Office Network Renovation

Existing Office Network


Introduction:

  • My project's name is Office Network Renovation. The existing office network uses a flat network topology. The office has 20 users spread across four departments.
  • Wireless network access should be restricted to authorized personnel only.
  • The office network architecture, including the domain environment, IP address management, secure wireless access, internet sharing, features, and services, as well as the essential equipment and suitable topology, should be finalized.

Objective:

    • To provide a smart and secure office network
    • Identify bottlenecks in the current network and propose solutions
    • Replace the flat network with a hierarchical network design

    Existing Network Problems:

    📡 Inefficient network topology: The office currently has a flat network design, resulting in a single collision domain. This setup leads to network congestion, increased security risks, and difficulties in managing network traffic.

    🚷 Lack of VLAN segmentation: There is no VLAN segmentation in place to isolate departments or network functions. As a result, data from different departments can flow freely across the network, potentially compromising security and causing performance issues.

    🔌 Inadequate cabling infrastructure: The office has messy and tangled cables running haphazardly, making it challenging to troubleshoot network issues and identify connectivity problems.

    🌐 Absence of DMZ for web server: The web server is placed within the same network as other internal resources, making it vulnerable to external attacks. There is no dedicated DMZ (Demilitarized Zone) to provide an additional layer of security.

    📧 Absence of email server: The office has no email server of its own, so every user sends and receives office email through a personal account. There is no central configuration or optimization of mail flow, which leaves the office exposed to potential vulnerabilities.

    🗄️ Unorganized file storage: File sharing is chaotic, with files scattered across different shared folders, making it difficult to locate important documents or collaborate effectively.

    🕸️ Poor remote access setup: The office does not have a secure and efficient remote access setup. Employees struggle with connecting to the office network outside the premises, hindering productivity and collaboration.

    🔒 Inadequate firewall configuration: The firewall settings are not properly configured or updated, leaving the network susceptible to unauthorized access, malware attacks, or data breaches.

    🕐 No centralized management: Without a centralized management system, there is no efficient way to monitor, manage, and update network devices, resulting in time-consuming and error-prone manual configurations.

    Present Office Network (Hierarchical Network Design)



    Fundamental Design Goals:

    My network design requirements translate into four fundamental network design goals:

    Scalability: Scalable network designs can grow to include new user groups and remote sites and can support new applications without impacting the level of service delivered to existing users.

    Availability: A network designed for availability is one that delivers consistent, reliable performance, 24 hours a day, 7 days a week. In addition, the failure of a single link or piece of equipment should not significantly impact network performance.

    Security: Security is a feature that must be designed into the network, not added on after the network is complete. Planning the location of security devices, filters, and firewall features is critical to safeguarding network resources.

    Manageability: No matter how good the initial network design is, the available network staff must be able to manage and support the network. A network that is too complex or difficult to maintain cannot function effectively and efficiently.

    My Correction Approach:

    1. I introduced Hierarchical Network Design in my office network environment.

    In networking, a hierarchical design groups devices into multiple networks that are organized in layers. This design provides scalability, security and manageability. The hierarchical design model has three basic layers:

    Core layer: Connects distribution layer devices

    Distribution layer: Interconnects the smaller local networks

    Access layer: Provides connectivity for network hosts and end devices.

    2. IP Addressing:

    Components & Departments | Hierarchical Layer  | IP Addresses Required      | VLAN | Address Block Assigned
    DC                       | Access Switch       | 1                          | 10   | 192.168.0.1/24
    ADC                      | Access Switch       | 1                          | 10   | 192.168.0.2/24
    Web Server               | Distribution Switch | 2 (Network Load Balancing) | 20   | 10.10.10.1/24, 10.10.10.2/24
    File Server              | Distribution Switch | 1                          | 30   | 10.10.10.3/24
    Email                    | Access Switch       | 1                          | 10   | 192.168.0.3/24
    DNS Server               | Access Switch       | 1                          | 10   | 192.168.0.4/24
    DHCP Server              | Access Switch       | 1                          | 10   | 192.168.0.5/24
    WDS Server               | Access Switch       | 1                          | 10   | 192.168.0.6/24
    CA Server                | Access Switch       | 1                          | 10   | 192.168.0.7/24
    IT Department            | Edge Switch-1       | 5                          | 20   | 192.168.1.0/24
    HR Department            | Edge Switch-1       | 5                          | 30   | 192.168.2.0/24
    Accounts Department      | Edge Switch-1       | 5                          | 40   | 192.168.3.0/24
    Sales Department         | Edge Switch-1       | 5                          | 50   | 192.168.4.0/24
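A consistency check over the address plan in the table above, added here as an example (it is not part of the original post). The PLAN entries are transcribed from the table; the check flags a VLAN ID that carries more than one subnet, a subnet that is listed under more than one VLAN (which defeats the segmentation goal), and a block too small for the hosts it must serve.

```python
"""Added consistency check for the VLAN / address plan above (not part of the post).
PLAN entries are transcribed from the page's table: (component, VLAN, addresses, hosts needed)."""
import ipaddress
from collections import defaultdict

PLAN = [
    ("DC", 10, ["192.168.0.1/24"], 1),
    ("ADC", 10, ["192.168.0.2/24"], 1),
    ("Web Server", 20, ["10.10.10.1/24", "10.10.10.2/24"], 2),
    ("File Server", 30, ["10.10.10.3/24"], 1),
    ("Email", 10, ["192.168.0.3/24"], 1),
    ("DNS Server", 10, ["192.168.0.4/24"], 1),
    ("DHCP Server", 10, ["192.168.0.5/24"], 1),
    ("WDS Server", 10, ["192.168.0.6/24"], 1),
    ("CA Server", 10, ["192.168.0.7/24"], 1),
    ("IT Department", 20, ["192.168.1.0/24"], 5),
    ("HR Department", 30, ["192.168.2.0/24"], 5),
    ("Accounts Department", 40, ["192.168.3.0/24"], 5),
    ("Sales Department", 50, ["192.168.4.0/24"], 5),
]

def check_plan(plan):
    """Return sorted findings; an empty list means the plan is consistent."""
    vlan_subnets = defaultdict(set)   # VLAN ID -> subnets carried on it
    subnet_vlans = defaultdict(set)   # subnet  -> VLAN IDs it appears under
    findings = []
    for name, vlan, addrs, needed in plan:
        for addr in addrs:
            # strict=False maps a host entry such as 192.168.0.1/24 to 192.168.0.0/24
            net = ipaddress.ip_network(addr, strict=False)
            vlan_subnets[vlan].add(net)
            subnet_vlans[net].add(vlan)
            if needed > net.num_addresses - 2:      # network and broadcast reserved
                findings.append(f"{name}: {needed} hosts do not fit in {net}")
    for vlan, nets in vlan_subnets.items():
        if len(nets) > 1:   # one broadcast domain, two different subnets
            findings.append(f"VLAN {vlan} carries several subnets: "
                            + ", ".join(map(str, sorted(nets))))
    for net, vlans in subnet_vlans.items():
        if len(vlans) > 1:  # same subnet reachable from two VLANs defeats segmentation
            findings.append(f"Subnet {net} is assigned to several VLANs: "
                            + ", ".join(map(str, sorted(vlans))))
    return sorted(findings)

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```

Run against the table as written, the check reports that VLAN 20 and VLAN 30 each carry two subnets and that 10.10.10.0/24 is shared by both, so the VLAN column for the server and department rows needs to be reconciled before the switches are configured.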

     

    3. OSI Model & TCP/IP Protocol Layers Based on Component:


    4. Prerequisites for Components in my Network Architecture:

    Domain Controller (DC):

    • Suitable hardware specifications (CPU, RAM, storage) for the server.
      • CPU: 1.4 GHz 64-bit processor or higher
      • RAM: 2 GB or higher
      • Storage: 32 GB or higher
      • Network: 1 Gbps Ethernet adapter
    • Supported server operating system (e.g., Windows Server 2016/2019/2022).
    • Ensure the server has a static IP address.
    • Network connectivity and proper network configuration.

    Additional Domain Controller (ADC):

    • Suitable hardware specifications (CPU, RAM, storage) for the server.
      • CPU: 1.4 GHz 64-bit processor or higher
      • RAM: 2 GB or higher
      • Storage: 32 GB or higher
      • Network: 1 Gbps Ethernet adapter
    • Supported server operating system (e.g., Windows Server 2016/2019/2022).
    • Ensure the server has a static IP address.
    • Network connectivity and proper network configuration.

    DHCP Server:

    • Suitable hardware specifications for the server.
      • CPU: 1 GHz 64-bit processor or higher
      • RAM: 1 GB or higher
      • Storage: 32 GB or higher
      • Network: 1 Gbps Ethernet adapter
    • Supported server operating system (Windows Server 2016).
    • Static IP address and proper network connectivity.
    • Plan and define the DHCP scope (IP address range, subnet mask, DNS settings, lease durations, etc.).
    • Administrative access and appropriate privileges.

    DNS Server:

    • Suitable hardware specifications for the server.
      • CPU: 1 GHz 64-bit processor or higher
      • RAM: 512 MB or higher
      • Storage: 32 GB or higher
      • Network: 1 Gbps Ethernet adapter
    • Supported server operating system (Windows Server 2016).
    • Static IP address and proper network connectivity.
    • Choose the DNS server role during the server installation process.
    • Plan the DNS namespace and determine the forward and reverse lookup zones.
    • Administrative access and appropriate privileges.

    Web Server:

    • Suitable hardware specifications for the server.
      • CPU: 1.4 GHz 64-bit processor or higher
      • RAM: 2 GB or higher
      • Storage: 32 GB or higher
      • Network: 1 Gbps Ethernet adapter
    • Supported server operating system (Windows Server 2016).
    • Static IP address and proper network connectivity.
    • Install web server software (e.g., Apache, Nginx, IIS).
    • Configure firewall rules to allow HTTP/HTTPS traffic.
    • Web application files or content ready to be deployed.
    • Administrative access and appropriate privileges.

    File Server:

    • Suitable hardware specifications for the server.
      • CPU: 1 GHz 64-bit processor or higher
      • RAM: 2 GB or higher
      • Storage: Sufficient capacity for file shares
      • Network: 1 Gbps Ethernet adapter or higher
    • Supported server operating system (Windows Server 2016).
    • Static IP address and proper network connectivity.
    • Allocate sufficient storage for file shares.
    • Plan and define folder structure and permissions.
    • Administrative access and appropriate privileges.

    WSUS Server:

    • Suitable hardware specifications for the server.
      • CPU: 1.4 GHz 64-bit processor or higher
      • RAM: 2 GB or higher
      • Storage: 20 GB or higher for updates repository
      • Network: 1 Gbps Ethernet adapter or higher
    • Supported server operating system (Windows Server 2016)
    • Static IP address and proper network connectivity.
    • Sufficient storage for updates repository.
    • Approve and configure updates based on requirements.
    • Administrative access and appropriate privileges.

    CA Server (Certificate Authority):

    • Suitable hardware specifications for the server.
      • CPU: 1 GHz 64-bit processor or higher
      • RAM: 2 GB or higher
      • Storage: 32 GB or higher
      • Network: 1 Gbps Ethernet adapter
    • Supported server operating system (Windows Server 2016)
    • Static IP address and proper network connectivity.
    • Determine the type of CA (standalone or enterprise) based on requirements.
    • Plan and define the certificate templates and issuance policies.
    • Administrative access and appropriate privileges.

    Firewall:

    • Suitable hardware specifications for the firewall device.
    • Understand and identify the network traffic requirements.
    • Plan the firewall rule sets, including inbound and outbound rules.
    • Determine the zones, security policies, and NAT configurations.
    • Ensure proper network connectivity and configuration for the firewall.
    • Administrative access and appropriate privileges.

    Remote Access VPN:

    • Suitable hardware specifications for the VPN server.
    • Supported server operating system.
    • Static IP address and proper network connectivity.
    • Determine the VPN technology and protocols to be used (e.g., PPTP, L2TP/IPSec, OpenVPN).
    • Configure firewall and router to allow VPN traffic.
    • Plan and define VPN user access policies and authentication methods.
    • Administrative access and appropriate privileges.

    Exchange Server 2016:

    • Server Hardware:
      • CPU: 64-bit architecture (varies based on the number of mailboxes and expected workload)
      • RAM: 8 GB (minimum) or higher (varies based on workload and number of mailboxes)
      • Storage:
        • System Drive: Minimum 30 GB of free space
        • Database Drive: Separate volume for mailbox database files (recommended at least 1.5 times the size of the mailbox database)
        • Log Drive: Separate volume for transaction log files (recommended at least 20-30 GB)
      • Network: 1 Gbps Ethernet adapter or higher
    • Server Operating System: Install a supported Windows Server version, such as Windows Server 2016/2019/2022 (Exchange Server 2019 also supports Windows Server Core). Ensure that the server is updated with the latest service packs, patches, and updates.
    • Active Directory: Your environment should have an Active Directory infrastructure, and it should be functioning properly.
    • Active Directory Forest Functional Level: The forest functional level should be at least Windows Server 2008 or higher.
    • Domain Controller: Ensure that you have at least one domain controller installed and running in your Active Directory environment.
    • DNS: Set up Domain Name System (DNS) and ensure that it is configured correctly to resolve hostnames and domain names within your network.
    • Domain User Account: Create a domain user account that will be used to install and manage Exchange Server. This account should have the necessary permissions, such as being a member of the Schema Admins, Enterprise Admins, and Domain Admins security groups.
    • Certificate Requirements: Prepare the SSL certificate(s) that will be used for securing Exchange services and client connectivity. You can obtain a certificate from a trusted third-party certificate authority or use an internal certificate authority.
    • Mail Exchanger (MX) Records: If you are going to receive email from the internet, you need to configure proper MX records in your public DNS to point to your Exchange Server's external IP address.
    • Firewall Configuration: Ensure that the necessary firewall ports are open to allow inbound and outbound communication for Exchange services.
    • Antivirus and Anti-spam Software: If you plan to install antivirus or anti-spam software on the Exchange Server, make sure it is compatible with Exchange and properly configured to avoid any conflicts or performance issues.

    5. Group Policy Required for Each Department:

    Here are some Group Policy settings that can be considered a minimum requirement for the IT, Sales, HR, and Accounts departments:

    IT Department:

    • Password Policy: Enforce password complexity, minimum password length, and password expiration settings to ensure strong and secure passwords.
    • User Rights Assignment: Grant administrative privileges only to IT personnel who require them for their job responsibilities.
    • Software Installation Restrictions: Control software installation by allowing only authorized software to be installed on workstations to minimize security risks.
    • Windows Firewall: Configure Windows Firewall settings to allow necessary network communication while blocking unauthorized access.

    Sales Department:

    • Internet Explorer/Edge Security Settings: Configure security settings to restrict access to potentially harmful websites and file downloads.
    • Folder Redirection: Redirect user folders (such as Documents and Desktop) to a network location for centralized backup and access.
    • USB Device Restrictions: Control the use of USB storage devices to prevent data leakage or the introduction of malicious software.

    HR Department:

    • Folder/File Access Permissions: Set appropriate access permissions on HR-specific folders and files to protect sensitive employee data.
    • User Account Control (UAC): Enable UAC to prevent unauthorized changes to HR-related system settings or applications.
    • Audit Policies: Enable auditing of HR-related files and folders for tracking access and changes.

    Accounts Department:

    • Data Encryption: Enable BitLocker or other encryption solutions to protect sensitive financial data on workstations and laptops.
    • Financial Application Restrictions: Restrict access to financial applications to authorized personnel only.
    • Account Lockout Policy: Configure account lockout settings to prevent unauthorized access attempts to financial systems.




