Worldwide Trading Company: Comprehensive Assessment Plan
Nathan Dan
TABLE OF CONTENTS
- Executive Summary
- Project Goal Statement
- Project Scope
- Assumptions & Constraints
- Design Requirements
- Priority Scale
- Technical Requirements
- Network Applications
- Current State of the Network
- Design Solution
- Implementation Plan
- Wireless, LAN and VoIP Equipment List / Budget
- Project Timeline
- Design Document Appendix
- References
EXECUTIVE SUMMARY
The focus of this comprehensive assessment plan is a large online broker firm called the Worldwide Trading Company (WWTC). The company buys and sells financial securities among buyers and sellers. It has a large customer base of investors and a staff of 9,000 across the world, with its head office in New York City. The purpose of this comprehensive assessment plan is to propose a cutting-edge network for the New York City head office that will increase the productivity of WWTC.
This new network stands to improve the revenue base of WWTC from its existing revenue of $10 billion to $40 billion over approximately three to four years. The network will also decrease WWTC's operating costs by 15% to 30%. The network will provide encrypted methods for investors to buy and sell online, and will include VoIP and data network capability for use on personal digital assistant devices (PDAs).
The network will have a confidentiality level equivalent to the CIA's and will use Microsoft Windows Server 2012 Active Directory with a Cisco network system. The budget for the new network is also included in this report.
The end result will greatly improve the organizational operation of WWTC and increase both revenue and the company's productivity.
PROJECT GOAL STATEMENT
The goal of this project is to produce a logical and physical design for the improved WWTC network, applying information on current technologies to a design solution that will increase WWTC's revenue and improve the organization's structure.
PROJECT SCOPE
The project scope will include cutting edge network technology that will include an Active Directory, LAN, CIA-level security, VOIP, and wireless devices for the New York City head office of the WWTC. The departments that will be improved by this venture include Human Resources, Finance and Information Technology. Below, I discuss what will be included and what will be excluded from the project scope:
Includes:
- Create a LAN/WAN/VoIP network
- CIA-level security measures that involve encryption
- A wireless network that will run in cubicle areas, conference rooms, as well as the entrance of the WWTC office in New York City
- Installation of the network
- Installing a data and voice network
Excludes:
- Power supply will not be included
- Maintenance of the network and other new systems will not be included
Assumptions & Constraints
A gigabit (1 Gbps) Ethernet network will be installed. The power supply in the WWTC building should be more than adequate to support the network. The design will also include provisions for future changes so that the network can meet the changing needs of WWTC. The timeline included here is designed to prevent delays in the implementation of the network.
DESIGN REQUIREMENTS
This section focuses on the design requirements that are necessary for installing the network for WWTC in New York City. Please see the details below:
Priority Scale
| Value | Rating | Description |
| --- | --- | --- |
| A | Very High | Component is of very high importance to the success of the plan. |
| B | High | Component is of high importance to the success of the plan. |
| C | Medium | Component is of medium importance to the success of the plan. |
| D | Low | Component is of low importance to the success of the plan. |
| E | Future | Component is of future importance to the on-going success of this plan. |
Technical Requirements
| Requirement | Priority Value | Purpose and Goal Characteristics |
| --- | --- | --- |
| Security | A | Describes the CIA-level security protocol that will ensure the network is protected and safe. This includes encryption, classification markings, audits and activity monitoring, and defense-in-depth layers. |
| Availability | A | Access for users and lenders trading online, and minimizing downtime of the servers, are of very high priority. |
| Network Performance | A | Response time to users will be delivered over 1 Gbps Ethernet; LAN transfer rates will be over Mbps, and wireless connections will provide more than 54 Mbps Internet speeds. |
| Reliability | B | Product selection for the network will favour equipment and systems that reduce the failure rate and have a long service life. |
| Scalability | B, E | Scalability is linked to the future plans for WWTC growth and expansion, and relates to the current active users, network capacity, client applications and the anticipated number of future users. |
| Usability | C | The systems, networks and the overall network service must be user-friendly and navigable without instruction. |
| Manageability | C | Maintenance, deployments and configuration of the network must be centralized through services and servers, supported by the manufacturers supplying the hardware, and include Quality of Service (QoS). |
Network Applications
This section discusses current applications that are being used by the WWTC in New York City:
- Adobe Acrobat Pro
- Accessing library card-catalog
- Email (Outgoing/Incoming)
- File server application
- Microsoft Office 365 Plan (Office 2016 Suite, Exchange, Active Directory, SharePoint, One Drive, and Skype for Business)
- Secure Zip
The network will also include custom applications. Market tracking applications will give real time reports of stocks and bonds for traders. An online trading application will help to direct the clients on how to set up the online portal.
CURRENT STATE OF THE NETWORK
The current network at WWTC's office in New York City has security issues that have been identified through an internal audit. WWTC's need is to improve this system so that unclassified networks cannot reach its own network, and so that a secure, encrypted network can facilitate the organization's financial growth. A large amount of classified data resides on these networks and must remain secure. The WAN link will carry an added layer of encryption, and web services will be configured for HTTPS. Users who are offsite can reach the network through VPN channels and through dial-up. The high-speed wireless network will be VoIP enabled and will also help to secure the data. Completing this plan will greatly improve the network and the financial growth of WWTC in New York City, as well as of the global company.
DESIGN SOLUTION
LAN/WAN Solution
The new WWTC network will be scalable, facilitate fault isolation and include high availability. The network will be built from six modules:
- Access
- Services (server farm)
- Core
- Demilitarized zone (DMZ)
- Enterprise edge
- Physically separated encrypted classified zone.
The network will also feature a redesigned IP addressing scheme and a migration of client users from the current network to the new one, integration of voice and data, extra capacity at the switches and high-speed wireless access.
Access Layer
The access layer provides end-user connectivity to the network equipment. This includes desktops, phones, printers, laptops and PDAs. Access-layer traffic is separated into VLANs, supported by security measures, so that the network functions smoothly and efficiently. The access layer will consist of four Cisco WS-C3750X-48PF-L switches with 1 Gbps connections to the end users. The wireless access points will cover the main parts of the WWTC New York City office building, such as conference rooms, cubicle areas and the entrance way or lobby. The third path of the layer will connect all of the closet switches to the network, which maximizes use of the network at the workstation level.
Core Layer
The core layer of the network design consists of three Cisco 6800 XL switches. By leveraging Cisco's proprietary Gateway Load Balancing Protocol there is high availability through first-hop redundancy. One device is in hot-standby mode and the other is the active device. If the hello messages in this system are lost, a default timer of three seconds triggers the hot-standby switch to become active. The advantages of deploying EIGRP include IPv6 capability, fast convergence and efficient use of links through unequal-cost load balancing (Enhanced Interior, n.d.).
Services/Server Layer
The services layer will host email, file shares, internal websites, print functions and the call manager. This layer will be built on Nexus 7000 series switches with uplinks to each core chassis.
DMZ Layer
The DMZ module will host all of WWTC's public-facing services. It will be separated from the office LAN and protected with firewalls and monitoring.
Enterprise/Internet Edge
The enterprise/Internet edge layer will terminate VPN connections and perform network address translation (NAT) for the enterprise. The edge routers will use a static default route to the primary Internet Service Provider (ISP) and a floating static route to the alternate ISP. The default route will be redistributed into EIGRP so that every routing device carries it in its routing table. If the primary route is lost, the floating static route is inserted into the routing protocol and traffic flows over the backup ISP connection. VPN connections will terminate on the ASR routers to allow remote users to access WWTC resources. Additionally, all NAT with overload functions will be performed on these routers. The NAT pool 208.1.1.12/30 will be created and all internal web traffic will be translated to either 208.1.1.13 or 208.1.1.14 to reach the public Internet.
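The edge-router behaviour described above (primary static default, floating static to the alternate ISP, redistribution into EIGRP, and NAT overload from the 208.1.1.12/30 pool) as one Cisco IOS configuration. This is an added example, not configuration from the proposal or from Cisco; the interface names, the ISP next-hop addresses (203.0.113.1 and 198.51.100.1, both from documentation ranges), the inside address space 10.0.0.0/8, EIGRP autonomous system 100 and IP SLA probe 1 are assumptions. Only the NAT pool and its usable addresses .13 and .14 come from the proposal. The IP SLA tracking is added because a plain static route is withdrawn only when the interface goes down; without the probe, an upstream failure with the link still up would never let the floating static take over.

```cisco
! Added example: Internet-edge router for the WWTC design.
! Assumed (not from the proposal): interface names, ISP next hops, 10.0.0.0/8 inside,
! EIGRP AS 100, IP SLA probe 1. From the proposal: NAT pool 208.1.1.12/30 (.13, .14).
!
interface GigabitEthernet0/0
 description Inside - link to core layer
 ip address 10.255.0.1 255.255.255.252
 ip nat inside
!
interface GigabitEthernet0/1
 description Primary ISP
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 description Backup ISP
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Probe the primary ISP gateway every 10 s; the tracked object goes down when the
! path fails, even if the physical link stays up.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default route (administrative distance 1) conditioned on the probe.
! Floating static to the backup ISP with AD 250: installed only when the primary is gone.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Redistribute whichever default route is currently installed into EIGRP so all
! internal routing devices learn it from the edge and follow the failover.
router eigrp 100
 network 10.255.0.0 0.0.0.3
 redistribute static
 default-metric 100000 100 255 1 1500
!
! Only the internal address space is eligible for translation.
ip access-list standard INSIDE-TO-INTERNET
 permit 10.0.0.0 0.255.255.255
 deny   any
!
! NAT pool from the proposal (usable addresses .13 and .14) with PAT (overload)
! so many inside hosts share the two public addresses.
ip nat pool WWTC-PUBLIC 208.1.1.13 208.1.1.14 netmask 255.255.255.252
ip nat inside source list INSIDE-TO-INTERNET pool WWTC-PUBLIC overload
```

One caveat a practitioner would check before deploying this: the 208.1.1.12/30 pool must be routable through the backup ISP as well, otherwise translated traffic that fails over to 198.51.100.1 will have no return path. `show track 1` and `show ip route 0.0.0.0` confirm which default route is active during a failover test.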
Best practices are necessary for a secure network in order to stabilize and protect telecommunications within any organization. This document is a proposal for a Cisco network design in the WWTC building in New York City, United States. Microsoft Active Directory is also used to back up the system and the network will be designed with a fluid capability to support all needs of the WWTC building in New York City, United States.
WWTC Requirements
WWTC's very specific list of requirements conveys the expectation that their new network will be high performance, extremely scalable, cost effective to manage, and very secure. A Cisco network infrastructure with Microsoft based directory and resource management features together are fully capable of meeting these expectations. The high performance requirement means not only that bandwidth is available, but also that protocols and configurations are in place such as RSTP to prevent traffic loops and broadcast congestion, a well thought out subnet scheme, VLAN design and robust routing protocols such as EIGRP and PIM with IGMP Snooping enabled (for Multicast) to ensure that unnecessary traffic (broadcasts and multi-cast flooding) are contained and required traffic is forwarded over the best path possible in expeditious fashion. WWTC also expects the network to be designed to accommodate a growth rate of 100% capacity so that as the company grows and expands they will not have to invest in network upgrades nor suffer the business disruption that can be caused during network down time while additions are installed. Along these same lines, modularity is another aspect that WWTC requires, which would enable changes as well as expansion in the future with a minimum of disruption, cost, and effort. WWTC expects that sometime in the near future it may be advantageous or even required to move from the antiquated IPv4 protocol currently in widespread use to the newer, much improved IPv6, hence all network infrastructure specified on this project will support both IPv4 and IPv6 along with dual stack and migration capabilities (such as IPv4 to IPv6 tunneling).
Another requirement is centralized management capability that will enable the company to manage the new network with minimal IT staff, saving cost and decreasing complexity. Essential to meeting this requirement are DHCP services for dynamic IP management, as it enables a large number of IP configurations to be managed centrally for all hosts on the network in addition to boosting security through the use of Active Directory integration.
Routing requirements for WWTC include a hierarchical IP address design scheme, route aggregation (which increases network performance by decreasing routing table complexity), and support for VoIP integrated into the network infrastructure to allow for video and multi-media support such as the feature rich IP phones Cisco offers that can be installed without requiring a separate cable infrastructure (as is the case with standard analogue phone systems).
Finally, WWTC has a stringent network security requirement that includes best practice defense-in-depth layered security countermeasures and defenses which are essential with cyber crime increasing at an exponential pace. A combination of Microsoft and Cisco managed infrastructure is fully capable of meeting this expectation.
WWTC Equipment List
As noted above, the equipment and services selected to meet the stated requirements must be very high performance LAN infrastructure devices along with services designed for centralized management. Cisco switches, routers (and wireless devices to meet the WWTC wireless requirement for specific network segments) support the stated requirements when the models are specified correctly, and using a single vendor for network infrastructure helps ensure top level performance, ease of administration, and seamless integration. The network devices listed in the following table will handle over twice the current network capacity requirement, both in port count as well as bandwidth and performance, while also featuring the required support such as for VoIP, fault tolerance and high availability, seamless integration with wireless, and state of the art security features.
Table 1: Proposed devices.
| Device | Cisco Model # | Quantity | Comments |
| --- | --- | --- | --- |
| Core layer switches - redundant | 6509-E | 2 | HA/fault tolerant support for up to 534 devices plus advanced IP services |
| Distribution layer switches | 4503-E | 2 | Supports full mesh distribution layer plus advanced IP services |
| Access layer switches | WS-C3850-48U-E | 22 | UPoE support, 48 gigabit ports per switch, advanced IP services, fault tolerant and stackable with integrated wireless controller |
| Firewall with IPS services | ASA 5508-X | 2 | Support for redundant dual WAN link connections and egress/ingress IPS monitoring |
| Dual power supply for access switch | PWR-C1-1100WAC | 22 | Second power supply for all WS-C3850-48U-E |
| Wireless AP | Cisco Aironet 2600 | 8 | 802.11a/b/g/n, LAN integration up to 450 Mbps data rates, VLAN support, 128 client session capable |
| Cisco 6500 switch supervisor | Cisco VS-S2T-10G-XL | 4 | 10G redundant support for the core switch fabric |
| Cisco 6500 switch second power supply | Cisco CAB-AC-2500W-US1 | 2 | Redundant power supply support for HA |
| Cisco 4500 switch supervisor | Cisco WS-X45-Sup 7L-E | 4 | 10G redundant distribution layer support |
| Cisco 4500 line card | Cisco Catalyst 4500E UPOE Line Card | 4 | For 1G redundant access layer support |
The network equipment specified above is designed with centralized management, high-level security, and high performance and availability in mind. Throughout the network there is no single point of failure, as the dual power supplies on each device, full mesh interconnection, dual supervisor engines, and dual uplinks attest. The Cisco ASA firewall with IPS services protects the network both through advanced deep packet inspection filters and through advanced intrusion detection monitoring that can take action to block access to network segments where critical information is stored, or shut down access completely if an intrusion or security breach is detected. The 4500 and 6500 series supervisors also have IPS capability, which will be configured in a similar manner. In addition, a VLAN will be configured for each department, with ACLs (Access Control Lists) set up so that only authorized access is allowed into each department. At the access layer the Cisco 3850 switches provide seamless wireless integration through wireless controller support, so that mobile devices do not lose connectivity when moving from one AP to another. The wireless network is designed with plenty of overlap to prevent dead spots and to support speeds up to 450 Mbps. The network switches will have RSTP configured (for fast spanning tree convergence), EIGRP (for fast routing convergence), and IGMP snooping with PIM for multicast forwarding that minimizes flooding at layers 2 and 3 of the OSI model. All switches also support the most current PoE (Power over Ethernet) for IP telephones and VoIP, and are modular so that if additional hardware support is needed (such as fiber to another floor) the infrastructure is ready to accommodate it. The following diagram depicts the network design:
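The switch-side features named in this section and in the core layer description (a VLAN per department with ACLs, RSTP, IGMP snooping with PIM, and first-hop redundancy with a three-second hold timer) as one Cisco IOS configuration for a core/distribution layer-3 switch. This is an added example, not configuration from the proposal or from Cisco; the VLAN IDs, the 10.x.0.0/24 department subnets, the server-farm subnet 10.100.0.0/24, the PIM rendezvous point address, the uplink interface name, GLBP group numbers and EIGRP AS 100 are all assumptions. The ACLs implement the stated intent (each department reaches the server farm and the Internet, but not another department's VLAN) and log denied cross-department attempts so the security operations team can see them; BPDU guard is added so an unauthorized switch plugged into a desk port is shut down rather than allowed to disturb the spanning tree.

```cisco
! Added example: core switch "CORE-1" for the WWTC design. VLAN IDs, subnets,
! RP address, GLBP groups, interface names and EIGRP AS 100 are assumptions.
!
! --- Layer 2: rapid spanning tree with CORE-1 as root, edge-port protection,
! --- and IGMP snooping so multicast reaches only ports that joined the group.
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20,30,100 priority 4096
spanning-tree portfast bpduguard default
ip igmp snooping
!
vlan 10
 name HR
vlan 20
 name FINANCE
vlan 30
 name IT
vlan 100
 name VOICE
!
! --- Layer 3: multicast routing with a rendezvous point in the server farm.
ip multicast-routing
ip pim rp-address 10.100.0.254
!
! --- Per-department SVIs. GLBP supplies the shared gateway address; hello 1 s,
! --- hold 3 s, so a failed peer is detected within three seconds.
interface Vlan10
 description HR department
 ip address 10.10.0.2 255.255.255.0
 ip access-group HR-IN in
 ip pim sparse-mode
 glbp 10 ip 10.10.0.1
 glbp 10 priority 110
 glbp 10 preempt
 glbp 10 timers 1 3
 glbp 10 load-balancing round-robin
!
interface Vlan20
 description Finance department
 ip address 10.20.0.2 255.255.255.0
 ip access-group FINANCE-IN in
 ip pim sparse-mode
 glbp 20 ip 10.20.0.1
 glbp 20 priority 110
 glbp 20 preempt
 glbp 20 timers 1 3
 glbp 20 load-balancing round-robin
!
! --- Department ACLs: permit the server farm, deny (and log) every other internal
! --- subnet, then permit everything else so Internet-bound traffic still flows.
ip access-list extended HR-IN
 permit ip 10.10.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 deny   ip 10.10.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 10.10.0.0 0.0.0.255 any
!
ip access-list extended FINANCE-IN
 permit ip 10.20.0.0 0.0.0.255 10.100.0.0 0.0.0.255
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 10.20.0.0 0.0.0.255 any
!
! --- Access-port template for a desk: PC on the department VLAN, IP phone on
! --- the voice VLAN over the same cable, edge port (BPDU guard applies).
interface GigabitEthernet1/0/1
 description HR desk: PC on VLAN 10, phone on voice VLAN 100
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 spanning-tree portfast
!
! --- EIGRP toward the second core switch and the edge; SVIs stay passive so
! --- no routing adjacencies can be formed from a user VLAN.
router eigrp 100
 network 10.0.0.0
 passive-interface default
 no passive-interface TenGigabitEthernet1/1
```

The `log` keyword on the deny entries is what makes the per-department ACLs useful for detection as well as enforcement: a burst of logged denials from one host in VLAN 10 toward 10.20.0.0/24 is the kind of lateral-movement signal the audit and activity-monitoring requirement calls for. `show glbp brief` and `show spanning-tree root` confirm the gateway role and root bridge after the configuration is applied.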