLAN 2”, which will be connected to either Access Switch 1 or Access Switch 2 via powered Ethernet (PoE) as per the above diagram. The VOIP phones will provide an Ethernet pass-through for the connected thin-client terminals. There is capacity for further growth on each switch.
Desktops: Users VLAN 1
Network Address: 10.1.0.0/22
Broadcast Address: 10.1.3.255
Subnet Mask: 255.255.252.0
Phones: VOIP VLAN 2
Network Address: 10.200.0.0/22
Broadcast Address: 10.200.3.255
Subnet Mask: 255.255.252.0
HR & Management, First Floor, Dublin
Figure 9: VLAN layout for HR & Management, Dublin (diagram: VLAN 1 HR + MANAGEMENT endpoints for HR, MD and Finance, and VLAN 2 VOIP, connected to Access Switch 3 and Access Switch 4, both Layer 2 MVRP clients)
There will be 5 VOIP phones, set up on the “VOIP - VLAN 2”, which will be connected to either Access Switch 3 or Access Switch 4 via powered Ethernet (PoE) as per the above diagram. The VOIP phones will provide an Ethernet pass-through for the connected thin-client terminals. There is capacity for further growth on each switch.
Desktops: Users VLAN 1
Network Address: 10.1.0.0/22
Broadcast Address: 10.1.3.255
Subnet Mask: 255.255.252.0
Phones: VOIP VLAN 2
Network Address: 10.200.0.0/22
Broadcast Address: 10.200.3.255
Subnet Mask: 255.255.252.0
Sales, Ground Floor, Dublin
Figure 10: VLAN layout for Sales team, Dublin (diagram: VLAN 1 SALES endpoints and VLAN 2 VOIP connected to Access Switch 5 and Access Switch 6, both Layer 2 MVRP clients)
There will be 9 VOIP phones, set up on the “VOIP - VLAN 2”, which will be connected to either Access Switch 5 or Access Switch 6 via powered Ethernet (PoE) as per the above diagram. The VOIP phones will provide an Ethernet pass-through for the connected thin-client terminals and for laptop LAN cables when required at the desk. There is capacity for further growth on each switch.
Sales tablets and mobile devices can access the wireless network as needed (see Proposed Wireless Plan).
Desktops: Users VLAN 1
Network Address: 10.1.0.0/22
Broadcast Address: 10.1.3.255
Subnet Mask: 255.255.252.0
Phones: VOIP VLAN 2
Network Address: 10.200.0.0/22
Broadcast Address: 10.200.3.255
Subnet Mask: 255.255.252.0
Administration, Ground Floor, Dublin
Figure 11: VLAN layout for Administration, Dublin (diagram: VLAN 1 ADMINISTRATION endpoints and VLAN 2 VOIP connected to Access Switch 7 and Access Switch 8, both Layer 2 MVRP clients)
There will be 7 VOIP phones, set up on the “VOIP - VLAN 2”, which will be connected to either Access Switch 7 or Access Switch 8 via powered Ethernet (PoE) as per the above diagram. The VOIP phones will provide an Ethernet pass-through for the connected thin-client terminals. There is capacity for further growth on each switch.
Desktops: Users VLAN 1
Network Address: 10.1.0.0/22
Broadcast Address: 10.1.3.255
Subnet Mask: 255.255.252.0
Phones: VOIP VLAN 2
Network Address: 10.200.0.0/22
Broadcast Address: 10.200.3.255
Subnet Mask: 255.255.252.0
Devices and Meeting Room
Figure 12: Access Switch MVRP client (diagram: Access Switch 2, Layer 2 MVRP client, VLAN 3 with MFD (Printer, Scanner, Copier) and PolyCon with video)
Figure 13: Access Switch MVRP client (diagram: Access Switch 8, Layer 2 MVRP client, VLAN 3 with MFD (Printer, Scanner, Copier))
Devices will be connected to the “Devices - VLAN 3”, along with the PolyCon equipment present in the first floor meeting area. These are connected to Access Switch 2 and Access Switch 8 respectively, where there is still further room for growth.
Devices VLAN 3
Network Address: 192.168.1.0/24
Broadcast Address: 192.168.1.255
Subnet Mask: 255.255.255.0
2. CORK PREMIUM TRAVEL
Figure 14: VLAN layout Cork Office, Switch 9 (diagram: VLAN 1 PREMIUM TRAVEL endpoints and VLAN 2 VOIP connected to Access Switch 9, Layer 2)
Figure 15: VLAN layout Cork Office, Switch 10 (diagram: VLAN 1 PREMIUM TRAVEL endpoints and VLAN 2 VOIP connected to Access Switch 10, Layer 2)
There will be 10 VOIP phones, set up on the “VOIP - VLAN 2”, which will be connected to either Access Switch 9 or Access Switch 10 via powered Ethernet (PoE) as per the above diagram. The VOIP phones will provide an Ethernet pass-through for the laptops when being used at the desks. Laptops also have connectivity to the building’s WAP (see Proposed Wireless Plan). The recommendation for laptops here is purely on the basis that these staff may also be acting as “on-the-road” sales staff. It will be at the company’s discretion whether laptops or additional thin-client desktops would be the preference here.
There is capacity for further growth on each switch.
Desktops: Users VLAN 1
Network Address: 10.1.0.0/22
Broadcast Address: 10.1.3.255
Subnet Mask: 255.255.252.0
Phones: VOIP VLAN 2
Network Address: 10.200.0.0/22
Broadcast Address: 10.200.3.255
Subnet Mask: 255.255.252.0
Figure 16: Printer Scanner Copier, Cork office (diagram: VLAN 3 with MFD (Printer, Scanner, Copier))
A single MFD will be connected to the “Devices - VLAN 3”. These are connected to Access Switch 2 and Access Switch 8 respectively, where there is still further room for growth or the addition of another Polycom device.
Devices VLAN 3
Network Address: 192.168.1.0/24
Broadcast Address: 192.168.1.255
Subnet Mask: 255.255.255.0
3. SERVER ROOMS
Server rooms will consist of three servers, one router and a firewall per site, along with hosting the distribution switches (to be assessed on further inspection of the premises). This network is kept to a small range of IP addressing to act as a basic first line of security against potential breaches, while still allowing sufficient room for growth if required.
Diagram: Dublin server room, Servers VLAN 4. CE Dublin Office Router (Layer 3); Fortinet Firewall with AV, VPN and Web Filtering; Windows AD + File Server; Citrix XenDesktop Server (SSL V2.0); SAGE Server; connected via Access Switch 11 and Access Switch 12 (Layer 2, MVRP clients).
Servers VLAN 4:
Network Address: 192.168.2.0/28
Broadcast Address: 192.168.2.15
Subnet Mask: 255.255.255.240
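The addressing plan listed in the sections above, checked with an added example that is not part of the original design: the networks are the page's own, while the host demand figures are totalled from the device counts given in the design (38 VOIP phones across Dublin and Cork, 3 MFDs plus one PolyCom, 3 servers plus a router and firewall per site).

```python
"""Added example (not part of the original design): validate the VLAN
addressing plan with Python's standard ipaddress module. The networks are the
page's own; the demand figures are totalled from the device counts in the
design and are a constructed check, not a figure from the report."""
import ipaddress
from typing import Dict, List

# Addressing plan exactly as specified in the design.
VLAN_PLAN: Dict[str, str] = {
    "VLAN 1 Users":   "10.1.0.0/22",
    "VLAN 2 VOIP":    "10.200.0.0/22",
    "VLAN 3 Devices": "192.168.1.0/24",
    "VLAN 4 Servers": "192.168.2.0/28",
}

# Constructed demand: 7+5+9+7 Dublin phones + 10 Cork phones = 38, one thin
# client per phone, 3 MFDs + 1 PolyCom, and 3 servers + router + firewall
# per site across two sites.
DEMAND: Dict[str, int] = {
    "VLAN 1 Users": 38,
    "VLAN 2 VOIP": 38,
    "VLAN 3 Devices": 4,
    "VLAN 4 Servers": 10,
}


def describe(network: str) -> Dict[str, object]:
    """The figures the design lists per VLAN, derived from the prefix."""
    net = ipaddress.ip_network(network, strict=True)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "usable_hosts": net.num_addresses - 2,   # minus network + broadcast
    }


def check_plan(plan: Dict[str, str], demand: Dict[str, int]) -> List[str]:
    """Findings about the plan; an empty list means it is consistent."""
    findings: List[str] = []
    valid: Dict[str, ipaddress.IPv4Network] = {}
    for name, cidr in plan.items():
        try:
            # strict=True rejects e.g. 10.1.1.0/22, whose host bits are set
            valid[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append(f"{name}: {cidr} has host bits set or is malformed")
    names = list(valid)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if valid[a].overlaps(valid[b]):
                findings.append(f"{a} overlaps {b}")
    for name, hosts in demand.items():
        if name in valid and valid[name].num_addresses - 2 < hosts:
            findings.append(f"{name} too small for {hosts} hosts")
    return findings


def in_vlan(address: str, plan: Dict[str, str]) -> str:
    """Which VLAN an address belongs to ("" if none). Handy when writing the
    firewall access lists so that only the small server range is admitted."""
    ip = ipaddress.ip_address(address)
    for name, cidr in plan.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return ""


if __name__ == "__main__":
    for vlan_name, vlan_cidr in VLAN_PLAN.items():
        print(vlan_name, describe(vlan_cidr))
    print("findings:", check_plan(VLAN_PLAN, DEMAND) or "none")
    print(in_vlan("192.168.2.5", VLAN_PLAN))   # VLAN 4 Servers
```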
WIDE AREA NETWORK
1. INTER-OFFICE COMMUNICATIONS
For inter-office communication, each site/office requires an internet connection via its local ISP.
Each site’s connection bandwidth to the Internet depends on the amount and frequency of data traffic between offices/sites.
Each site will require a router as the point of inbound/outbound traffic, and a firewall will be required to protect the LAN from malicious attacks; all inbound/outbound traffic will be filtered through it. To establish inter-office connectivity, a virtual private network (VPN) will be set up on each firewall to allow transparent data traffic between offices/sites.
Firewalls also provide tools to set up access lists through which specific traffic is allowed or denied in/out of each office.
In effect the above scheme establishes Honeymoon Holidays’ Wide Area Network (WAN).
For the ISPs it is vital that the business internet service provides Multiprotocol Label Switching (MPLS). MPLS operates at “layer 2.5” of the OSI model, with a label header added to the layer 2 frame. It allows for tunneling across the ISP from one site to another, effectively extending the LAN. It is a one-to-many connection which, with two or more offices, is not dependent on a single “central” office. The extension of the LAN over the ISP network is important on two fronts:
1. Simplicity: The devices on each site, in each VLAN, are effectively local, making the overall network easier to manage.
2. Quality of Service: QoS considerations are paramount when an organization is using real-time audio communication with VOIP phones. It is far more important that there are no dropped packets with this type of traffic, and MPLS allows for the extension of QoS over the ISP’s network to give voice traffic priority over data traffic.
More broadly speaking, this allows for differentiated services:
- Classify traffic
- Mark traffic
- Congestion Management (queuing)
- Congestion Avoidance
- Traffic Conditioning
- Traffic Policing
- Traffic Shaping
Internal QoS classifications can be mapped to the ISP’s classifications and vice versa:
OSI MODEL
Figure 18: OSI layer model (Blog.buildingautomationmonthly.com, 2016)
Relate to Honeymoon Holidays:
Figure 19: OSI 7 layers
DATA TRANSFER
Application data will traverse the new network topology as described below through
encapsulation and decapsulation.
Figure 20: Data flow through the OSI model.
Layer | Description | Honeymoon Holidays
7 Application | Functions performed by users to complete various tasks over the network. | Applications leveraging HTTP: Citrix, Office 365, Sage etc.
6 Presentation | Special processing required by applications, such as translation and encryption | May be leveraged by Fortinet, or other uses of e.g. SSL
5 Session | Logical linking of software application processes | Any software leveraging APIs
4 Transport | Link between application layers and lower ‘concrete’ layers | TCP/IP, UDP
3 Network | Defines how interconnected networks function | VLANs, Dist Switches
2 Data Link | LAN technologies | Ethernet, 802.11
1 Physical | Hardware specs, encoding, data transmission and reception | Physical equipment, topologies
OSI 7 Layers: Host A (encapsulation) -> Network -> Host B (decapsulation)
7 Application  : [Data]
6 Presentation : [Data]
5 Session      : [Data]
4 Transport    : [TCP][Data]
3 Network      : [IP][TCP][Data]
2 Data Link    : [Ethernet][IP][TCP][Data]
1 Physical     : bits on the wire, e.g. 11010101110101101110000111000001111110101
Example of a user sending an e-mail via the Office 365 cloud service.
For our networks, using IPSec for the VPN and MVPN, the following type of additional encapsulation would be present, with the MVRP VLAN information carried in the Ethernet header’s 802.1Q tag.
The MPLS label allows for the extension of QoS over the ISP’s network, and ensures that the key traffic identified by Honeymoon Holidays, such as voice data, maintains a base quality, with data traffic, which can afford to be slower, being less of a priority (see section on Quality of Service).
Figure 21: Data Encapsulation
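The encapsulation described above, as an added example that is not from the original report: it builds an 802.1Q-tagged Ethernet/IPv4/UDP frame for a VOIP VLAN 2 packet with its priority markings, pushes the MPLS shim an ISP edge would add, and decapsulates it again. MAC addresses, IPs, ports and the label value are constructed; the PCP/DSCP values are the conventional voice and best-effort markings, and copying the PCP into the MPLS traffic class is an assumed ISP mapping, not something the report specifies.

```python
"""Added example (not from the original report): encapsulate and decapsulate a
Honeymoon Holidays frame. Layers: payload -> UDP -> IPv4 (DSCP) -> 802.1Q
Ethernet (PCP + VLAN ID) -> optional MPLS shim pushed by the ISP edge.
MACs, IPs, ports and the MPLS label are constructed sample values."""
import struct

# VLAN ids are the page's. PCP/DSCP are the conventional markings (voice =
# 802.1p priority 5 / DSCP 46 "EF", data = best effort); not from the page.
QOS_CLASS = {
    1: {"name": "data",  "pcp": 0, "dscp": 0},   # Users VLAN 1
    2: {"name": "voice", "pcp": 5, "dscp": 46},  # VOIP VLAN 2
}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_frame(vlan, src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Encapsulation on Host A: each layer prepends its own header."""
    cls = QOS_CLASS[vlan]
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # cksum 0 = none
    tos = cls["dscp"] << 2                        # DSCP is the top 6 bits of TOS
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + udp_len, 0, 0x4000,
                         64, 17, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    tci = (cls["pcp"] << 13) | (vlan & 0x0FFF)    # PCP(3) DEI(1) VID(12)
    return (dst_mac + src_mac + struct.pack("!HH", 0x8100, tci)
            + b"\x08\x00" + ip_hdr + udp)


def push_mpls(frame: bytes, label: int) -> bytes:
    """What the ISP edge does: insert the 4-byte MPLS shim (label, traffic
    class, bottom-of-stack, TTL) after the 802.1Q tag, EtherType 0x8847.
    Copying the frame's PCP into the traffic class carries the internal voice
    priority across the provider network (assumed mapping)."""
    tci = struct.unpack("!H", frame[14:16])[0]
    pcp = tci >> 13
    shim = struct.pack("!I", (label << 12) | (pcp << 9) | (1 << 8) | 64)
    return frame[:16] + b"\x88\x47" + shim + frame[18:]


def parse(frame: bytes) -> dict:
    """Decapsulation on Host B: strip each header and report what it carried."""
    if frame[12:14] != b"\x81\x00":
        raise ValueError("expected an 802.1Q tagged frame")
    tci = struct.unpack("!H", frame[14:16])[0]
    info = {"vlan": tci & 0x0FFF, "pcp": tci >> 13}
    off = 16
    ethertype = frame[off:off + 2]
    off += 2
    if ethertype == b"\x88\x47":                  # MPLS unicast: shim present
        shim = struct.unpack("!I", frame[off:off + 4])[0]
        off += 4
        info["mpls"] = {"label": shim >> 12, "tc": (shim >> 9) & 7,
                        "bos": (shim >> 8) & 1}
    ihl = (frame[off] & 0x0F) * 4
    ip_hdr = frame[off:off + ihl]
    info["dscp"] = ip_hdr[1] >> 2
    info["checksum_ok"] = ipv4_checksum(ip_hdr) == 0
    info["src_ip"] = ".".join(str(b) for b in ip_hdr[12:16])
    info["dst_ip"] = ".".join(str(b) for b in ip_hdr[16:20])
    off += ihl
    sport, dport, ulen, _ = struct.unpack("!HHHH", frame[off:off + 8])
    info["udp"] = (sport, dport)
    info["payload"] = frame[off + 8:off + ulen]
    return info


if __name__ == "__main__":
    phone_a = b"\x02\x00\x00\x00\x00\x01"         # constructed local MACs
    phone_b = b"\x02\x00\x00\x00\x00\x02"
    voice = build_frame(2, phone_a, phone_b, "10.200.0.10", "10.200.0.20",
                        5004, 5004, b"rtp-sample")
    print(parse(voice))                           # vlan 2, pcp 5, dscp 46
    print(parse(push_mpls(voice, 17)))            # plus mpls label 17, tc 5
```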
SECURITY
1. PROVIDED MEASURES
In order to apply protection against these real threats to a business and minimize the potential for a breach, the following will be required:
Firewall
- The service is based on Fortinet’s award-winning range of Next Generation Firewall (NGFW) and Unified Threat Management (UTM) appliances, which provide a range of firewall, VPN, intrusion prevention (IPS), anti-malware and web filtering capabilities.
- The firewall service provides organizations with a firewall optimized and configured for their environment. Fortinet is the provider of ICSA, EAL4+ & NSS* certified UTM solutions, powered by a custom-designed ASIC chip for real-time content processing and network protection.
- Firewalls are delivered with the full UTM subscription, which provides a range of firewall, VPN, IPS, anti-malware and web filtering capabilities. Once the firewall is installed and configured, ongoing configuration, maintenance and support is delivered by our SOC staff, who monitor the environment on a 24x7 basis.
Anti-Virus
- Real-time protection against the installation of malicious software
VPN
- SSL VPN establishes an encrypted link, ensuring that all data passed between the
web server and the browser remains private and secure.
Web filtering
- Combines sophisticated filtering capabilities together with a powerful policy
engine and cloud-based model to create a high performance and flexible web
content filtering solution
Anti-Spam
- Antispam detection capabilities provide greater protection than standard real-time
blacklists.
Intrusion protection
- Monitor, log, identify and block malicious network activity.
Data loss prevention
- Sophisticated pattern matching to prevent unauthorized communication of sensitive or regulated data through the corporate perimeter.
Fortinet solutions allow easy management of all components under one roof. Fortinet has a comprehensive security infrastructure from the VM service to the endpoint, and a complete solution that delivers more control, greater visibility and less complexity. Fortinet offers a firewall device that provides all of these protections in one box, and we would highly recommend the Fortinet solution. See the appendix for a description of all the solutions below.
Enabling this configuration will allow for greater protection and compliance for Honeymoon Holidays, as the current system has many vulnerabilities. Within the control we can also implement an internet proxy client within the domain controller to manage what the internal teams have access to, which was a concern raised by the finance manager. This will provide him with better control and visibility over files and over the access of each team member and department.
2. FURTHER CONSIDERATIONS
With access to the VPN, both the CEO and the finance manager will be able to work remotely by logging in via VPN and have secure access to shared drives without having to use USB connections. This will also allow the sales team to log in remotely while out on the road instead of calling in each evening to get pricing, and allow for “REAL-TIME” updates on pricing.
Within the network we will also need to separate out the printers, scanners, wireless controller and APs on different VLANs to ensure control, as the accounts team and HR department must have greater security because they hold account and admin-sensitive details.
As retail shops will have their own devices and their own Wi-Fi access, we will issue VPN soft-tokens to them so that they can securely update customer information and sales as appropriate.
PROPOSED WIRELESS PLAN
We propose a wireless network to enable BYOD, business tablets and the ability of users to hot seat within the business. There are two basic types of wireless deployment, coverage and capacity. The goal is to provide a good quality of service (QoS) over as much area as possible with a single or multiple access points.
In coverage deployments the number of access points (APs) is determined by signal strength, which in turn is determined by the type of site, floor layout, construction materials, number of floors, physical obstructions, etc.
With capacity the objective is to provide a good quality of wireless service to enable the business to use its devices efficiently. Factors that determine QoS are the number of users covered by a single AP, the number of Wi-Fi devices per person, the percentage of users expected to be active, the type of applications being used, etc.
WIRELESS AP
FortiAPs are thin access points, delivering secure, identity-driven Wi-Fi access for an enterprise network, managed centrally by the integrated WLAN controller of any FortiGate security appliance. With the integration of the wireless controller functionality into the market-leading FortiGate appliance, Fortinet delivers a true Unified Access Layer. This enables you to easily manage wired and wireless security from a “Single Pane of Glass” management console and protects your network from the latest security threats.
INDOOR ENTERPRISE WLAN DEPLOYMENT
Office Wi-Fi provides a convenient way of hot desking without the need for extra cabling in each office. It also provides Internet access to mobile and tablet devices as well as to visiting clients. Users can take laptops into meetings and connect via office Wi-Fi, eliminating the need for extra cabling connections in the boardroom or other meeting rooms.
APs are low-cost devices and require very little in terms of management and maintenance once set up.
To implement office Wi-Fi, HMT needs a Wi-Fi controller connected to the office LAN. Using the Wi-Fi controller application we can set up wireless access points (WAPs) at appropriate locations in the office.
For ease of administration and maintenance all offices are given the same identifiable universal HMT-Wi-Fi name and SSID.
To protect the company LAN from visiting clients, a separate Wi-Fi VLAN can be set up that only allows Internet traffic; that way a visiting person connected to the company Wi-Fi cannot access the internal LAN, data and systems.
Figure 22: FortiAP Wireless AP
Highlights
- Supports the latest 802.11ac technology with an association rate of up to 1.3 Gbps.
- Leverages existing FortiGate or FortiWiFi platforms as controllers for low TCO.
- Integration with FortiManager and FortiAnalyzer for centralized management and reporting.
- Fast Roaming for uninterrupted data access.
- Automatic Radio Resource Provisioning (ARRP) for optimized throughput.
- Layer 7 application control prioritizes business traffic.
- Rogue AP detection and mitigation to satisfy PCI DSS compliance.
Key Features & Benefits
- Advanced Security Protection: Wireless LAN security done right, from the leader in network security. Integrated Firewall, IPS, Application Control, and Web Filtering protect the wireless LAN from the latest security threats.
- Integrated WIDS and Rogue AP Suppression: Protects the network from advanced wireless threats and satisfies PCI DSS compliance.
- Deep Application Control: Fortinet goes above Wireless Multimedia Extensions (WME) by offering deep Layer 7 inspection to precisely control applications and bandwidth usage.
- “Single Pane of Glass” Management Console: A unified management console simplifies operations, ensuring consistent and effective policy enforcement and compliance.
PLANNING WI-FI LAYOUT
Wi-Fi is a shared medium and operates in half-duplex mode. 802.11 Wi-Fi uses a band plan that breaks up the available spectrum into groups of non-overlapping channels. How many users should use a single AP depends on the number of users that can be serviced adequately by the AP. To prevent two access points transmitting on the same channel causing device bleed and poor performance (co-channel interference, CCI), effective channel reuse must be employed. CCI can be reduced by the use of non-overlapping channels. The 5GHz band has more usable channels and throughput than 2.4GHz for Wi-Fi devices: it has 23 non-overlapping channels vs. 3 in the 2.4GHz band. However, 5GHz has a shorter range than 2.4GHz, and older devices may not use the newer 5GHz channels.
Figure 23: Channel reuse for the 2.4GHz band
It is possible to increase the potential per-user throughput by decreasing the number of users contending for the aggregate throughput provided by a single AP. This can be done by decreasing the size of the coverage area, or by adding a second AP on a non-overlapping channel in the same coverage area. To reduce the coverage area, the AP power or antenna gain can be reduced, resulting in fewer clients in that coverage area. This means you need more APs for the same overall area, increasing the cost of deployment.
Figure 24: Typical wireless AP layout with channels
To enable wireless roaming, a single AP is configured as the controller, which in turn manages multiple APs that share the same configuration. A feature known as “fast roaming” enables users to move between APs (floors and buildings) without losing signal connectivity and authentication.
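The channel reuse rule from the planning section above, worked as an added example that is not part of the original report: a greedy assignment of non-overlapping channels to APs whose coverage areas overlap, run once for the 3 channels of the 2.4GHz band and once for a sample set of 5GHz channels, counting the co-channel conflicts left in each case. The two-floor office layout, AP names and neighbour relations are constructed; the 5GHz list is the eight 20 MHz UNII-1/UNII-2A channels, a subset of the 23 the text mentions.

```python
"""Added example (not from the original report): assign non-overlapping Wi-Fi
channels to APs whose coverage areas overlap so that neighbouring APs never
share a channel when the band allows it. Layout and AP names are constructed."""
from typing import Dict, Iterable, List, Set, Tuple

CHANNELS_2_4GHZ = [1, 6, 11]                       # the 3 non-overlapping channels
# Sample 5GHz pool: the eight 20 MHz UNII-1/UNII-2A channels (a subset of the
# 23 the text mentions; regulatory availability varies by country).
CHANNELS_5GHZ_SAMPLE = [36, 40, 44, 48, 52, 56, 60, 64]

# Constructed layout: AP pairs whose coverage areas overlap (same-floor
# neighbours, APs directly above/below each other, and a central stairwell AP6).
OFFICE_EDGES: List[Tuple[str, str]] = [
    ("AP1", "AP2"), ("AP2", "AP3"), ("AP1", "AP3"),   # ground floor
    ("AP4", "AP5"),                                   # first floor
    ("AP1", "AP4"), ("AP2", "AP5"),                   # floor-to-floor bleed
    ("AP6", "AP1"), ("AP6", "AP2"), ("AP6", "AP3"),   # central stairwell AP
]


def build_adjacency(edges: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Symmetric neighbour map from the list of overlapping AP pairs."""
    adj: Dict[str, Set[str]] = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def plan_channels(adj: Dict[str, Set[str]], channels: List[int]) -> Dict[str, int]:
    """Greedy colouring in Welsh-Powell order: the AP with the most overlapping
    neighbours is placed first, and each AP takes the first channel that none
    of its already-placed neighbours use. If the pool is exhausted it takes
    the channel with the fewest conflicting neighbours (unavoidable CCI)."""
    order = sorted(adj, key=lambda ap: (-len(adj[ap]), ap))
    assigned: Dict[str, int] = {}
    for ap in order:
        used = {assigned[n] for n in adj[ap] if n in assigned}
        free = [c for c in channels if c not in used]
        if free:
            assigned[ap] = free[0]
        else:
            assigned[ap] = min(channels, key=lambda c: (
                sum(1 for n in adj[ap] if assigned.get(n) == c), c))
    return assigned


def cci_conflicts(adj: Dict[str, Set[str]],
                  assignment: Dict[str, int]) -> List[Tuple[str, str]]:
    """Overlapping AP pairs left on the same channel: the CCI hot spots a
    site survey would need to fix with power reduction or more channels."""
    pairs = set()
    for ap, neighbours in adj.items():
        for n in neighbours:
            if assignment[ap] == assignment[n]:
                pairs.add(tuple(sorted((ap, n))))
    return sorted(pairs)


if __name__ == "__main__":
    office = build_adjacency(OFFICE_EDGES)
    for band, pool in (("2.4GHz", CHANNELS_2_4GHZ), ("5GHz", CHANNELS_5GHZ_SAMPLE)):
        plan = plan_channels(office, pool)
        print(band, plan, "conflicts:", cci_conflicts(office, plan))
```

With only three 2.4GHz channels the four mutually overlapping APs (AP1, AP2, AP3, AP6) cannot all be separated, so one conflict remains; the 5GHz pool clears it, which is the text's point about the larger band.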
IMPLEMENTATION
ROLLOUT PHASES
Take a phased approach to implementation.
Deliver the core network components first
- Routers
- Switches
- Firewalls
- Cabling
Follow with core main access pieces
- XenDesktop Servers
- AD/File system Servers
- Thin Client Machines
- VOIP ‘Phones’
Users can now access desktops and shared files, have internet access and are protected with
reasonable security measures via the multi-purpose firewalls.
Cloud services should be brought in next, along with ensuring connectivity to the banking platform and airlines; the old ISDN lines and physical machines can then start to be decommissioned.
Other core services should follow, such as Sage Payroll and Accounts, after which the remaining old machines can be decommissioned.
Lastly, new value-add services should be brought in, such as the Sage HRMS and CRM software, the new corporate website and Pay Online.
As there is disaster recovery in place with servers at each of the two sites, extensive Operational
Testing of the equipment including site failovers should be carried out as part of implementation.
RISK MANAGEMENT
The purpose of risk management for a business is to have a guideline for plan B and to understand what potential threats could stop operations or create downtime.
In this assessment we need to look at the risks to Honeymoon Holidays’ sensitive IT systems and data, and at protecting the resources that support the business mission.
Figure 26: Risk Analysis 1
Honeymoon Holidays must look at risks to the IT system that may occur when vulnerabilities (i.e., flaws or weaknesses) in the IT system or its environment can be exploited by threats (i.e. natural, human, or environmental factors).
Risk is assessed at 3 levels, from the Probability of Threat Occurrence (Natural or Environmental Threats) or Threat Motivation and Capability (Human Threats) against the Effectiveness of Controls:
Risk level / Effectiveness of Controls: Low | Moderate | High
High: Low | Low | Moderate
Moderate: Low | Moderate | High
Low: Moderate | High | High
Risk Description:
High: Loss of confidentiality, integrity or availability which could have a severe or catastrophic effect on the business operations, assets or individuals.
Moderate: Loss of confidentiality, integrity or availability which could have a serious effect on the business operations, assets or individuals.
Low: Loss of confidentiality, integrity or availability which could have limited or little effect on the business operations, assets or individuals.
Below are the potential risks:
Figure 27: Potential Risks for Honeymoon Holidays
(Columns: Risk | Vulnerability | Threat | Risk of Compromise of | Risk Summary)
Risk 1
Vulnerability: Wet-pipe sprinkler system in Honeymoon Holidays Data Center.
Threat: Fire
Risk of compromise of: Availability of Honeymoon Holidays and data.
Risk summary: Fire would activate the sprinkler system, causing water damage and compromising the availability of Honeymoon Holidays.
Risk 2
Vulnerability: Honeymoon Holidays user identifiers (IDs) no longer required are not removed from Honeymoon Holidays in a timely manner.
Threat: Unauthorized Use
Risk of compromise of: Confidentiality & integrity of Honeymoon Holidays data.
Risk summary: Unauthorized use of unneeded user IDs could compromise the confidentiality & integrity of Honeymoon Holidays data.
Risk 3
Vulnerability: Honeymoon Holidays access privileges are granted on an ad-hoc basis rather than using predefined roles.
Threat: Unauthorized Access
Risk of compromise of: Confidentiality & integrity of Honeymoon Holidays data.
Risk summary: Unauthorized access via ad-hoc privileges could compromise the confidentiality & integrity of Honeymoon Holidays data.
Risk 4
Vulnerability: New patches to correct flaws in application security design have not been applied.
Threat: Malicious Use - cyber crime
Risk of compromise of: Confidentiality & integrity of Honeymoon Holidays data.
Risk summary: Exploitation of un-patched application security flaws could compromise the confidentiality & integrity of Honeymoon Holidays data.
Risk 5
Vulnerability: User names & passwords are in scripts & files.
Threat: Malicious Use - cyber crime
Risk of compromise of: Confidentiality & integrity of Honeymoon Holidays data.
Risk summary: Exploitation of passwords in scripts & files could result in compromise of the confidentiality & integrity of Honeymoon Holidays data.
Risk 6
Vulnerability: Passwords are not set to expire; regular password changes are not enforced.
Threat: Malicious Use - cyber crime
Risk of compromise of: Confidentiality & integrity of Honeymoon Holidays data.
Risk summary: Compromise of unexpired/unchanged passwords could result in compromise of the confidentiality & integrity of Honeymoon Holidays data.
Risk 7
Vulnerability: Sensitive Honeymoon Holidays data is stored on USB drives.
Threat: Malicious Use
Risk of compromise of: Confidentiality of Honeymoon Holidays data.
Risk summary: Loss or theft of USB drives could result in compromise of the confidentiality of Honeymoon Holidays data.
Recommended controls required for Honeymoon Holidays:
Figure 28: Recommended Risk Control for Honeymoon Holidays
Control Area | Planned or in-place
Data Protection | Planned
Facilities Security & Personnel Security | Planned
Threat Management & Security Controls | Planned
Risk Management | Planned
Contingency Planning | Planned
IT Systems Security | Planned
Description of Controls:
- IT System & Data Sensitivity Classification
- IT Security Roles & Responsibilities
- Business Impact Analysis
- IT System Inventory & Definition
- IT Security Audits
- Continuity of Operations Planning
- IT Disaster Recovery Planning
- IT System & Data Backup & Restoration
- IT System Hardening
- Malicious Code Protection
- IT Systems Development Life Cycle Security
- Account Management
- Password Management
- Remote Access
- Data Storage Media Protection
- Encryption
- Facilities Security
- Access Determination & Control
- IT Security Awareness & Training
- Acceptable Use
- Incident Handling
- Threat Detection
- Security Monitoring & Logging
- IT Asset Control
- Software License Management
- Configuration Management & Change Control
CONCLUSION
Honeymoon Holidays as it stands today is not an IT-efficient company. With no IT network between departments or offices, it wastes time managing the business instead of growing the business to meet the demands of an ever more IT-literate public. For the company to grow and survive long term, improvements in its IT infrastructure are a must.
The key areas of reform will be the current IT network and communication between the various departments, while retaining full security of data. The net benefits are: ease of access for remote sales and managerial staff; up-to-date reports on business profitability and expenditure; staff management, HR resourcing and accounting via central Sage reporting; and a modern interface to flight booking and hotel booking software.
Once Honeymoon Holidays implements all of the above recommendations it will have a very strong, secure network infrastructure which will allow it to grow and expand within Ireland.
APPENDICES
APPENDIX 1 – VENDOR SELECTION
FORTINET
Best Price/Performance & Consolidated Security
Provides More Signatures for Visibility & Control with Web 2.0 applications
Proven Security - Threat Research & Third Party Certifications
Best price/performance network security platform in the market, which provides predictable performance in real-world traffic.
Fortinet ranks #1 in the NSS Labs Firewall 2013 and earned the NSS Labs Recommend for the Firewall, NGFW, and IPS 2013 Tests.
Fortinet continues its 5-year leadership in the Gartner Magic Quadrant for Unified Threat Management, 2013 and in 4 other Gartner Magic Quadrants.
Lowest Total Cost of Ownership and Price/Protected Mbps according to NSS Labs.
Achieved the top score on the BreakingPoint / IXIA Resiliency Test with 95.
More Web 2.0 Visibility & Control and Better Centralized Management
Easily control over 2,900 apps.
Fortinet has a range of FortiManager & FortiAnalyzer products to meet the needs of customers.
FortiManager can deploy thousands of new devices, distribute updates, or install security policies across managed assets.
FortiAnalyzer provides central security event logging, reporting, forensic research, content archiving, data mining, and malicious file quarantining.
Proven Security - Threat Research & Third Party Certifications
No one comes close to the third party certifications Fortinet has achieved. NSS Labs, ICSA, VB100, and others are a testament to the protection.
Vs Cisco
Competitive Matrix & Customer Deployment
With price/performance and proven security, Fortinet provides network security for all markets.
Fortinet provides a 10Gig appliance (FortiGate 800C) in the sub-$10K price band, whereas the initial 10Gig Cisco ASA appliance is the ASA 5585-X SSP10 at $40K, with non-competitive performance.
Currently, Cisco’s release has a choice of running IPS or next generation firewall (CX), but can’t run both.
“Gartner does not view Cisco’s security strategy as messaging effectively in the broader NGFW market”, Gartner MQ Enterprise Firewall, 2013.
Fortinet Crushes Cisco ASA 5500-X/5585-X Series in Security Performance, Scalability, & Total Cost of Ownership.
• A single Fortinet FortiGate appliance offers more functionality than up to 7 pieces of hardware from Cisco.
• With a fraction of the cost, the FortiGate 3600C vs. Cisco ASA 5585-X SSP60 is an example of how Fortinet beats Cisco in price/performance, capacity and overall security.
Benefits
Service based on Fortinet’s award-winning Next Generation Firewall (NGFW) / Unified Threat Management (UTM): complete protection against malware, spyware, spam and intrusion attempts.
Round-the-clock threat defense from our 24x7 monitoring from our Security Operations Centre.
On-going firewall maintenance (firmware / patches / upgrades).
On-going policy changes and configuration updates by our SOC staff as required.
Customizable web filtering.
Remote VPN access for users for anywhere / any device / any time access.
Next Business Day hardware replacement.
Components
Fortinet: UTM device
Fortinet: UTM subscription 8x5 NBD Enhanced Support
Next Generation Firewall (NGFW) / Unified Threat Management (UTM) device with UTM subscription
FortiGate 60D / 90D / 100D
Features
Next Generation Firewall Feature Set
Network Based AV
Antispam Service
Web Filtering Service
Intrusion Prevention
SSL VPN
VPN and Tokens
A VPN secures your users’ computer internet connection to guarantee that all of the data you’re sending and receiving is encrypted and secured, as well as providing a way to bolster your security and access resources on a network you’re not physically connected to. The best VPNs offer a solid balance of features, server location, connectivity protocols, and price. Fortinet’s SSL VPN will provide a secure connection.
Two-Factor Authentication & PKI Solutions
FortiToken Strong Authentication Solutions allow you to easily enable Two-factor
Authentication for access to protected Networks and Security devices. Two-factor
authentication solutions improve security and reduce the risk of compromise inherent in
single-factor authentication solutions such as static passwords.
User Identity Management
FortiAuthenticator extends two-factor authentication capability to multiple FortiGate
appliances and to third party solutions that support RADIUS or LDAP authentication. User
identity information from FortiAuthenticator combined with authentication information from
FortiToken ensures that only authorized individuals are granted access to your organization’s
sensitive information. This additional layer of security greatly reduces the possibility of data
leaks while helping companies meet audit requirements associated with government and
business privacy regulations. FortiAuthenticator supports the widest range of tokens possible
to suit your user requirements. With the physical time-based FortiToken 200, FortiToken
Mobile (for iOS and Android), e-mail and SMS tokens, FortiAuthenticator has token options
for all users and scenarios. Two-factor authentication can be used to control access to
applications such as FortiGate management, SSL and IPsec VPN, Wireless Captive Portal
login and third-party, RADIUS compliant networking equipment.
Enterprise Certificate-Based VPNs
Site-to-site VPNs often provide access directly to the heart of the enterprise network from many remote locations. Often these VPNs are secured simply by a preshared key which, if compromised, could give access to the whole network. FortiOS supports certificate-based VPNs; however, use of certificate-secured VPNs has been limited, primarily due to the overhead and complexity introduced by certificate management. FortiAuthenticator removes this overhead by streamlining the bulk deployment of certificates for VPN use in a FortiGate environment, cooperating with FortiManager for the configuration and automating secure certificate delivery via the SCEP protocol. For client-based certificate VPNs, certificates can be created and stored on the FortiToken 300 USB certificate store. This secure, PIN-protected certificate store is compatible with FortiClient and can be used to enhance the security of client VPN connections in conjunction with FortiAuthenticator.
Highlights
- Low cost per user with no user-based licensing makes the FortiAuthenticator one of the most cost-effective solutions in the market.
- Standards-based secure authentication which works in conjunction with FortiTokens to deliver secure two-factor authentication to any third-party device capable of authentication via RADIUS or LDAP.
- Hardened appliance which can be deployed in minutes to secure access to your network infrastructure.
- Integrates with existing solutions such as LDAP or AD servers to lower the cost and complexity of adding strong authentication to your network.
- Support for E-mail and SMS tokens enables rapid deployment of two-factor authentication without the need for additional dedicated hardware.
- User self-service password reset lowers your costs by allowing your users to reset their own password without administrator intervention.
- Certificate Authority functionality simplifies your CA management and delivers user certificate signing, FortiGate VPN, or server X.509 certificates for use in certificate-based two-factor authentication.
- Upgrade path from FortiGate/FortiToken allows you to maximize your existing investment and scale your two-factor deployment when needed.
AIRWATCH FOR MOBILE SECURITY
Mobile Device Management (MDM) software secures, monitors, manages and supports
smartphones deployed across your organization, and reports and alerts on them. The intent of MDM is
to optimize the functionality, productivity and security of a mobile communications network,
while minimizing cost and downtime.
The AirWatch service delivers a web-based, enterprise-grade mobile device and smartphone
management solution that enables organizations to secure, monitor, manage and support all
their mobile devices and their wireless infrastructure, while also achieving
compliance with the relevant governmental regulations.
This product offers five phases of managing smartphones and mobile devices:
Deploy
Activate devices using SMS, e-mail, URL and other flexible options
Enrol corporate and employee-liable devices individually or en masse
Instantly configure policies, settings, certificates and access to enterprise accounts over
the air
Wirelessly provision internal and recommended apps through the enterprise app
catalogue
Secure
Ensure authorised and compliant devices have secured access to enterprise resources
and accounts while preventing unauthorised device use by locking down device features
and enforcing restrictions
Protect personal and corporate data and the entire device through encryption and
passcode policies
Automate business policies for non-compliant or jailbroken devices
Monitor
Monitor both device and network health status and statistics
Track user activity, such as app downloads, voice, SMS and data usage against pre-
defined thresholds, white or black lists
Manage
Streamline and automate mobile asset and inventory management quickly and easily
Update and provision new policies, settings, certificates, apps, software and access to
enterprise accounts over the air
Push down apps, software or remote lock/wipe commands on demand
Support
Perform device diagnostic tests remotely to identify issues
Provide remote assistance to mobile users and communicate from the console via SMS
messaging
Take remote control of a device for more efficient troubleshooting
Industry Accolades
200+ awards, including:
Security Product of the Year
Best Integrated Security Appliance
Best UTM
Best IPS solution
Top Mid-market Solution
5 ICSA security certifications
NSS recommended (FW, NGFW, IPS, ATP) and ISO 9001 certified
APPENDIX 2 – HARDWARE SELECTION
FIREWALL HARDWARE - DUBLIN OFFICE – 100D X 2
Mid-Range Business Platform - FortiGate 100D - Rack mount deployment, ideal for mid-
range offices.
Recommended for 50 to 100+ users
2x GE RJ45 WAN Ports
1x GE RJ45 DMZ Interface Port
1x GE RJ45 Mgmt. Interface Port
2x GE RJ45 HA Interface Ports
14x GE RJ45 Switch Ports
2x Shared Media interface pairs
WIRELESS HARDWARE – DUBLIN OFFICE – FORTIAP 221C X 4
The FortiAP 221C is a dual-radio AP designed for medium density indoor environments,
including hotspot and guest or social Wi-Fi deployments. The RP-SMA antenna connectors
on the FortiAP 223C allow directional or panel antennas to be installed, providing a range of
antenna options in environments with challenging coverage requirements. The FortiAP 221C
is a dual-radio, dual-band 802.11ac AP, supporting simultaneous client
connections and rogue AP scanning for PCI compliance.
FIREWALL HARDWARE – CORK OFFICE – 90D X 2
Small Business Platform - FortiGate 90D - Desktop deployment, ideal for small offices
Recommended for 20 to 50 users
2x GE RJ45 WAN Ports
14x GE RJ45 Switch Ports
Standalone pricing: €2670, fully managed service
WIRELESS HARDWARE - CORK OFFICE - FORTIAP 24D X 2
The FortiAP 24D is a cost-effective single radio 802.11n AP, designed for non-mission
critical applications in low density indoor environments like small branch offices. The
integrated switch-ports allow you to connect additional wired devices directly to the AP, such
as PCs or printers.
ACCESS SWITCHES – DUBLIN AND CORK OFFICES – JUNIPER EX2200 (24 PORT)
We are recommending the Juniper EX2200 24 port model switches to be used as the required
Access Switches in all offices. These switches support the key features required by the
business and as called out in the System Architecture.
EX2200 switches provide:
Up to four uplink ports
12 (compact, fanless model), 24, or 48 built-in network ports with 10/100/1000BASE-T
Gigabit Ethernet connectors
Virtual Chassis capability: you can connect up to four EX2200 switches (including
EX2200-C switches) together to form one unit that you manage as a single chassis, called a
Virtual Chassis, starting in Junos OS Release 12.2
Power over Ethernet (PoE or PoE+) on all network ports (in PoE-capable models)
DISTRIBUTION SWITCHES – DUBLIN AND CORK OFFICES – JUNIPER EX4200 (24 PORT)
We are recommending the Juniper EX4200 24 port model switches to be used as the required
Distribution Switches in all offices. These switches support the key features required by the
business and as called out in the System Architecture.
EX4200 switches include:
Dual redundant power supplies that are field-replaceable and hot-swappable. An optional
additional connection to an external power source is also available.
A field-replaceable fan tray with three fans. The switch remains operational if a single fan
fails.
Redundant Routing Engines in a Virtual Chassis configuration. This redundancy enables
graceful Routing Engine switchover (GRES) and nonstop active routing (NSR).
Junos OS with its modular design that enables failed system processes to gracefully restart.
EX4200 switches have these features:
Run under Junos OS for EX Series switches
Have options of 24-port and 48-port models
Have options of full (all ports) PoE/PoE+ capability or partial (8 ports) PoE capability
Have optional uplink modules that provide connection to distribution switches
Software – Dublin and Cork Two-Factor Authentication - FortiToken software x 100
FTM-LIC-100
Software one-time password tokens for iOS, Android and Windows Phone mobile devices.
Perpetual licenses for 100 users. Electronic license certificate.
APPENDIX 3 – SOFTWARE SELECTION
MICROSOFT
Windows server 2012
Office 365, Exchange 2016
Skype for business
SAGE
Sage HR
Having a single established and widely used vendor provides consistency across HR and
Payroll applications and reduces risk. (Sage.ie, 2016)
Sage HR Pros:
MS Office integration
Sage Micropay Professional integration
Manage employee information, documents and entitlements
Manage training, performance appraisals and targets
Sage Payroll
Sage Payroll Pros:
Links to Sage Accounts and Sage HR
Manage holiday entitlements, payments and deductions
Fully manage payroll and taxes
Backup and restore key data easily
Link to online ROS submissions
Sage CRM Cloud Professional
Sage CRM Cloud Professional Pros:
Manage products and equipment
Oversee key business projects
Track competitors
Track brand and company mentions
Available on mobile (iOS and Android)
Analyze sales campaigns
Sage Pay Online
Sage Pay Online Payments Pros:
Wide range of payment options
Mail and Telephone payment support
Accepts invoice payments directly through Sage Accounts
Secure: Real-time AVS/CV2 checks and 3D Secure Authentication
Free Support 24/7
Advanced fraud screening tools as standard
Sage 50 Accounts
Sage 50 Accounts Professional Pros:
Manage company finances
Manage company products and services
Overview of customer activity
Manage Suppliers
Manage stock
Integrates with Sage Drive for cloud backups
Provides requisite bank feeds
APPENDIX 4 – BUSINESS REQUIREMENTS
Business Requirements
Req. # | Name | Description
REQ001 | Expand use of technology | Make common applications and platforms available to all staff on any device.
REQ002 | Improve delivery of services | Aid internal and external communication.
REQ003 | Strategic Alliance - Global Company | Open up the possibility of a strategic alliance with a global travel company. Make this achievable with a planned, secure network that can be opened globally. PolyCon - meeting facilities.
REQ004 | Network Connect the Retail Shops | Several retail shops around the city centre and main shopping centres.
REQ005 | MD Laptop Connectivity | Maintain the MD's laptop as it has a modern spec.
REQ006 | MD Data Transfer | Remove the need for using CDs and memory sticks to transfer data.
REQ007 | Finance Manager Connectivity | Refresh the Finance Manager's dated desktop with a thin client terminal, connected to the Citrix XenDesktop server.
REQ008 | Finance Manager Security Concerns | Utilise the Fortinet Firewall, VPN, AV and Websense solution to allay security concerns. Utilise AirWatch for mobile security.
REQ009 | Finance Manager Cost Concerns | Provide the required security using cost-effective means: thin client architecture; a single Fortinet device in each of the Dublin and Cork offices.
REQ010 | Accounts Desktops | Replace "dumb" terminals with thin client terminals, connected to the LAN and Citrix XenDesktop server.
REQ011 | Accounts Software - Payroll | Replace local hosting for the payroll platform with a cloud-based SAAS provider for cost, supportability and resiliency. Take information from HR about payroll to avoid rekeying information; ensure that HR also have access to the cloud payroll solution and that employees have one system on which to log time.
REQ012 | Accounts Bank Access | Replace the local PC ISDN access with connectivity over the internet. Provision bank connectivity over SFTP for payroll files.
REQ013 | Accounts Software - Client Accounts | Recommend use of another SAAS CRM software to allow access both from the company and for the customers to their accounts. Ensure the Sales Team also has access to enter the details directly into the CRM system. Replace integration with the major airline systems - use of airline APIs where possible.
REQ014 | Sales desktops | Replace stand-alone PCs with thin client terminals, connected to the LAN and Citrix XenDesktop server.
REQ015 | Sales laptops | Replace laptops with up-to-date WinX machines.
REQ016 | Sales tablets | Maintain the tablets; they can be used for testing client access to the company website and client portal using Android and OS/X. Provide network connectivity wirelessly.
REQ017 | Sales Manager PC | Replace the stand-alone PC with a thin client terminal, connected to the LAN and Citrix XenDesktop server.
REQ018 | Sales Hot Desks | Provide stand-alone PCs with thin client terminals, connected to the LAN and Citrix XenDesktop server.
REQ019 | Sales/Marketing Software | Provide the latest Publisher via Office 365. Provide a central source on the network for pricing that Sales staff can access directly, to avoid calling in at 5:30pm daily.
REQ020 | Company Website | Arrange for a third party to provision a website and arrange hosting. Ensure this is a Content Management System (CMS) so that the company can update the requisite details themselves. It should also provide links to the company's CRM web-based solution for a seamless user experience for clients with accounts. Ensure it is set up for consistency across end-user devices and little to no code maintenance.
REQ021 | Administration desktops | Replace stand-alone PCs with thin client terminals, connected to the LAN and Citrix XenDesktop server. Scrap Microsoft Windows for Workgroups as the software is deprecated and has a maintenance overhead without adding value.
REQ022 | Administration ISDN | Remove the 4-line ISDN present for Administration; all clients will have requisite internet access provided via the ISP and controlled through the Active Directory setup and the Fortinet firewall and web filter.
REQ023 | Administration E-mail | Replace the current single Hotmail e-mail account with individual accounts on MS Outlook (Office 365), hosted on the company's new web domain. Set up mailing groups or shared mailboxes for each department to avoid exchanging e-mails inter-department either by hand or through e-mail.
REQ024 | HR desktops | Provide thin client terminals for each HR staff member, connected to the LAN and Citrix XenDesktop server.
REQ025 | HR Software | Provide a SAAS software solution for Payroll, Time Recording and HRMS.
REQ026 | Network: LAN | Provide LAN access to all permanent on-site employees via new thin clients. Provide LAN access for Sales Hot Desks also via new thin clients.
REQ027 | Network: WAN | Provide WAN access between the Dublin and Cork offices, preferably extending the LAN and maintaining QoS.
REQ028 | Network: WAP | Provide requisite Wireless Access Points to allow all laptops and mobile devices to effectively access the network.
REQ029 | Network: VPN | Ensure presence of a VPN for remote login, and between offices.
REQ030 | Network: Business Internet | Ensure adequate business (symmetric) internet is available to service the company needs and the new cloud-based SAAS model for key software, along with VOIP and requisite QoS.
REQ031 | Telecoms: VOIP | Arrange setup of a cloud-based VOIP solution, with requisite QoS internally and externally. For fallback, maintain two physical telephone lines in Dublin and one in Cork and each satellite office to ensure calls can still be made and received.
REQ032 | Server: Active Directory | Provide a new Active Directory server for managing user access that will also manage the LAN shared file systems.
REQ033 | Server: Shared File System | LAN shared file systems will be managed via the same server as hosts Active Directory.
REQ034 | Server: Virtual Desktops | Provide a server to set up virtual desktops in a thin client architecture to achieve economies of scale as the company grows, to enable end users to access the same desktop regardless of where they are connecting from, and to lower the maintenance and replacement costs of physical hardware.
REQ035 | Storage: Shared redundant storage | Ensure requisite redundant shared storage is in place and backups are taken regularly to avoid any loss of key data.
REQ036 | Server: Backup server | Ensure requisite backup servers are in place for Disaster Recovery.
APPENDIX 5 - STAR NETWORK EXPLANATION
In its simplest form, a star network consists of one central switch, hub or computer, which
acts as a conduit to transmit messages. This consists of a central node to which all other nodes
are connected. The central node is a common connection point between other nodes via a hub
or switch. The star topology reduces the damage caused by line failure by connecting all of
the systems to a central node. When applied to a bus-based network, this central hub
rebroadcasts all transmissions received from any peripheral node to all peripheral nodes on
the network, sometimes including the originating node. All peripheral nodes may thus
communicate with all others by transmitting to, and receiving from, the central node only.
The failure of a transmission line linking any peripheral node to the central node will result in
the isolation of that peripheral node from all others, but the rest of the systems will be
unaffected.
Star networks are very reliable because if one computer or its connection breaks it
doesn't affect the other computers and their connections.
An expensive network layout to install because of the amount of cabling needed.
If the server crashes or stops working then no computers will be able to access the
network.
If the hub or switch fails, the whole network goes down as well.
Star Network, simple form
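The two failure cases described above (one peripheral link lost versus the central switch lost) can be quantified by counting how many pairs of end stations can still reach each other. The block below is an added illustration, not part of the original appendix; the hub and leaf names are constructed, and it generalises to any topology given as an adjacency map so the same count can be run against a design with redundant distribution switches.

```python
"""Reachability under failure in a star topology (added example, constructed names)."""
from collections import deque


def build_star(hub: str, leaves: list[str]) -> dict[str, set[str]]:
    """Adjacency map of a star: every leaf is linked to the hub and nothing else."""
    adj = {hub: set(leaves)}
    for leaf in leaves:
        adj[leaf] = {hub}
    return adj


def apply_failures(adj: dict[str, set[str]], failed_nodes=(), failed_links=()) -> dict[str, set[str]]:
    """Copy of the graph with the given nodes (e.g. the hub) and links (e.g. one cable) removed."""
    dead = {frozenset(link) for link in failed_links}
    out = {}
    for node, nbrs in adj.items():
        if node in failed_nodes:
            continue
        out[node] = {n for n in nbrs if n not in failed_nodes and frozenset((node, n)) not in dead}
    return out


def reachable(adj: dict[str, set[str]], start: str) -> set[str]:
    """Breadth-first search: every node that still has a path from `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def connected_endpoint_pairs(adj: dict[str, set[str]], endpoints: list[str]) -> int:
    """Number of endpoint pairs that can still exchange traffic (endpoints that failed count as unreachable)."""
    live = [e for e in endpoints if e in adj]
    total = 0
    for i, a in enumerate(live):
        can_reach = reachable(adj, a)
        total += sum(1 for b in live[i + 1:] if b in can_reach)
    return total


def star_impact(hub: str, leaves: list[str]) -> dict[str, int]:
    """Surviving endpoint pairs when healthy, after one leaf link fails, and after the hub fails."""
    star = build_star(hub, leaves)
    return {
        "healthy": connected_endpoint_pairs(star, leaves),
        "one_link_down": connected_endpoint_pairs(
            apply_failures(star, failed_links=[(hub, leaves[0])]), leaves),
        "hub_down": connected_endpoint_pairs(apply_failures(star, failed_nodes={hub}), leaves),
    }


if __name__ == "__main__":
    pcs = [f"pc{i}" for i in range(1, 6)]  # constructed five-station office
    print(star_impact("switch1", pcs))  # {'healthy': 10, 'one_link_down': 6, 'hub_down': 0}
```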
APPENDIX 6 – HARDWARE REQUIREMENTS
The following table is a preliminary list of the upgrade to Honeymoon Holidays IT
Infrastructure. It is by no means complete and should not be taken as a final statement of the
project requirements.
Proposed IT Hardware for Honeymoon Holidays (departments: Accounts, Administration, Sales, HR; Cork Office)
Role | Laptop/Desktop | Required | Mobile | Required | Printer (Canon) | Required
Managing Director | Dell Inspiron 5000 series | 1 | Samsung S6 | 1 | MAXIFY MB2050 | 1
Finance Manager | Dell Inspiron 5000 series | 1 | Samsung S6 | 1 | MAXIFY MB2050 | 1
HR Manager | Dell Inspiron 5000 series | 1 | Samsung S6 | 1 | |
Clerks | Wyse 3020 with Thin OS + monitor and keyboard, VOIP enabled | 2 | | | |
Sales Manager/Coordinator | Dell Inspiron 5000 series | 1 | Samsung S6 | 1 | |
Marketing Coordinator | Dell Inspiron 5000 series | 1 | Samsung S6 | 1 | |
Sales team | Wyse 3020 with Thin OS + monitor and keyboard, VOIP enabled | 25 | Samsung S6 | 25 | |
Manager | Dell Inspiron 5000 series | 1 | | | |
Admin Staff | Wyse 3020 with Thin OS + monitor and keyboard, VOIP enabled | 5 | | | |
Staff | Wyse 3020 with Thin OS + monitor and keyboard, VOIP enabled | 5 | | | |
Trainees | Wyse 3020 with Thin OS + monitor and keyboard, VOIP enabled | 6 | | | |
Manager | Dell Inspiron 5000 series | 1 | Samsung S6 | 1 | |
Staff | Wyse 3020 with Thin OS + monitor and keyboard, VOIP enabled | 10 | | | |
Departmental printers: Canon C3330i, up to 30000 pages per month, 1; Canon C3330i, up to 30000 pages per month, 1; MAXIFY MB2050 and MAXIFY MB2050 shared between the departments, quantities 2, 1 and 2.
Future room for expansion is enabled via Fortinet switches.
Required
Servers: 6
Switches: 12
Routers: 4
Modems: 5
Wiring: N/A (Cat6 cabling, price per 10 metres)
Internet Connectivity Solution (Eircom, Vodafone, UPC, Imagine, etc.): Symmetric (Business) DSL
WAP: FortiAP 221C - Dublin: 4
WAP: FortiAP 24D - Cork: 2
? FortiClient 100 licence, FortiAuthenticator - Dublin - all: 1
Firewall: FortiGate-100D Firewall - Dublin: 2
Switch: Juniper EX2200-24-T: 12
Switch: Juniper EX4200-24PX-TAA: 3
Router: Juniper MX5-T-AC: 2
Desktop: HP Thin Client G9F08AA: 22
Payroll: Sage MicroPay Professional (Unlimited Users): 1
CRM: Sage CRM Cloud Professional (50 Users): 1
Payments: Sage Pay Online, per payment: 1
Accounting: Sage 50 Accounts Professional: 1
Other line items (POE, Hardware, Backend Hardware, Networking Solutions, Details):
Firewall configuration (Watchguard, Sonicwall etc.)
Installation of new data switch (8-port to 12 port)
Apple-to-Windows networking (2 systems)
Eircom MPLS WAN with VPN and SIP support
Wireless Connectivity Solutions (e.g. re-configuration of wireless router)
Wireless Network Extension (excluding hardware)
Setup and configuration of network shares per PC or Server
Setup and configuration of network shares per Mac (Apple)
BIBLIOGRAPHY
REFERENCES
Anon, (2016). [online] Available at: http://www.hp.com/rnd/pdf_html/wirelessLANsite_assessment.html [Accessed 10 Apr. 2016].
Azure.microsoft.com. (2016). Microsoft Azure: Cloud Computing Platform and Services. [online] Available at: https://azure.microsoft.com/en-gb/? [Accessed 10 Apr. 2016].
Blog.buildingautomationmonthly.com. (2016). [online] Available at: http://blog.buildingautomationmonthly.com/wp-content/uploads/2013/05/OSI-Model.png [Accessed 9 Apr. 2016].
Citrix.com. (2016). Licensing Basics. [online] Available at: https://www.citrix.com/buy/licensing.html [Accessed 10 Apr. 2016].
Citrix.com. (2016). XenDesktop VDI Virtual Desktop Infrastructure. [online] Available at: https://www.citrix.com/products/xendesktop/overview.html [Accessed 10 Apr. 2016].
Fortinet.com. (2016). FortiGuard-Security-Services.pdf. [online] Available at: http://www.fortinet.com/sites/default/files/productdatasheets/FortiGuard-Security-Services.pdf [Accessed 6 Apr. 2016].
Sage.ie. (2016). Sage 50 Accounts Professional Detailed Information. [online] Available at: http://www.sage.ie/software-and-services/accounting-and-finance/sage-50-accounts-professional/detailed-information [Accessed 4 Apr. 2016].
Sage.ie. (2016). Sage HR: Software to simplify running human resources. [online] Available at: http://www.sage.ie/software-and-services/hr/sage-hr [Accessed 4 Apr. 2016].
Sage.ie. (2016). Sage Pay: Accept online payments securely and easily. [online] Available at: http://www.sage.ie/software-and-services/payments/sage-pay-online-payments [Accessed 4 Apr. 2016].
Shop.sage.ie. (2016). Sage CRM Cloud Professional | CRM Software | Sage Ireland Store. [online] Available at: https://shop.sage.ie/sage-crm-cloud-professional.aspx [Accessed 4 Apr. 2016].
Shop.sage.ie. (2016). Sage Micropay Professional | Payroll Software | Sage Ireland Store. [online] Available at: https://shop.sage.ie/micropay-professional.aspx [Accessed 4 Apr. 2016].
Vodafone.ie. (2016). One Net Express for Your Business | Vodafone Ireland. [online] Available at: http://www.vodafone.ie/small-business/phones-plans/one-net-express/?gclid=Cj0KEQjwoYi4BRDF_PHHu6rI7NMBEiQAKZ-JuFeGopAV3LE08XraJLhHPtx_frmo4mO7NmOzPEz17IEaAqUa8P8HAQ&gclsrc=aw.ds [Accessed 5 Apr. 2016].
YouTube. (2016). Cisco QoS: Design and Best Practices for Enterprise Networks. [online] Available at: https://www.youtube.com/watch?v=xePZcobaJUY [Accessed 9 Apr. 2016].
YouTube. (2016). Deploying MVRP Learning Byte. [online] Available at: https://www.youtube.com/watch?v=C-JkzYbGPBk [Accessed 4 Apr. 2016].