
Jacob Kline
IS3220 Charleston
May 25, 2016
Final Project

Contents
Network Survey
Network Design
Multi-Layered Security per 7 IT Infrastructure Domains
Overall Network Security Plan
Remote Access/VPN Plan
Departmental VLANs identified and designed
Virtual IPv4 Schema
VPN Connectivity Troubleshooting Checklist

Network Survey
Security should always be a top priority for any company, and that is especially
true with the technology in use today. Making sure your network, including every
user and device attached to it, is secure is an absolute must. To do this properly,
it is important to know what your network is comprised of, what runs on it, and
generally how it is behaving. To find this out, I will conduct a network scan.
There are many tools for a network survey; they let you virtually scan the network
and any activity on it. I will be using NetWitness to scan the network for any
vulnerabilities or abnormalities. NetWitness will allow me to identify all the hosts
within the network, the protocols currently in use, and the services in use. This scan
will serve as a baseline against which future scans are compared, to ensure
everything on the network is still operating the way it should be.
Hosts identified within the Corporation Techs network:
1. Host IP: 10.21.3.35
2. Host Aliases: besespecially.com, protectedreality.com, definitelyfriendly.com,
bestremarkably.com, www.netwitness.com, truly-secure.com, securetruly.com,
securereally.com, resolution-sharp.com, definitelysociable.com,
decisionintelligent.com, and bright-decision.com
3. Host Location: Fairfax City, USA
Protocols identified within the Corporation Techs network:
1. TCP
2. UDP
3. IP

Services identified to be in use within the Corporation Techs network:
1. DNS
2. HTTP
3. IRC
4. GNUTELLA
5. RTP
6. TDS
7. MSN IM
8. SSL
9. POP3
10. SSH
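The survey above is meant to be a baseline that later scans are compared against. The following is an added worked example (not part of this report, and not NetWitness output) of that comparison: the baseline inventory is built from the host and service lists above, the second inventory is a constructed later scan with a few deliberate differences, and the policy list of disallowed services is also constructed for the example. The comparison reports new or missing hosts, services that appeared or vanished on known hosts, and any disallowed service still running.

```python
"""Compare a network-survey baseline against a later scan.

Added worked example; not part of the report and not NetWitness output.
The baseline is built from the report's survey lists; the later scan and the
policy list are constructed so the comparison has something to report.
"""
from dataclasses import dataclass

# Baseline inventory, one "host service" pair per line (from the report's survey).
BASELINE_TEXT = """\
10.21.3.35 DNS
10.21.3.35 HTTP
10.21.3.35 IRC
10.21.3.35 GNUTELLA
10.21.3.35 RTP
10.21.3.35 TDS
10.21.3.35 MSN IM
10.21.3.35 SSL
10.21.3.35 POP3
10.21.3.35 SSH
"""

# Constructed later scan: SSH is gone, TELNET appeared, and a new host showed up.
LATER_TEXT = """\
10.21.3.35 DNS
10.21.3.35 HTTP
10.21.3.35 IRC
10.21.3.35 GNUTELLA
10.21.3.35 RTP
10.21.3.35 TDS
10.21.3.35 MSN IM
10.21.3.35 SSL
10.21.3.35 POP3
10.21.3.35 TELNET
10.21.3.40 SMB
"""

# Constructed policy: peer-to-peer, chat and cleartext-login services that a
# company network normally has no business running.
DISALLOWED = frozenset({"GNUTELLA", "IRC", "MSN IM", "TELNET"})


def parse_inventory(text: str) -> dict:
    """Turn 'host service' lines into {host: {services}}; blank and '#' lines are skipped."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, service = line.split(maxsplit=1)  # service names may contain spaces
        inventory.setdefault(host, set()).add(service)
    return inventory


@dataclass
class SurveyDelta:
    new_hosts: dict          # hosts absent from the baseline
    missing_hosts: set       # baseline hosts that no longer answer
    added_services: dict     # per known host, services that appeared
    removed_services: dict   # per known host, services that vanished
    policy_violations: dict  # per host, disallowed services seen in the current scan


def compare_surveys(baseline: dict, current: dict, disallowed=frozenset()) -> SurveyDelta:
    """Diff two inventories and flag disallowed services in the current one."""
    new_hosts = {h: set(s) for h, s in current.items() if h not in baseline}
    missing_hosts = set(baseline) - set(current)
    added, removed = {}, {}
    for host in baseline.keys() & current.keys():
        if current[host] - baseline[host]:
            added[host] = current[host] - baseline[host]
        if baseline[host] - current[host]:
            removed[host] = baseline[host] - current[host]
    violations = {h: s & disallowed for h, s in current.items() if s & disallowed}
    return SurveyDelta(new_hosts, missing_hosts, added, removed, violations)


def run_example() -> SurveyDelta:
    """Compare the embedded baseline with the embedded later scan."""
    return compare_surveys(parse_inventory(BASELINE_TEXT),
                           parse_inventory(LATER_TEXT), DISALLOWED)


if __name__ == "__main__":
    for label, value in vars(run_example()).items():
        print(f"{label}: {value}")
```

In practice the two inventories would be exported from the scanning tool rather than typed in; the comparison logic is the same, and every line of the delta is a lead to follow up rather than a conclusion on its own.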

Network Design

The above network design is a slightly extended version of the information
provided. It places firewalls at multiple points in the network, which supports a
layered security approach. It also allows for the use of multiple routers and
switches to minimize network lag when activity is at its peak. In addition, by
separating the servers and not having a direct connection to the workstations,
the servers could be stored off site. This could be beneficial if there were a
disaster of some kind at the main building: information and data integrity would
remain intact, and the data could be restored from completed back-ups.

Multi-Layered Security per 7 IT Infrastructure Domains:


Applying security in layers, across as many facets of the infrastructure as possible,
will minimize the risk to the network. This includes securing every domain and the
connections between them. It will also minimize the impact if a breach were to occur.
1. User Domain:
a. All employees will be required to take mandatory security awareness
training and proper usage training. Failure to do so will result in
non-compliance, and the employee will be quarantined from the company
network until the training is completed.
b. Periodic audits of user activity. Logs will be kept and maintained.
Corrective action and/or quarantine will take effect if necessary.
2. Workstation Domain:
a. Mandatory antivirus software will be installed and updated as necessary
on every workstation connected to the company network.
b. Access to resources will be restricted on a need-to-know/need-to-use
basis
3. LAN Domain:
a. Secure network switches will be implemented
b. WPA2 encryption will be mandatory for all wireless APs
c. Physical security measures will be put in place to limit access to server
and networking rooms
d. Firewalls will be strategically placed within the LAN design to maximize
security and safeguarding
4. LAN to WAN Domain:
a. Firewalls will be implemented here as a barrier between the intranet and the
Internet
i. Filtering will be set for certain egress/ingress activity
ii. Any and all unused ports will be disabled to limit unwanted network
activity
b. All components of the network will have to have updated security patches,
operating systems, and any other applicable updates to ensure optimal
compliance
5. WAN Domain:
a. Encryption of data will be mandatory
b. Remote users will be expected to utilize pre-designated VPNs
c. Routers and firewalls will be expected to block ping requests from other
machines
d. All email attachments must undergo scanning for viruses prior to being
opened/downloaded
6. Remote Access Domain:
a. Establish and enforce strict password policies
b. Establish and enforce strict lockout policies
c. Implement the use of tokens, especially for VPN/Remote users;
maximizing authentication procedures
d. All company devices need to have encryption built in (i.e. hard drives,
mobile devices, laptops, workstations, etc)
7. Systems and Applications Domain:
a. All software installed will have had prior approval
b. All software and applications will be updated on a regular basis
c. Users are not allowed to install or remove software/applications unless
they have administrative privileges

Overall Network Security Plan:


This plan follows the same outline as most other security plans. Different
measures and defenses would be put in place, such as firewalls, IDS, and IPS.
Administrators will encrypt information for added protection. Password complexity
will be enforced. All computers, servers, and other devices connected to the network
will be updated regularly. This includes security patches, OS patches, and all other
applicable updates. All software and applications will also be updated to ensure
the latest and most secure versions are being utilized. Anti-virus software will be
mandatory and must be updated regularly.
All security policies and AUPs will be strictly followed to ensure maximum
network security. Network activity will be monitored daily to ensure there are no
breaches. If there is a threat or attack, it should be discovered, quarantined, and
eradicated as soon as possible. All employees will be expected to follow the
policies and procedures implemented or face severe consequences.

Remote Access/VPN Plan:


Only specified employees will be allowed VPN access. This means that no
vendors or temporary employees will have access. Each employee granted
access will have a specialized token tied to their work profile and a one-time
generated password (from something similar to a Gemalto device). This will
ensure only authorized users have and use the access they were granted. The
level of access granted will be evaluated on a case-by-case basis. Depending on
the nature of the employee's job, they may not have complete and full access to
the network via VPN.
Users will be expected to connect through the VPN only from a secure
connection. This means it must be password protected and use at least WPA
encryption. Users can connect from their home network if the connection meets
the requirements listed above. If an employee is fired, VPN access is taken away
immediately (as with all other company/network access) to ensure maximum
security.
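The plan above relies on a per-user token that produces a one-time password. The following is an added worked example (not part of this report, and not the code of Gemalto or any other token vendor) of how such codes are generated and checked. It implements the open HOTP (RFC 4226) and TOTP (RFC 6238) algorithms that hardware and app tokens commonly use: the token and the VPN server share a per-user secret, and each code is derived from that secret plus a moving counter (here, the 30-second time step). The server-side verifier also refuses to accept a code twice, so a code seen by someone else during the window cannot be reused. The demo secret is the RFC test-vector key and is constructed for this example only.

```python
"""One-time password (OTP) token check for the VPN plan.

Added worked example; not part of the report and not any vendor's code.
Implements HOTP (RFC 4226) and TOTP (RFC 6238) plus a server-side verifier
with clock-drift tolerance and replay rejection.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30  # seconds per TOTP counter value (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: truncate HMAC-SHA1(secret, counter) to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(at_time) // TIME_STEP, digits)


class TokenVerifier:
    """Server-side check for one user's token.

    Accepts codes from the current step and `window` steps either side (clock
    drift), and refuses any counter at or below the last accepted one so a
    captured code cannot be replayed within the window.
    """

    def __init__(self, secret: bytes, digits: int = 6, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.window = window
        self.last_counter = -1  # no code accepted yet

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        counter = int(now) // TIME_STEP
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter:
                continue  # already used, or older than the last accepted code
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (RFC test key); real per-user seeds come from enrolment.
    demo_secret = b"12345678901234567890"
    verifier = TokenVerifier(demo_secret)
    code = totp(demo_secret, time.time())
    print("first use accepted:", verifier.verify(code))
    print("replay accepted:", verifier.verify(code))
```

The important design points for the VPN plan are that the secret never leaves the token and the server, that the server compares codes in constant time, and that `last_counter` is persisted per user so a code cannot be replayed even after a server restart.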

Departmental VLANs identified and designed


The use of VLANs is paramount to ensuring optimal network performance. The
virtual IPs associated with VLANs are actually a separate design from the
aforementioned virtualization. VLANs are implemented for in-house use by AWS
employees, while the virtualization of some of the servers is related to customers. The
virtualization within the customers' servers allows the customers to more effectively
manage their use of space and network connectivity; however, AWS employees do not
use these servers.
Below, the table depicts the baseline for each country. There are 19 locations
(offices) in total, including the corporate office. The VLAN IP schema is broken down by
country. The schema will also leave room for growth should the company need the
expansion space.


Virtual IPv4 Schema

VLAN Number    Mask          Virtual IP (Network)   Broadcast IP    IP Range
(in sections)
1              255.255.0.0   192.168.1.0/24         192.168.1.255   192.168.1.1 - 192.168.1.254
2              255.255.0.0   192.168.2.0/24         192.168.2.255   192.168.2.1 - 192.168.2.254
3              255.255.0.0   192.168.3.0/24         192.168.3.255   192.168.3.1 - 192.168.3.254
4              255.255.0.0   192.168.4.0/24         192.168.4.255   192.168.4.1 - 192.168.4.254
5              255.255.0.0   192.168.5.0/24         192.168.5.255   192.168.5.1 - 192.168.5.254

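An addressing table like the one above is easy to get subtly wrong, so a check that derives every column from the prefix length alone is worth having before the VLANs are configured. The following is an added worked example (not part of this report) that enters each row exactly as printed, computes what a /24 network actually implies with Python's standard `ipaddress` module, and reports any column that disagrees. Run against the table above, it flags the Mask column on every row: a /24 prefix corresponds to 255.255.255.0, whereas 255.255.0.0 is a /16 that would put all five VLANs in one 192.168.0.0/16 network and defeat the separation the VLANs are meant to provide. The broadcast and host-range columns agree with the prefix. The check also confirms that no two VLAN networks overlap.

```python
"""Derive and check the Virtual IPv4 Schema rows.

Added worked example; not part of the report. Rows are entered as printed,
derive_row() computes what the CIDR prefix implies, and check_schema()
reports each column that disagrees. overlapping_vlans() confirms that no two
VLAN networks share address space.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VlanRow:
    vlan: int
    mask: str
    network: str   # CIDR as printed in the table
    broadcast: str
    first_host: str
    last_host: str


# Rows copied from the report's Virtual IPv4 Schema table.
SCHEMA = [
    VlanRow(1, "255.255.0.0", "192.168.1.0/24", "192.168.1.255", "192.168.1.1", "192.168.1.254"),
    VlanRow(2, "255.255.0.0", "192.168.2.0/24", "192.168.2.255", "192.168.2.1", "192.168.2.254"),
    VlanRow(3, "255.255.0.0", "192.168.3.0/24", "192.168.3.255", "192.168.3.1", "192.168.3.254"),
    VlanRow(4, "255.255.0.0", "192.168.4.0/24", "192.168.4.255", "192.168.4.1", "192.168.4.254"),
    VlanRow(5, "255.255.0.0", "192.168.5.0/24", "192.168.5.255", "192.168.5.1", "192.168.5.254"),
]


def derive_row(vlan: int, network: str) -> VlanRow:
    """Compute mask, broadcast and usable host range from the CIDR prefix alone."""
    net = ipaddress.ip_network(network, strict=True)  # rejects host bits set in the address
    hosts = list(net.hosts())                          # usable addresses, excluding network/broadcast
    return VlanRow(vlan, str(net.netmask), str(net), str(net.broadcast_address),
                   str(hosts[0]), str(hosts[-1]))


def check_schema(rows) -> dict:
    """Return {vlan: {column: (printed, derived)}} for every disagreement; {} if all consistent."""
    problems = {}
    for row in rows:
        derived = derive_row(row.vlan, row.network)
        diffs = {}
        for column in ("mask", "broadcast", "first_host", "last_host"):
            if getattr(row, column) != getattr(derived, column):
                diffs[column] = (getattr(row, column), getattr(derived, column))
        if diffs:
            problems[row.vlan] = diffs
    return problems


def overlapping_vlans(rows) -> list:
    """Pairs of VLAN numbers whose networks overlap (should be an empty list)."""
    nets = [(r.vlan, ipaddress.ip_network(r.network)) for r in rows]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    for vlan, diffs in check_schema(SCHEMA).items():
        for column, (printed, derived) in diffs.items():
            print(f"VLAN {vlan}: {column} printed {printed}, prefix implies {derived}")
    print("overlapping VLANs:", overlapping_vlans(SCHEMA))
```

The same function works for the remaining country schemas once they are filled in; entering each row as printed and letting the prefix drive the other columns catches copy-and-paste mistakes before they reach a switch configuration.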

VPN Connectivity Troubleshooting Checklist


There are four common categories a VPN connection failure can fall into: the
connection is rejected when it should be accepted, the connection is accepted when it
should be rejected, the user is unable to reach any locations beyond the VPN server (or
servers), and the connection is unable to establish a viable tunnel. In any of these
cases, the following checklist should be followed to determine the root cause, who is
affected, and how to resolve the issue.
Checklist Steps:
1. Determine who is affected
a. This is an easy step. Likely, an employee who normally has VPN access
will contact the company helpdesk team and divulge their identity to the
helpdesk techs.
2. Determine whether or not it is a company-wide problem
a. If the network or server is down, it may be affecting multiple users across
the company. If this is not the case, and it is an individual user, work on the
root cause.
3. Determine root cause
a. Whether or not the cause of failure is one of the four categories mentioned
above, it is imperative to determine what caused the failure in order to
implement a viable solution.
4. Determine if it is the individual user/client or the specific system
a. Have the affected user attempt to establish a connection from a different
computer. If it is successful, then it can be assumed the user's computer is
at fault. If the other connection attempt fails, a deeper look into the user's
profile and access privileges may help determine the cause.
5. Ask for any potential error codes
a. For example, some companies will not allow VPN access to one user if
multiple users are logged in on that system, because it compromises security.
If this is the case, have the other user log off or restart the system.
6. Resolve any determined issue, if applicable
a. Depending on the nature of the issue, the majority of them can be
resolved. From access privileges to user error, helpdesk technicians are
trained to find and solve a variety of issues.
