DATA COMMUNICATION & NETWORKING 11- PROJECT: PROJECT DESIGN DOCUMENT
REQUESTED BY: SEAN THORPE
DATE: JUNE 20, 2010
CONTACT: MARLON MARAGH - Project Manager
Email: [email protected], [email protected],[email protected].
Group Members
Dionne Newman - BS08-1770-IT3
Andrew Taylor - BS09-7800-IT3
Andre Palmer - BS08-6411-IT3
Marlon Maragh - BS09-8008-IT3
Sheldon Mitchell - BS09-8114-IT3
Mark Daniels - BS09-8378-IT3
PROJECT DESIGN DOCUMENT
Problem Statement: Grace Kennedy Jamaica Ltd is one of the fastest growing food distribution and manufacturing companies in Jamaica, with many branches and outlets island wide. As a result, communication among staff and with the client base is becoming challenging and time consuming, and the sharing of information between the organization and its clients is also being negatively impacted.
Access to information is in constant demand, and the process needs to be seamless and automated. Setting up and deploying a secure wireless solution that gives our internal and external clients and stakeholders access is a number one priority.
As a group we have decided that designing and implementing a wireless system would be a major benefit to both Grace Kennedy and its clients, since for every successful business the sharing of timely and accurate information is of paramount importance.
Purpose of Project Study
One of the main aims of this project is to identify the steps involved in setting up a secure wireless session and in sharing such services with guest users when required.
At Grace Kennedy, customer satisfaction is of paramount importance, as is easy access to information by employees. Another purpose of the project study is to identify a suitable means by which communication with both employees and clients can be not only timely but also accurate. Accurate and timely information leads to job satisfaction among employees and also improves the company's Customer Relationship Management (CRM).
Significance of the Study
Over the past five years, the world has become increasingly mobile. As a result, traditional ways of networking have proven inadequate to meet the challenges posed by our new collective lifestyle. If users must be connected to a network by physical cables, their movement is dramatically reduced. Wireless connectivity poses no such restriction and allows a great deal more free movement on the part of the network user.
Another significance of the study is flexibility, which can translate into rapid deployment. Wireless networks use a number of base stations (access points) to connect users to an existing network, which makes adding nodes to the network straightforward: adding a user to a wireless network is a matter of configuring the infrastructure and does not involve running cable.
Companies like Grace Kennedy with many outlets will benefit, as wireless links can carry internet access past the limitations of DSL into communities where high speed internet was only a dream. These companies can now communicate with each other successfully in and out of places that were too rugged for the traditional cable approach.
Literature Review Document
Literature review document (rev 1.1.0)
International case review of the problem:
Enterprise: JFK Airport
Purpose: check-in, flight information, kiosk
Devices: access points, routers, kiosk (virtual machine), web content filtering
Security protocols: Advanced Encryption Standard (AES), 802.1X, Cisco Aironet, Cisco Compatible Extensions wireless, Wi-Fi Protected Access (WPA)
Literature Review Document
Local case study review of the problem:
Enterprise: HiLo Food Store
Purpose: goods receivables and billing
Primary devices (internal): handheld wireless devices (Motorola Symbol); access points (Cisco Aironet 1200) with access list / WPA Enterprise; 802.1X wireless authentication; Cisco 2950 switch; RADIUS authentication server (security); Active Directory authentication (AD DS)
Protocol: TCP/IP
Project name - Wireless Implementation and Design
Implementation and recommendation summary (rev 1.1.0), last revised 04/07/2010.

Purpose                                   Equipment                               Configuration
Active Domain Controller                  Windows 2008 Server (hardware to be specified)
RADIUS authentication server              Windows 2008 Server                     IAS (named Network Policy Server, NPS, on Windows Server 2008)
Security / connectivity (edge perimeter)  Cisco ASA5000 firewall                  Securing the external network
Gateway                                   Cisco 2950 router                       Routing
Connectivity - internal                   Cisco 2950 switch (VLAN)                VLAN configuration
Internal control - LAN                    Cisco Aironet 1200 access point         Access list
Security                                  Access point                            WPA2 Enterprise / TKIP
                                          RADIUS authentication server            RADIUS client

Note on the access point row: WPA2 requires the AES-CCMP cipher; TKIP is the WPA (version 1) compatibility cipher and should only be enabled for legacy clients that cannot do CCMP.
GRACEKENNEDY LIMITED - WIRELESS IMPLEMENTATION
CONTENTS Project Objective Project Design Documentation Purpose of Project Study
Project objective: the steps in setting up a secure wireless session and how to share such wireless services with guest users when needed.
PROJECT DESIGN DOCUMENT
GraceKennedy Jamaica Ltd is one of the fastest growing food distribution and manufacturing companies in Jamaica.
Setting up and deploying a secure wireless solution that gives our internal and external clients and stakeholders access is a number one priority.
Purpose of Project Study:
One of the main aims of this project is to identify the steps involved in setting up a secure wireless session and in sharing such services with guest users when required.
Design methodology: set up the networking and security infrastructure, then connect the devices on the wireless network.

Step  Topic
1. Install Microsoft Windows Server 2008. (Installation Settings for a Wireless Network Using Windows Server 2008)
2. Create a domain controller. (Domain Settings for a Wireless Network)
3. Configure the Dynamic Host Configuration Protocol (DHCP) server; create and authorize a scope. (DHCP Server Settings for a Wireless Network; design implemented on AD)
4. Use DHCP reservations to give the wireless access points fixed IP addresses. (Static IP Address Settings for the Wireless Access Points)
5. Configure Active Directory users and groups. (Configuring Active Directory for a Wireless Network)
6. Familiarize yourself with the certificate infrastructure. (Certificate Infrastructure for a Wireless Network)
7. Install certificate services and the RADIUS server role. (Installing Certificate Services and IAS on Windows Server 2008.) Note: on Windows Server 2008 the Internet Authentication Service (IAS) role is named Network Policy Server (NPS).
8. Configure certificate server templates. (Configuring Certificate Server Templates with Windows Server 2008)
9. Create the RADIUS clients: one entry per access point, each with its own shared secret. ("Add RADIUS clients"; IAS Client Settings for Windows Server 2008)
10. Create remote access policies (network policies in NPS). (Configuring Remote Access Policies with Windows Server 2008)
11. Configure both wireless access points. (Configuring the WPA-Enabled Wireless Access Point; Configuring the 802.1X Wireless Access Point)
Project scope and guide: Wireless Design and Implementation - Site (GraceKennedy)
Last Updated :

TASK                                            START/FINISH   RESPONSIBILITY   STATUS
Wireless Design project implementation          07-Jun-10
  1.0 Submission of Project Idea                               Group            Submitted
  1.1 Problem Statement                                        Sheldon
  1.2 Purpose of the project study                             Marlon
  1.3 Significance of the study                                Andrew
Literature Review Documentation                 22-Jun-10                       Submitted
  2.0 International Case Review of the problem                                  Completed
  2.1 Local case study                                                          Completed
  2.2 Implementation of recommendations
Implementation Strategy Document                29-Jun-10      Andrew
  3.0 Outline of design methodology                                             Completed
  3.1 Illustration of network design diagram                                    Completed
Final Presentation                              20-Jul-10
  4.0 Summary of project outcomes                                               Completed
  4.1 Demonstration of Simulated System Prototype                               Completed
  4.2 Conclusions and Recommendations                                           Presentation
RADIUS SERVER
Diagram and layout 1.
Diagram and layout 2.
[Network diagram: the Catalyst 3750 / 2960G / 2970 faceplate labels (port numbers, MODE, SYST/RPS/STAT/DUPLX/SPEED/STACK LEDs) are image residue and are not reproduced. The VLAN and addressing labels recovered from the diagram follow.]

New Distribution Centre Detail Network Diagram with VLANs

Core (Catalyst 3750 stack): VLAN 20 gateway 10.19.0.1 (10.19.0.2, 10.19.0.3 also in the data room); VLAN 5 172.20.20.10; Lime Metro uplink on VLAN 10 (10.40.40.2); the core trunks carry VLAN 20-26, VLAN 31-33 and VLAN 40.

Subnet Descriptions
Data Room/Backbone Network         = 10.19.0.0/24   VLAN 20
Ground Floor Network (data)        = 10.19.1.0/24   VLAN 21
Ground Floor Network (voice)       = 10.21.1.0/24   VLAN 31
First Floor Network (data)         = 10.19.2.0/24   VLAN 22
First Floor Network (voice)        = 10.21.2.0/24   VLAN 32
Second Floor Network (data)        = 10.19.3.0/24   VLAN 23
Second Floor Network (voice)       = 10.21.3.0/24   VLAN 33
General Warehouse Network (data)   = 10.19.4.0/24   VLAN 24
General Warehouse Network (voice)  = 10.21.4.0/24   VLAN 34
Wireless network                   = 10.19.5.0/24   VLAN 25
Security Network                   = 10.19.6.0/24   VLAN 26
Island Networks Data Network       = x.x.x.x        VLAN 40

Closet switches (management address in VLAN 20; ports 47-52 or 23-28 are the uplink trunks, all other ports in the listed access VLANs):
  Second Floor Data Switch (Catalyst 2960G)   10.19.0.4   VLAN 20, 23 (data), 33 (voice)
  First Floor Data Switch (Catalyst 2960G)    10.19.0.5   VLAN 20, 22 (data), 32 (voice)
  Ground Floor Data Switch (Catalyst 2960G)   10.19.0.6   VLAN 20, 21 (data; one label on the diagram reads 22), 31 (voice)
  Data Closet, Warehouse Office, Distribution Office, Security Gate and GKI Int Office data switches (Catalyst 2970)   10.19.0.7 to 10.19.0.11   VLAN 20, 24 (data), 34 (voice); wireless VLAN 25 on the access point ports (41-46 and 17-20); Island Network VLAN 40 on port 21 of the Distribution Office switch
  Security switches (VLAN 26 only: Ground Floor, Distribution, Warehouse, Security Gate, Data Closet, GKI Int Office)   10.19.6.10 to 10.19.6.15   security section ports 33-36 and 27-28, uplinks 51-52

Other labelled nodes: IP MONITOR, CITRIX.
SUMMARY
Most wireless networks are based on the IEEE® 802.11 standards. A basic wireless network consists of multiple stations communicating with radios that broadcast in either the 2.4GHz or 5GHz band (though this varies according to the locale and is also changing to enable communication in the 2.3GHz and 4.9GHz ranges).
802.11 networks are organized in two ways: in infrastructure mode one station acts as a master with all the other stations associating to it; the network is known as a BSS and the master station is termed an access point (AP). In a BSS all communication passes through the AP; even when one station wants to communicate with another wireless station messages must go through the AP. In the second form of network there is no master and stations communicate directly. This form of network is termed an IBSS and is commonly known as an ad-hoc network.
If you decide to build a wireless network, you'll need to take steps to protect it: you don't want your competitors hitchhiking on your wireless signal. Wireless security options include:
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA)
Media Access Control (MAC) address filtering
You choose which method (or combination of methods) to use when you configure the access point or wireless router. WEP is part of the original IEEE 802.11 standard and WPA/WPA2 are the Wi-Fi Alliance's implementations of IEEE 802.11i; MAC address filtering is an access point feature rather than a security standard, and it is defeated by copying the address of an authorized client. WEP has been shown to be broken very easily, because every frame is encrypted with RC4 under the fixed key plus a 24-bit initialization vector that is sent in the clear and soon repeats. Temporal Key Integrity Protocol (TKIP) was WPA's interim fix for WEP-era hardware: it wraps the same RC4 cipher with per-packet keys, a longer sequence counter and a message integrity check, so it could be deployed as a driver or firmware upgrade without replacing the radios.
Think of it like wrapping a bandage around a cut finger: the bandage protects the finger without preventing it from carrying out its normal functions. The bandage has since worn out, though: TKIP is itself deprecated, and WPA2 uses AES-CCMP, which is what the access points in this design should be set to.
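The following Python program is an added example, not part of the original project document; it shows the specific WEP weakness referred to above. The 40-bit key, the IV and the two frame payloads are constructed for the demonstration. Because the per-frame RC4 key is only IV || shared key, two frames sent under the same IV share a keystream, and an attacker who knows the plaintext of one of them (for instance traffic they caused themselves, or the fixed LLC/SNAP header every IP frame starts with) reads the other without ever learning the key.

```python
"""Why WEP breaks: the RC4 keystream depends only on (IV || key) and the 24-bit IV repeats."""
import zlib

# LLC/SNAP header that starts every IPv4 data frame on 802.11: the classic known plaintext.
SNAP_IPV4 = bytes.fromhex("aaaa030000000800")


def rc4_keystream(key, length):
    """Standard RC4 key scheduling plus PRGA, returning `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key40, iv, plaintext):
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) XOR (plaintext || CRC-32 ICV).
    The per-frame key is just IV || shared key, so equal IVs give equal keystreams."""
    if len(iv) != 3 or len(key40) != 5:
        raise ValueError("WEP-40 uses a 24-bit IV and a 40-bit key")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4_keystream(iv + key40, len(plaintext) + 4)
    return iv + xor(plaintext + icv, keystream)


def wep_decrypt(key40, frame):
    """Legitimate receiver: strip the IV, undo RC4, check the CRC-32 ICV."""
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4_keystream(iv + key40, len(body)))
    plaintext, icv = clear[:-4], clear[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def recover_from_iv_reuse(known_frame, known_plaintext, target_frame):
    """Attacker: C1 XOR P1 reveals the keystream for this IV, and keystream XOR C2
    reveals P2 for as many bytes as P1 is known. No key material is needed."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("frames do not share an IV")
    keystream = xor(known_frame[3:], known_plaintext)   # recovered keystream prefix
    return xor(target_frame[3:], keystream)


def iv_collision_expectation(iv_bits=24):
    """Birthday bound: with random IVs a repeat is expected after about 2**(bits/2) frames."""
    return 2 ** (iv_bits // 2)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")            # constructed 40-bit shared key
    iv = b"\x00\x00\x01"                         # many APs start the IV counter at a low value
    known = SNAP_IPV4 + b"ECHO-REQUEST-KNOWN-PAYLOAD"          # frame the attacker caused
    secret = SNAP_IPV4 + b"GET /intranet/payroll HTTP/1.0\r\nHost: gk.local\r\n"
    f1 = wep_encrypt(key, iv, known)
    f2 = wep_encrypt(key, iv, secret)            # same IV reused for a different frame
    print(recover_from_iv_reuse(f1, known, f2))  # first len(known) bytes of `secret`, in clear
    print("IV repeat expected after about", iv_collision_expectation(), "frames")
```

With a 24-bit IV and random selection, a repeat is expected after roughly 4096 frames; with counters that reset to zero on every reboot, repeats arrive far sooner. TKIP's 48-bit sequence counter and per-packet key mixing remove this particular failure, and CCMP replaces RC4 altogether.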
Wireless access can provide the following benefits:
Strong authentication. IEEE 802.1X was a port-based access control standard for Ethernet switches that was adapted to 802.11 wireless LANs to provide much stronger authentication than the original 802.11 standard offered. Wireless network authentication can be based on different EAP methods, such as a secure password (the user account name and password credentials) or a digital certificate. IEEE 802.1X prevents a wireless node from joining the wireless network until it has authenticated successfully. Additionally, the mutual authentication component of EAP, in which the client validates the RADIUS server's certificate, prevents wireless users from connecting to rogue wireless access points (APs) and rogue NPS servers; this protection only exists if the clients are configured to validate the server certificate against a trusted root and expected server name.
Although 802.1X authenticated access is optimal for medium and large wireless LANs, it can also be used by small organizations that require strong security. An 802.1X authenticated wireless access infrastructure consists chiefly of servers running Network Policy Server (NPS) and an account database such as the Active Directory Domain Services (AD DS) account database. IEEE 802.1X carries the Extensible Authentication Protocol (EAP) between the client and the AP; the AP relays the EAP messages to NPS inside RADIUS packets as a registered RADIUS client, and a shared secret configured on both ends authenticates that RADIUS traffic in each direction.
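As an added example, not taken from the project or from Microsoft's guides, the following Python implements the RADIUS shared-secret checks that step 9 of the design methodology ("Add RADIUS clients") configures and that the paragraph above relies on: the Message-Authenticator HMAC that lets NPS reject an Access-Request from an access point it has not registered (RFC 3579 section 3.2), and the Response Authenticator that lets the access point reject an Access-Accept forged by a rogue RADIUS server (RFC 2865 section 3). The shared secret, the access point address 10.19.5.2 (assumed to sit in the wireless VLAN from the diagram), the user name and the EAP payloads are all constructed for the demonstration.

```python
"""RADIUS shared-secret checks between an 802.1X AP (RADIUS client) and NPS (RFC 2865, RFC 3579)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def attr(attr_type, value):
    """One Type-Length-Value attribute; Length counts its own two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Yield (offset, type, value) for every attribute, rejecting inconsistent lengths."""
    if len(packet) < HEADER_LEN or struct.unpack_from("!H", packet, 2)[0] != len(packet):
        raise ValueError("Length field does not match packet size")
    pos = HEADER_LEN
    while pos < len(packet):
        attr_type, attr_len = struct.unpack_from("!BB", packet, pos)
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def _mac_offset(packet):
    """Offset of the 16-byte Message-Authenticator value (mandatory whenever EAP-Message is present)."""
    for pos, attr_type, value in parse_attrs(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            return pos + 2
    raise ValueError("Message-Authenticator missing")


def _sign(packet, request_authenticator, secret):
    """Fill in Message-Authenticator = HMAC-MD5(secret, packet), computed with the *request*
    authenticator in the header and the MAC field itself zeroed (RFC 3579 section 3.2)."""
    off = _mac_offset(packet)
    zeroed = packet[:4] + request_authenticator + packet[20:off] + bytes(16) + packet[off + 16:]
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return packet[:off] + mac + packet[off + 16:]


def _mac_ok(packet, request_authenticator, secret):
    try:
        off = _mac_offset(packet)
    except ValueError:
        return False
    expected = _sign(packet, request_authenticator, secret)[off:off + 16]
    return hmac.compare_digest(packet[off:off + 16], expected)


def build_access_request(identifier, secret, user, nas_ip, eap_payload, request_authenticator=None):
    """AP side: relay the supplicant's EAP message to the RADIUS server."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)          # fresh random value per request
    attrs = (attr(USER_NAME, user.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(EAP_MESSAGE, eap_payload)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return _sign(header + request_authenticator + attrs, request_authenticator, secret)


def verify_access_request(packet, secret):
    """Server side: only a registered RADIUS client holding the shared secret passes."""
    return (len(packet) >= HEADER_LEN and packet[0] == ACCESS_REQUEST
            and _mac_ok(packet, packet[4:20], secret))


def build_response(code, request, secret, attr_list):
    """Server side: Access-Challenge/Accept/Reject cryptographically bound to the request."""
    identifier, request_authenticator = request[1], request[4:20]
    attrs = b"".join(attr_list) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    signed = _sign(header + request_authenticator + attrs, request_authenticator, secret)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + signed[20:] + secret).digest()
    return header + response_authenticator + signed[20:]


def verify_response(response, request, secret):
    """AP side: drop replies not bound to our request with our secret (rogue RADIUS server)."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    request_authenticator = request[4:20]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(response[4:20], expected):
        return False
    return _mac_ok(response, request_authenticator, secret)


def eap_response_identity(identity, eap_id=1):
    """EAP Response/Identity: Code=2, Identifier, Length, Type=1, identity (RFC 3748)."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # entered on NPS for this AP and on the AP itself
    user = "gk\\dnewman"
    req = build_access_request(7, secret, user, "10.19.5.2", eap_response_identity(user.encode()))
    print("genuine AP accepted by NPS:", verify_access_request(req, secret))
    rogue_ap = build_access_request(7, b"guess", user, "10.19.5.2", eap_response_identity(user.encode()))
    print("rogue AP accepted by NPS:", verify_access_request(rogue_ap, secret))
    print("tampered EAP accepted by NPS:", verify_access_request(req.replace(b"dnewman", b"dnewmax"), secret))
    peap_start = b"\x01\x02\x00\x06\x19\x20"    # EAP-Request, type 25 (PEAP), Start flag
    challenge = build_response(ACCESS_CHALLENGE, req, secret, [attr(EAP_MESSAGE, peap_start)])
    print("NPS challenge accepted by AP:", verify_response(challenge, req, secret))
    forged = build_response(ACCESS_ACCEPT, req, b"guess", [])
    print("forged Access-Accept accepted by AP:", verify_response(forged, req, secret))
```

The shared secret only authenticates the AP-to-NPS hop; it does not protect the user. The user's credentials are protected by the EAP method carried inside (the TLS tunnel of PEAP or EAP-TLS), which is why the client-side certificate validation described above matters independently of these RADIUS checks.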
Infrastructure flexibility. In general, WLANs can extend or replace a wired infrastructure in situations where it is costly, inconvenient, or impossible to lay cables. A wireless LAN can connect the networks in two buildings that are separated by physical obstacles or financial constraints. You can also use wireless LAN technologies to create a temporary network, which is in place for only a specific amount of time.
Additionally, deploying a wireless network, in instances where a company needs to rapidly expand their workforce, can be a more efficient and cost effective alternative than installing the physical cabling required for a traditional Ethernet network. And even if no wireless infrastructure is present, wireless portable computers can still form their own ad hoc networks to communicate and share data with each other.
Mobility and productivity. Wireless access can increase productivity for employees that require mobility. Mobile users who are equipped with a portable computer can remain connected to the network. This enables the user to change locations—to meeting rooms, hallways, lobbies, cafeterias, classrooms, and so forth—and still have access to network resources.
Without wireless access, the user must carry Ethernet cabling and is restricted to working near a network jack. Wireless LAN networking is a perfect technology for environments where movement is required.
CONCLUSION
There are some fundamental prerequisites that must be met before implementing or deploying any wireless network:
Before deploying this scenario, you must first purchase and install 802.1X-capable wireless APs to provide wireless coverage in the locations you want at your site.
Active Directory Domain Services (AD DS) is installed, as are the other network technologies, according to the instructions in the Windows Server 2008 Foundation Network Guide.
Server certificates are required when you deploy Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2): the user authenticates with a password, but the TLS tunnel that protects that exchange is authenticated by the NPS server's certificate, which the clients must be configured to validate. For information about deploying server certificates, see Foundation Network Companion Guide: Deploying Server Certificates.
Server certificates and computer and user certificates are required when you deploy Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). For information about deploying user and computer certificates, see Foundation Network Companion Guide: Deploying Computer and User Certificates.
This guide uses a step-by-step approach to help you decide which design best fits your wireless access needs and to help you create a design based on the most common wireless design goals. The two scenarios are:
Wireless access by using PEAP-MS-CHAP v2 for secure password authentication. This design is well suited to small businesses and medium organizations. Secure password authentication provides strong security, provided the wireless clients validate the NPS server certificate so that a rogue AP cannot collect credentials, and uses domain account credentials (user name and password) for client authentication.
When deploying wireless access by using PEAP-MS-CHAP v2, you can either purchase certificates from a public certification authority (CA), such as VeriSign, or deploy a private CA on your network by using Active Directory Certificate Services (AD CS).
Wireless access by using either EAP-TLS or PEAP-TLS for authentication using digital certificates. This design is well suited to medium- and enterprise-sized networks. Digital certificates provide more robust security than secure password authentication. They are either smart cards or certificates issued to your users and computers by the CA you deploy on your network. If your wireless solution uses either EAP-TLS or PEAP-TLS, you must deploy a private CA on your network by using AD CS.