Network and Communications Management

Date post: 13-Apr-2017
Upload: lee-trieu
Page 1: Network and Communications Management

Honeymoon Holidays

Course Title:

Business Information Systems with Cloud Computing

Lecturer Name:

Brian Hickey

Module/Subject Title:

B8IT045 – Network & Communications Management

Assignment Title:

Honeymoon Holidays Co. Case Study

Number of words

5,474 (Excluding TOC, Exec. Summary, Conclusion & Bibliography)

NETWORK ASSESSMENT AND DESIGN

APRIL 2016

DUBLIN BUSINESS SCHOOL

www.dbs.ie

CONTENTS

Figures and Diagrams......................................................................................................................2

Executive Summary.........................................................................................................................4

Current Organizational Structure.....................................................................................................5

Current Systems Review & network design....................................................................................6

Current System Architecture...........................................................................................................8

1. Hardware...........................................................................................................................8

2. Software............................................................................................................................8

Proposed Network and Systems Overview......................................................................................9

Business Case for Updating the Network and Systems...............................................................9

High Level Network Design (see attached visio diagram for detailed layout)..............................10

System Architecture.......................................................................................................................10

1. Hardware.........................................................................................................................10

Communications............................................................................................................................14

Routers...........................................................................................................................................15

Switches.........................................................................................................................................15

Cabling...........................................................................................................................................16

Software.........................................................................................................................................17

Desktop and Office........................................................................................................................18

Detailed Network Design..............................................................................................................20

Local Area Network...................................................................................................................20

1. Dublin..............................................................................................................................20

Cork...............................................................................................................................................26

Premium Travel..........................................................................................................................26

Wide Area Network....................................................................................................................28

1. Inter-Office Communications.........................................................................................28

OSI Model..................................................................................................................................29

Data Transfer..............................................................................................................................31

Security..........................................................................................................................................33

1. Provided Measures..........................................................................................................33

2. Further Considerations....................................................................................................34

Proposed Wireless plan..................................................................................................................35

Wireless AP................................................................................................................................35

Indoor Enterprise WLAN Deployment......................................................................................35

Planning Wi-Fi layout..............................................................................................................37

Implementation..............................................................................................................................40

Rollout Phases............................................................................................................................40

Risk management...........................................................................................................................41

CONCLUSION..............................................................................................................................44

APPENDICES...............................................................................................................................45

Appendix 1 – Vendor Selection.................................................................................................45

Airwatch for mobile security......................................................................................................50

Appendix 2 – Hardware Selection..............................................................................................52

Appendix 3 – Software Selection...............................................................................................54

Appendix 4 – Business Requirements........................................................................................56

Appendix 5 - Star Network explanation.....................................................................................59

Appendix 6 – Costing.................................................................................................................60

Bibliography..................................................................................................................................61

FIGURES AND DIAGRAMS

1 Current HR structure for Honeymoon Holidays...........................................................................6

2 Existing IT Infrastructure.............................................................................................................7

3 Proposed Network Layout..........................................................................................................11

4 StoreFront Web API - Citrix Logon...........................................................................................13

5 Citrix logon screen presented to user..........................................................................................14

6 VLAN pruning............................................................................................................................17

7 Proposed VLAN layout..............................................................................................................18

8 Network for Accounts Department.............................................................................................21

9 VLAN layout for HR & Management Dublin............................................................................22

10 VLAN layout for Sales team Dublin........................................................................................22

11 VLAN layout for Administration Dublin.................................................................................24

12 Access Switch MVRP Client....................................................................................................25

13 Access Switch MVRP Client....................................................................................................25

14 VLAN layout Cork Office, Switch 9........................................................................................27

15 VLAN layout Cork Office, Switch 10......................................................................................27

16 Printer Scanner Copier, Cork office.........................................................................................28

17 QoS Strategy.............................................................................................................................30

18 OSI Layer model......................................................................................................31

19 OSI 7 layers..............................................................................................................................32

20 Data flow through the OSI model.............................................................................................32

21 Data Encapsulation...................................................................................................................33

22 FortiAP Wireless AP................................................................................................................37

23 Channel Reuse for 2.5GHz band..............................................................................................38

24 Typical Wireless AP layout with Channels..............................................................................39

25 Multiple Access Points (roaming enabled)...............................................................................40

26 Risk Analysis 1.........................................................................................................................42

27 Potential Risks for Honeymoon Holidays................................................................................43

28 Recommended Risk Control for Honeymoon Holidays...........................................................44

EXECUTIVE SUMMARY

Honeymoon Holidays proposes to upgrade its IT infrastructure by adding significant functionality, incorporating a complete review of how it does business today and new proposals for future business needs and expansion. The proposal includes a complete overview of the current IT infrastructure in the Dublin and Cork offices, including small satellite sites. The current IT infrastructure in the Dublin and Cork offices is disjointed in design (no coherent network between departments), preventing effective sharing of documentation, ideas and communication, and reducing efficiency.

The proposed upgrade is to provide on-premises servers (including backup), laptops, mobile phones and printers, all running seamlessly over a purpose-built network using Fortinet routers/switches which utilize the latest security concepts. Email infrastructure, office documentation and VoIP will be a cloud-based solution running on the MS Azure platform. All offices and employees will be network-enabled, allowing them instant and reliable access to databases, applications, business reports and flight/hotel booking menus.

All of the existing user hardware is outdated and will be replaced by laptops, tablets and mobile phones where applicable. To reduce cost, the front desks of Sales, Administration, HR and Trainees will be serviced by dumb terminals running secure Citrix XenDesktop for login. The secure login will allow managed access to pertinent applications, which can be easily secured by Microsoft (Active Directory) and Citrix security policies.

HR, Accounts, Sales and Administration will run Sage business software. Office 365, Exchange Server 2016 and Skype for Business will be deployed and made available on site and on mobile phones. Sales personnel will have access to the network 24/7, either by logging in at the office or remotely via mobile phone over secure SecurID authentication.

The Fortinet devices that are recommended are future-proof for expansion within Honeymoon Holidays. Both FortiGate models, the 100D and the 90D, allow the Dublin and Cork offices to double in size. As the Fortinet device is an all-in-one box, it allows for future requirements such as a SOC (Security Operations Center), database security, LAN, mobile, cloud SaaS and remote users. Fortinet is also the only provider that allows trade-in of old equipment that is at end of life and trade-up on devices, and the more you add on, the cheaper it becomes.

CURRENT ORGANIZATIONAL STRUCTURE

1 Current HR structure for Honeymoon Holidays

CURRENT SYSTEMS REVIEW & NETWORK DESIGN

2 Existing IT Infrastructure

Currently the Honeymoon Holidays systems are not communicating with each other, which is resulting in disconnection between departments as there are no internal communications.

The MD is currently using USB/CD to transfer files, which is not an effective or secure method.

HR is still paper-based, which means there is no backup of files should a fire or other disaster occur.

The Sales department has to contact the office at 5:30 each day to get updates on pricing, which is not effective as there are no real-time updates.

There is no direct overview of the Cork office.

Accounts has no view of Sales, HR or Admin, and there is no shared folder to see anything from Finance.

CURRENT SYSTEM ARCHITECTURE

1. HARDWARE

Client-server with MS Workgroup is deprecated.

UNIX mini-computer is not fit for purpose based on the company’s requirements.

Desktops are dated and in need of replacement.

No details on telephony, assume standard phones.

Routers, some presence, likely dated ISDN modem/router

Switches, some presence, likely dated and in need of replacement

Cabling, some presence, likely dated and in need of replacement

Internet, outdated 1 line and 4 line ISDN connections

2. SOFTWARE

There is no security software in place to note

Known desktop software is out of support, dated and in need of replacement across the board.

PROPOSED NETWORK AND SYSTEMS OVERVIEW

BUSINESS CASE FOR UPDATING THE NETWORK AND SYSTEMS

Pros: In the modern day of sharing and exchanging information quickly and instantly, it is imperative that a spread-out organization (a business with multiple locations) has a well-connected office network. This can only be achieved by making sure these locations are connected (networked).

By networking all locations and systems, they will be able to feed, report and collect information which will support the success of the business and the delivery of projects.

The extensive availability and economies of scale of SaaS, PaaS and IaaS solutions mean it is more important than ever that all staff are connected, to each other and to the internet.

A key benefit is the long-term reduction of the Total Cost of Ownership (TCO) of IT for the business. The use of thin-client end-user desktops running virtual desktop images is a good example of this, giving economies of scale and reducing the need for expensive replacement of physical hardware on an ongoing basis. Ultimately, this could also be a candidate for cloud hosting, but at present our recommendation is local servers for Citrix and AD to ensure users always have basic services and data available from their own offices.

Customer expectations in modern times are for a seamless, simple experience regardless of the channel through which they engage with the business; on this front it is imperative that Honeymoon Holidays has a simple, consistent approach to the services it provides. To achieve this, all satellite offices, the Cork office and “on-the-road” salespeople must have access to the same services available at the Dublin main office or hosted in the cloud through third-party providers. Our network architecture below achieves this, putting the customer first in ensuring quality delivery of simple services.

Cons: As with any implementation of the above, there is a cost involved. First is hiring the experts to implement it, then the capital to buy the hardware, and then the running costs of the ISP and VoIP telephony. We can expect a need for ongoing IT support for the new systems on top of the capital costs, plus annual support and maintenance costs from the various vendors. However, the risk of doing nothing is that the business will not remain competitive when consumers have so many options for making holiday bookings from the comfort of their own home, with quality after-service available.

Chris Aherne, 03/20/16,
Question 1: Produce coherent arguments as to the advantages and disadvantages of implementing a network for the above system.
HIGH LEVEL NETWORK DESIGN (SEE ATTACHED VISIO DIAGRAM FOR DETAILED LAYOUT)

3 Proposed Network Layout

SYSTEM ARCHITECTURE

1. HARDWARE

SERVERS

The servers are Dell PowerEdge 13G R630 rack servers running Windows Server 2012.

DESKTOPS

An easy-to-use, common interface allows employees access to apps in the office and remotely using Citrix Receiver. Citrix Receiver connects to TCP port 443 and communicates with StoreFront via the StoreFront Services API (see the Citrix logon image below). The applications run on virtual machines managed from the central Citrix server, which provides the security and authentication. The Citrix server is easily maintained, upgraded (software/hardware) and backed up from a central source. There is no requirement to deploy software patches or security updates to remote VDIs, employees’ personal computers or BYOD devices. One of VDI’s main benefits is that it is easy to provision new instances and delete them when you are done with them. This also implies that separate virtual domains can easily be built on the server, allowing even greater security between sales, accounts, managers and employees. Future expansion is effortless and seamless to implement.

Chris Aherne, 03/20/16,
Question 2: Design a network for the above system. This should include a detailed network plan, with diagrams, functional area breakdowns, IP Planning, Wan planning, security planning, expansion planning, risk management planning, etc…

With VDI, the data is presented visually and the data traverses the network to the employee device from a remote server. This makes VDI very attractive as a security concept as it reduces the risk of data theft or loss. For some employees, just being able to access their desktop from any location without having to use the same client device (designated desk) every time is a big benefit. Employees moving between work locations can access the same desktop environment with their applications and data.

Citrix XenDesktop offers a stable platform to run the MS Office 365 suite and Windows 10, and integrates seamlessly with MS Active Directory, MS Exchange 2016 and integrated VOIP/Skype for Business (S4B). By using RDSH VDI (XenDesktop) with Exchange operating in cached mode, the location of the Exchange server becomes irrelevant (in this case, in the cloud).

The main operations available through this API include:

• Authenticating users through a variety of methods: explicit forms, domain pass-through, smart card, NetScaler Gateway Single Sign-On and post credentials.

• Enumerating applications/desktops.

• Enumerating available HDX sessions.

• Reconnecting, disconnecting and logging off HDX sessions.

• Launching applications/desktops.

• Powering off specific VDI desktops.

• Retrieving images and icons for applications/desktops.

• Subscribing to applications.

StoreFront Web API for secure login over Citrix

Receiver for Web is a component of Citrix StoreFront providing access to applications and desktops using a Web browser over HTTPS (SSL 2.0 and/or TLS). It comprises a User Interface tier and a StoreFront Services Web Proxy tier. This architecture is illustrated below.

4 StoreFront Web API - Citrix Logon

CitrixReceiver configuration

The Web Proxy tier is a bridge between the UI tier and the StoreFront Services (namely the Authentication Service and the Store Service). It provides a simplified API suitable for consumption by a JavaScript/Ajax client running in a Web browser. HTTPS is used to secure data passing between the server and StoreFront. HTTPS uses SSL and TLS, providing strong data encryption. However, since StoreFront requires IIS to communicate effectively with Active Directory, it is advisable that the SSL 2.0 provided by IIS is used.

5 Citrix logon screen presented to user

ROUTERS

We are recommending Juniper routers to fit in with the switch selections and ensure all relevant protocols are supported across the network.

The MX series routers are affordable and provide the below requirements:

• VPLS – Virtual Private LAN interface.

• MPLS Label-Switched Path and Fast Reroute.

• Bidirectional Forwarding Detection.

• Hierarchical QoS.

• Pay-as-you-grow capacity upgrades available.

SWITCHES

We are recommending Juniper switches that support the MVRP Layer 2 protocol (IEEE 802.1ak), allowing VLAN-to-VLAN traffic. This does not encapsulate frames; it inserts a tag and computes a new frame check sequence at the end of the frame. “Trunk ports” are used between the Layer 2 access switches and the Layer 3 distribution switches. Using MVRP, the trunk ports are automatically provisioned based on which VLANs have devices connected to each of the access switches. This benefits overall network performance by avoiding the distribution of unwanted traffic from the distribution switches.

6 VLAN pruning

(YouTube, 2016)

All switches must also support the required Power over Ethernet (POE) and dual power supplies.
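As an added illustration of the tagging behaviour described in the switches section above (this is example code written for this page, not Juniper’s or the assignment’s own), the following Python script builds a plain Ethernet frame, inserts an IEEE 802.1Q VLAN tag (the 0x8100 TPID followed by a 16-bit TCI carrying the priority bits and the VLAN id) directly after the source MAC, and recomputes the frame check sequence. The FCS is the same CRC-32 that zlib computes, transmitted least-significant byte first. The MAC addresses and payload are constructed sample values; VLAN id 2 is the VOIP VLAN of the proposal, and priority 5 is assumed here as a voice class for the sample.

```python
import struct
import zlib

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800


def fcs(frame_body):
    """Ethernet frame check sequence over destination MAC .. payload.

    The 802.3 FCS is the same CRC-32 that zlib computes (polynomial
    0x04C11DB7, reflected, initial and final value 0xFFFFFFFF) and it is
    transmitted least-significant byte first, hence the "<I" packing.
    """
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    """Untagged frame: DA(6) SA(6) EtherType(2) payload FCS(4)."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def insert_vlan_tag(frame, vid, pcp=0, dei=0):
    """Insert an 802.1Q tag after the source MAC and recompute the FCS.

    Nothing is wrapped or encapsulated: the tag (TPID + TCI, 4 bytes) is
    spliced in at offset 12 and the original EtherType and payload follow it
    unchanged, which is why the only other field that changes is the FCS.
    """
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("VID must be 0-4095, PCP 0-7, DEI 0 or 1")
    body = frame[:-4]
    if fcs(body) != frame[-4:]:
        raise ValueError("input frame failed its FCS check")
    tci = (pcp << 13) | (dei << 12) | vid        # priority(3) DEI(1) VID(12)
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + fcs(tagged)


def parse_vlan_tag(frame):
    """Return (vid, pcp, inner EtherType) for a tagged frame, None if untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    tci, inner_ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner_ethertype


def strip_vlan_tag(frame):
    """Remove the 802.1Q tag (what an access port does on egress) and re-FCS."""
    body = frame[:-4]
    if struct.unpack("!H", body[12:14])[0] != TPID_8021Q:
        return frame
    untagged = body[:12] + body[16:]
    return untagged + fcs(untagged)


# Constructed sample frame: made-up MAC addresses and a 46-byte zero payload
# (the minimum Ethernet payload), carrying EtherType IPv4.
SAMPLE_FRAME = build_frame(
    bytes.fromhex("02005e000001"),
    bytes.fromhex("02005e000002"),
    ETHERTYPE_IPV4,
    bytes(46),
)

if __name__ == "__main__":
    # VLAN 2 is the VOIP VLAN of the proposal; priority 5 is assumed here as
    # the voice class for the sample.
    tagged = insert_vlan_tag(SAMPLE_FRAME, vid=2, pcp=5)
    print("untagged length:", len(SAMPLE_FRAME), "tagged length:", len(tagged))
    print("tag fields (vid, pcp, inner ethertype):", parse_vlan_tag(tagged))
    print("FCS before/after:", SAMPLE_FRAME[-4:].hex(), tagged[-4:].hex())
    print("strip restores original:", strip_vlan_tag(tagged) == SAMPLE_FRAME)
```

Running the script shows the frame growing by exactly four bytes, the original bytes surviving unchanged on either side of the tag, and a new FCS; stripping the tag restores the original frame byte for byte, which is the round trip a trunk-to-access-port path performs.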

CABLING

We would recommend the CAT6 specification as it is suitable for up to 10 gigabit Ethernet at 250 MHz and would future-proof the network. CAT6 has an internal separator that isolates the pairs from one another, which means it is much better at limiting crosstalk than CAT5 and CAT5e. We would highly recommend using the star topology as this centralizes management of the network through the use of the central switch. It is also easier to add another computer to the network, and if one computer on the network fails, the rest of the network continues to function normally. Network Solutions offer installation and configuration at a low rate and are highly recommended (Appendix 3).

2. COMMUNICATIONS

Email, VOIP and Desktop applications.

The recommended employee-facing services are Office 365 Business (a SaaS service), Exchange Server 2016 and Skype for Business. These services can be provided on Microsoft Azure and are managed centrally by Microsoft. Email will become the communication medium of choice within the business. Having Exchange and Office 365 in the cloud enhances document sharing and eliminates document version-control problems. Background maintenance and product updates are managed centrally by the hosting provider, eliminating the need for on-site dedicated IT support. Also provided are Data Loss Prevention, Managed Availability, automatic recovery from storage failures and a web-based Exchange admin center for managing user accounts and security (managed either internally or externally).

Skype for Business

Office 365 Business Enterprise customers can avail of S4B for the following:

Skype Meeting Broadcast – enabling meetings over the internet (10,000 connections max).

PSTN Conferencing (invite people to join meetings via landline or mobile phones).

Free calls and meetings within the business.

Integrated IM within the business with the option to make available to external clients. Will allow remote chat support to clients querying holiday booking or enquiries.

Skype uses ‘MS Notification Protocol 24’, moving away from a peer-to-peer architecture. The protocol specification has not been made publicly available. Included in S4B are video conferencing and instant messaging, where messages are easily shared with a single user or multiple users of the service. Group meetings and sharing of information can be performed easily without the need for users to leave their desks and enter a meeting room.

We would recommend EIR as they are a gold CISCO house for many years and have the best experience in the industry to deploy VOIP solution (https://business.eir.ie/sipvoice).

The SIP-enabled IP PBX provides the telephony infrastructure inside the business and replaces the PBX server. This allows you to rapidly scale to cope with temporary or seasonal demand.

SIP voice ultimately costs less for voice service and secures the added benefit of resilience. It is a unified communications and collaboration service, allowing voice and video to traverse IP networks, although bandwidth and quality of service must be carefully managed to protect application performance.

Important considerations in choosing a cloud VOIP provider are:

Quality of Codecs: Sound quality of the audio communication and also the bandwidth being used.

Quality of Service (QOS): Must have low latency and sufficient bandwidth for successful VOIP setup.

3. VLANS

We are recommending segregating the internal network into four separate subnets, as below:

VLAN     VLAN Name   Subnet Mask        Network Add.   Broadcast Add.   Total Hosts
VLAN 1   Users       255.255.252.0      10.1.0.0       10.1.63.255      1,022
VLAN 2   VOIP        255.255.252.0      10.200.0.0     10.200.63.255    1,022
VLAN 3   Devices     255.255.255.0      192.168.1.0    192.168.1.255    254
VLAN 4   Servers     255.255.255.240    192.168.2.0    192.168.2.15     14

7 Proposed VLAN layout

VLAN 1 will be for the users, covering all XenDesktop thin-client connections, all laptops and all mobile access. It is a /22 network to allow growth in host connections, particularly as users utilize more devices (thin-client desktop, laptop, tablet, phone).

VLAN 2 will be for the VOIP real-time audio communications, again a /22 network with plenty of capacity for growth.

VLAN 3 will be for all network-attached devices such as printers, scanners etc. This will be a /24 network as there are much lower capacity requirements and less growth expected.

VLAN 4 will be for the servers. This is a /28 network with only 14 hosts, acting as a simple first measure of security for the servers by reducing the number of potential IPs in the same VLAN.
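To check the addressing plan above, here is an added worked example (written for this page, not part of the original assignment) that derives the network address, broadcast address, netmask and usable host count from each VLAN’s prefix length using Python’s standard ipaddress module, checks that no two VLAN subnets overlap, and maps a host address to its VLAN. The VLAN ids, names and networks are those of the proposal; the sample host addresses are constructed for the demonstration. Note that for a /22 the computed broadcast is 10.1.3.255, the value used in the per-department pages in the Detailed Network Design, and that 10.1.63.255 does not fall inside 10.1.0.0/22 at all.

```python
import ipaddress

# VLAN plan from the proposal: (VLAN id, name, network prefix).
VLAN_PLAN = [
    (1, "Users",   "10.1.0.0/22"),
    (2, "VOIP",    "10.200.0.0/22"),
    (3, "Devices", "192.168.1.0/24"),
    (4, "Servers", "192.168.2.0/28"),
]


def describe_vlan(cidr):
    """Derive the addressing facts for one subnet from its prefix length.

    strict=True makes ipaddress reject a prefix whose host bits are not all
    zero (e.g. "10.1.1.0/22"), which catches a mistyped network address.
    Usable hosts exclude the network and broadcast addresses.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "usable_hosts": net.num_addresses - 2,
    }


def check_no_overlap(plan):
    """Return the list of VLAN id pairs whose subnets overlap (empty is good).

    Overlapping subnets would give two VLANs a claim to the same addresses,
    so this is the first sanity check to run on any addressing plan.
    """
    nets = [(vid, ipaddress.ip_network(cidr, strict=True)) for vid, _, cidr in plan]
    overlaps = []
    for i, (vid_a, net_a) in enumerate(nets):
        for vid_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append((vid_a, vid_b))
    return overlaps


def vlan_for_address(plan, addr):
    """Return the VLAN id whose subnet contains addr, or None if no VLAN does."""
    ip = ipaddress.ip_address(addr)
    for vid, _, cidr in plan:
        if ip in ipaddress.ip_network(cidr, strict=True):
            return vid
    return None


def plan_table(plan):
    """Rows of the addressing table, one dict per VLAN, for printing or review."""
    rows = []
    for vid, name, cidr in plan:
        row = {"vlan": vid, "name": name, "cidr": cidr}
        row.update(describe_vlan(cidr))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in plan_table(VLAN_PLAN):
        print("VLAN {vlan:<2} {name:<8} {cidr:<16} mask {netmask:<16} "
              "bcast {broadcast:<15} hosts {usable_hosts}".format(**row))
    print("overlapping VLAN pairs:", check_no_overlap(VLAN_PLAN))
    # Constructed sample addresses: one inside the servers /28, one that is
    # not inside any VLAN of the plan.
    for sample in ("192.168.2.7", "10.1.63.255"):
        print(sample, "->", vlan_for_address(VLAN_PLAN, sample))
```

The overlap check is deliberately separate from the per-VLAN description so it can be re-run whenever a subnet is added for the Cork office or a satellite site; the strict network parsing also refuses a plan row whose network address is not aligned to its mask, which is the most common transcription error in a table like the one above.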

4. FIREWALL, VPN, AV AND WEB FILTER - FORTINET

We are recommending the use of an all-in-one hardware solution from Fortinet for addressing these needs.

The travel industry faces many cyber threats due to the nature of the online booking business. With the EU data protection rules that came into force this year, client information must be protected as a priority, as one breach could bankrupt a business. Part of any business’s day-to-day operation involves data retention, the data center, financial information, credit card information, names, addresses and passport information, flight details, identity theft, and ensuring Payment Card Industry (PCI) compliance for clients.

Traditionally an SME would run multiple systems: a complicated mix-and-match of units, support services from many vendors, alerts, and a different way of managing each device, leading to an unmanageable infrastructure in which gaps can be difficult to find.

5. SOFTWARE

DESKTOP AND OFFICE

Citrix XenDesktop

We are recommending a thin-client architecture, as detailed above, which will run the Citrix XenDesktop software. The provided VDIs will run Windows 10 to ensure the latest support and security patches are available from Microsoft.

Office 365

For enabling the office to communicate effectively and produce quality documentation:

- Microsoft Office Suite.

HRMS

We are recommending the purchasing of a new HR Management System to satisfy the HR Software Requirements. For this, we are recommending the use of Sage Software’s “Sage HR”. This allows storing of employee data in one place and integrates with the Sage Payroll solution.

PAYROLL

We are recommending the purchasing of a new Payroll System to satisfy the HR and Accounts Payroll Software Requirements. For this, we are recommending the use of Sage Software’s “Micropay Professional”. This allows uploading of timesheets, shares common employee data with Sage HR and integrates with the firm’s accounting software. (Shop.sage.ie, 2016)

CRM

Again, for the CRM software, to maintain the standardized software offerings, consistent look and feel and sharing of common data we are recommending Sage’s “CRM Cloud Professional”. (Shop.sage.ie, 2016)

PAYMENTS

It will be critical for the fully networked and new online presence of Honeymoon Holidays that they can securely accept payments online and over the phone. To facilitate this, we are recommending the use of “Sage Pay Online Payments”. This will be available for the Sales staff on mobile, tablet and laptops and also to the administration staff and via the new company website (Sage.ie, 2016)

ACCOUNTS

There is a requirement to replace the outdated accounting system and in keeping with the entire Sage suite and the integration benefits that it brings, we are recommending the use of “Sage 50 Accounts Professional”. (Sage.ie, 2016). This also meets the requirement of integration with the company’s banking provider.

6. COMPANY WEBSITE

With the new infrastructure rollout and approach to business, it is strongly advised that a website be provided for internal use and external clients. The website should follow the name of the company: www.honeymoonholidays.com. The domain name should be registered online with any readily available company (letshost.ie, register365.ie, blackknight.ie) for a small cost of approx. 20 per month. The website should be hosted on the MS Azure Business platform (IaaS and PaaS). With the PaaS model, Azure can be used as a development, hosting and management service, allowing the company full autonomy to design a website that provides a full intranet and internet service. Azure offers various purchase options:

Pay-As-You-Go subscription (recommended option): no minimum purchase or commitments, and the ability to cancel at any time.


DETAILED NETWORK DESIGN

LOCAL AREA NETWORK

1. DUBLIN

NETWORK DESIGN AND LAYOUT

Accounts Team, First Floor, Dublin

8 Network for Accounts Department

There will be 7 VOIP phones which are set up on the “VOIP - VLAN 2”, and which will be connected to either Access Switch 1 or Access Switch 2 via powered Ethernet as per the above diagram. The VOIP phones will provide an Ethernet pass-through for the connected thin-client terminals. There is capacity for further growth on each switch.

Desktops: Users VLAN 1

Network Address: 10.1.0.0/22

Broadcast Address: 10.1.3.255

Subnet Mask: 255.255.252.0

Phones: VOIP VLAN 2

Network Address: 10.200.0.0/22

Broadcast Address: 10.200.3.255

Subnet Mask: 255.255.252.0


HR & Management, First Floor, Dublin

9 VLAN layout for HR & Management Dublin

There will be 5 VOIP phones which are set up on the “VOIP - VLAN 2”, and which will be connected to either Access Switch 3 or Access Switch 4 via powered Ethernet as per the above diagram. The VOIP phones will provide an Ethernet pass-through for the connected thin-client terminals. There is capacity for further growth on each switch.

Desktops: Users VLAN 1

Network Address: 10.1.0.0/22

Broadcast Address: 10.1.3.255

Subnet Mask: 255.255.252.0

Phones: VOIP VLAN 2

Network Address: 10.200.0.0/22

Broadcast Address: 10.200.3.255

Subnet Mask: 255.255.252.0


Sales, Ground Floor, Dublin

10 VLAN layout for Sales team Dublin

There will be 9 VOIP phones which are set up on the “VOIP - VLAN 2”, and which will be connected to either Access Switch 5 or Access Switch 6 via powered Ethernet as per the above diagram. The VOIP phones will provide an Ethernet pass-through for the connected thin-client terminals and for laptop LAN cables when required at the desk. There is capacity for further growth on each switch.

Sales tablets and mobile devices can access the Wireless network as needed (See Proposed Wireless Plan).

Desktops: Users VLAN 1

Network Address: 10.1.0.0/22

Broadcast Address: 10.1.3.255

Subnet Mask: 255.255.252.0

Phones: VOIP VLAN 2

Network Address: 10.200.0.0/22

Broadcast Address: 10.200.3.255

Subnet Mask: 255.255.252.0


Administration, Ground Floor Dublin

11 VLAN layout for Administration Dublin

There will be 7 VOIP phones which are set up on the “VOIP - VLAN 2”, and which will be connected to either Access Switch 7 or Access Switch 8 via powered Ethernet as per the above diagram. The VOIP phones will provide an Ethernet pass-through for the connected thin-client terminals. There is capacity for further growth on each switch.

Desktops: Users VLAN 1

Network Address: 10.1.0.0/22

Broadcast Address: 10.1.3.255

Subnet Mask: 255.255.252.0

Phones: VOIP VLAN 2

Network Address: 10.200.0.0/22

Broadcast Address: 10.200.3.255

Subnet Mask: 255.255.252.0


Devices and Meeting Room

12 Access Switch MVRP Client

13 Access Switch MVRP Client


Devices will be connected to the “Devices - VLAN 3”, along with the Polycom equipment present in the first-floor meeting area. These are connected to Access Switch 2 and Access Switch 8 respectively, where there is still further room for growth.

Devices VLAN 3

Network Address: 192.168.1.0/24

Broadcast Address: 192.168.1.255

Subnet Mask: 255.255.255.0

2. CORK PREMIUM TRAVEL

14 VLAN layout Cork Office, Switch 9

15 VLAN layout Cork Office, Switch 10


There will be 10 VOIP phones which are set up on the “VOIP - VLAN 2”, and which will be connected to either Access Switch 9 or Access Switch 10 via powered Ethernet as per the above diagram. The VOIP phones will provide an Ethernet pass-through for the laptops when being used at the desks. Laptops also have connectivity to the building’s WAP (see Proposed Wireless Plan). The recommendation for laptops here is purely on the basis that these staff may also be acting as “on-the-road” sales staff. It will be at the company’s discretion whether laptops or additional thin-client desktops would be the preference here.

There is capacity for further growth on each switch.

Desktops: Users VLAN 1

Network Address: 10.1.0.0/22

Broadcast Address: 10.1.3.255

Subnet Mask: 255.255.252.0

Phones: VOIP VLAN 2

Network Address: 10.200.0.0/22

Broadcast Address: 10.200.3.255

Subnet Mask: 255.255.252.0

16 Printer Scanner Copier, Cork office

A single MFD will be connected to the “Devices - VLAN 3”. These are connected to Access Switch 2 and Access Switch 8 respectively, where there is still further room for growth or the addition of another Polycom device.

Devices VLAN 3


Network Address: 192.168.1.0/24

Broadcast Address: 192.168.1.255

Subnet Mask: 255.255.255.0

3. SERVER ROOMS

Server rooms will consist of three servers, one router and a firewall per site, along with hosting the distribution switches (to be assessed on further inspection of the premises). This network is kept to a small range of IP addresses to act as a basic first line of security against potential breaches; it still leaves sufficient room for growth if required.

Servers VLAN 4:

Network Address: 192.168.2.0/28

Broadcast Address: 192.168.2.15

Subnet Mask: 255.255.255.240
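The VLAN addressing above (Users, VoIP, Devices, Servers) is easy to get subtly wrong, so here is an added example, not part of the report, that checks the stated networks, broadcast addresses and masks, confirms that no two VLAN subnets overlap, and checks that each subnet has room for the hosts the design implies. The subnets are the ones given in the design; the host requirements are constructed from the phone and server counts in the text and are assumptions.

```python
"""Added example (not from the report): validate the VLAN addressing plan."""
import ipaddress

# (name, network, stated broadcast, stated mask) as given in the design
VLAN_PLAN = {
    1: ("Users",   "10.1.0.0/22",    "10.1.3.255",    "255.255.252.0"),
    2: ("VoIP",    "10.200.0.0/22",  "10.200.3.255",  "255.255.252.0"),
    3: ("Devices", "192.168.1.0/24", "192.168.1.255", "255.255.255.0"),
    4: ("Servers", "192.168.2.0/28", "192.168.2.15",  "255.255.255.240"),
}

# Constructed requirements (assumption): 7+5+9+7 Dublin phones plus 10 in Cork
# = 38 phones and thin clients; per site 3 servers + 1 router + 1 firewall = 5,
# so 10 across both sites, with the distribution switches on top of that.
REQUIRED_HOSTS = {1: 38, 2: 38, 3: 4, 4: 10}


def check_vlan(cidr, stated_broadcast, stated_mask):
    """Return (broadcast_ok, mask_ok, usable_hosts) for one VLAN entry.

    strict=True makes ip_network() raise if host bits are set, which catches
    a typo such as 192.168.2.16/28 being written down as the network address.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return (str(net.broadcast_address) == stated_broadcast,
            str(net.netmask) == stated_mask,
            net.num_addresses - 2)          # minus network and broadcast addresses


def find_overlaps(plan):
    """Pairs of VLAN ids whose subnets overlap (routing between them would be ambiguous)."""
    nets = {vid: ipaddress.ip_network(entry[1]) for vid, entry in plan.items()}
    ids = sorted(nets)
    return [(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if nets[a].overlaps(nets[b])]


def fits(cidr, required_hosts):
    """True when the subnet has at least required_hosts usable addresses."""
    return ipaddress.ip_network(cidr).num_addresses - 2 >= required_hosts


def validate_plan(plan, required):
    """Per-VLAN report: are the stated broadcast and mask right, and is there room?"""
    report = {}
    for vid, (name, cidr, bcast, mask) in plan.items():
        b_ok, m_ok, hosts = check_vlan(cidr, bcast, mask)
        report[vid] = {"name": name, "broadcast_ok": b_ok, "mask_ok": m_ok,
                       "usable_hosts": hosts, "fits": hosts >= required.get(vid, 0)}
    return report


if __name__ == "__main__":
    for vid, row in validate_plan(VLAN_PLAN, REQUIRED_HOSTS).items():
        print(f"VLAN {vid} {row['name']:8s} broadcast_ok={row['broadcast_ok']} "
              f"mask_ok={row['mask_ok']} usable={row['usable_hosts']} fits={row['fits']}")
    print("overlaps:", find_overlaps(VLAN_PLAN))
```

One caveat worth keeping in mind when reading the "first line of security" remark above: a /28 limits how many hosts can sit on the server segment, but it does nothing to stop traffic reaching that segment. The firewall rules and access lists between VLANs are what actually restrict access to the servers.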


WIDE AREA NETWORK

1. INTER-OFFICE COMMUNICATIONS

For inter-office communication, each site/office requires an internet connection via its local ISP.

Each site's connection bandwidth to the Internet depends on the amount and frequency of data traffic between offices/sites.

Each site will require a router as the point of inbound/outbound traffic, and a firewall will be required to protect the LAN from malicious attacks; all inbound/outbound traffic will be filtered through it. To establish inter-office connectivity, a virtual private network (VPN) will be set up on each firewall to allow transparent data traffic between offices/sites.

Firewalls also provide tools to set up access lists through which specific traffic is allowed or denied in/out of each office.

In effect the above scheme establishes Honeymoon Travel’s Wide Area Network (WAN).

For the ISPs it is vital that the business internet service provides Multiprotocol Label Switching (MPLS). MPLS operates at what is often called layer 2.5 of the OSI model, with a header added to the layer 2 frame. It allows for tunneling across the ISP from one site to another, effectively extending the LAN. It is a one-to-many connection, which with two or more offices is not dependent on a single “central” office. The extension of the LAN over the ISP network is important on two fronts:

1. Simplicity: The devices on each site, in each VLAN, are effectively local, making the overall network easier to manage.

2. Quality of Service: QoS considerations are paramount when an organization is using real-time audio communication with VOIP phones. It is far more important that there are no dropped packets with this type of traffic, and MPLS allows for the extension of QoS over the ISP's network to give voice traffic priority over data traffic. More broadly speaking, this allows for differentiated services:

- Classify traffic
- Mark traffic
- Congestion Management (queuing)
- Congestion Avoidance
- Traffic Conditioning
- Traffic Policing
- Traffic Shaping

Internal QoS classifications can be mapped to the ISP's classifications and vice versa:

17 QoS Strategy

(YouTube, 2016)


OSI MODEL

18 OSI Layer model

(Blog.buildingautomationmonthly.com, 2016)

Relate to Honeymoon Holidays:


OSI 7 Layers

Layer | Description | Honeymoon Holidays
7 Application | Functions performed by users to complete various tasks over the network. | Applications leveraging HTTP: Citrix, Office 365, Sage etc.
6 Presentation | Special processing required by applications, such as translation and encryption | May be leveraged by Fortinet, or other uses of e.g. SSL
5 Session | Logical linking of software application processes | Any software leveraging APIs
4 Transport | Link between application layers and lower 'concrete' layers | TCP/IP, UDP
3 Network | Defines how interconnected networks function | VLANs, Dist Switches
2 Data Link | LAN Technologies | Ethernet, 802.11
1 Physical | Hardware specs, encoding, data transmission and reception | Physical equipment, topologies

19 OSI 7 layers

DATA TRANSFER

Application data will traverse the new network topology as described below through encapsulation and decapsulation.

Example of a user sending an e-mail via the Office 365 cloud service:

Layer            Host A (encapsulation)                 Host B (decapsulation)
7 Application    Data                                   Data
6 Presentation   Data                                   Data
5 Session        Data                                   Data
4 Transport      TCP | Data                             TCP | Data
3 Network        IP | TCP | Data                        IP | TCP | Data
2 Data Link      Ethernet | IP | TCP | Data             Ethernet | IP | TCP | Data
1 Physical       11010101110101101110000111000001111110101 (bits on the wire)

                 <------------------------ Network ------------------------>
                 Host A ---------------------------------------------> Host B

20 Data flow through the OSI model.


For our networks using IPSec for the VPN and MVPN, the following type of additional encapsulation would be present, with the VLAN (MVRP) information carried in the Ethernet header's 802.1Q tag.

The MPLS label allows for the extension of QoS over the ISP's network, and ensures that the key traffic identified by Honeymoon Holidays, such as voice, maintains a base quality, with data traffic, which can afford to be slower, being less of a priority (see the section on Quality of Service).

21 Data Encapsulation
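The encapsulation walk-through above, and the classify/mark steps in the QoS list of the WAN section, as one worked example. This is added code, not from the report: it wraps a payload in UDP, then IPv4, then an 802.1Q-tagged Ethernet II frame the way a phone on VoIP VLAN 2 would send media, marks it with the priorities usually used for voice (PCP 5 in the 802.1Q tag, DSCP EF in the IP header), then decapsulates the frame layer by layer and classifies it from the marking. The MAC addresses, the 10.200.0.x phone addresses, the ports and the payloads are constructed; the MPLS label is added by the ISP outside the LAN and is not modelled here.

```python
"""Added example (not from the report): build and unpack a VLAN-tagged VoIP frame."""
import ipaddress
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DSCP_EF = 46               # Expedited Forwarding, the common DSCP marking for voice
DSCP_BEST_EFFORT = 0
PCP_VOICE = 5              # 802.1p priority commonly used for voice
PCP_BEST_EFFORT = 0


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum; computed over a valid header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload, src_ip, dst_ip, src_port, dst_port,
                vlan_id, pcp, dscp, src_mac, dst_mac, ttl=64):
    """Wrap payload in UDP, then IPv4, then an 802.1Q-tagged Ethernet II frame."""
    # Layer 4: UDP header; checksum 0 means "not computed", which IPv4 permits
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # Layer 3: IPv4 header, DSCP in the top six bits of the TOS byte
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(udp),
                         0x1234, 0x4000, ttl, IPPROTO_UDP, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    # Layer 2: Ethernet II with 802.1Q tag (TCI = PCP:3 bits | DEI:1 bit | VID:12 bits)
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4))
    return eth + ip_hdr + udp


def decapsulate(frame: bytes) -> dict:
    """Peel the frame back to the payload, checking the tag and the IPv4 checksum."""
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q or ethertype != ETHERTYPE_IPV4:
        raise ValueError("expected an 802.1Q-tagged IPv4 frame")
    ip = frame[18:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", ip[2:4])[0]
    udp = ip[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    return {"vlan": tci & 0x0FFF, "pcp": tci >> 13, "dscp": ip[1] >> 2,
            "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
            "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
            "proto": ip[9], "src_port": src_port, "dst_port": dst_port,
            "payload": udp[8:udp_len]}


def classify(decoded: dict) -> str:
    """QoS classification step: voice is recognised by its DSCP marking."""
    return "voice" if decoded["dscp"] == DSCP_EF else "data"


def voice_frame(payload=b"RTP voice sample"):
    # Constructed: two phones inside the report's VoIP VLAN 2 subnet (10.200.0.0/22)
    return encapsulate(payload, "10.200.0.10", "10.200.0.20", 16384, 16384,
                       vlan_id=2, pcp=PCP_VOICE, dscp=DSCP_EF,
                       src_mac="00:11:22:33:44:55", dst_mac="66:77:88:99:aa:bb")


def data_frame(payload=b"bulk data"):
    # Constructed: a thin client in Users VLAN 1 talking to a server in VLAN 4
    return encapsulate(payload, "10.1.0.25", "192.168.2.5", 50000, 5001,
                       vlan_id=1, pcp=PCP_BEST_EFFORT, dscp=DSCP_BEST_EFFORT,
                       src_mac="00:11:22:33:44:66", dst_mac="66:77:88:99:aa:cc")


if __name__ == "__main__":
    for frame in (voice_frame(), data_frame()):
        d = decapsulate(frame)
        print(f"VLAN {d['vlan']} PCP {d['pcp']} DSCP {d['dscp']} "
              f"{d['src_ip']}:{d['src_port']} -> {d['dst_ip']}:{d['dst_port']} "
              f"class={classify(d)} payload={d['payload']!r}")
```

The PCP and DSCP values are what a switch or the MPLS edge router reads when it maps internal classes to the ISP's classes; a mismatch between the two markings on a voice frame is the kind of thing this decoder makes visible.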


SECURITY

1. PROVIDED MEASURES

In order to apply protection against these real threats to a business and minimize the potential for a breach, you will need to ensure you have the following:

Firewall
- The service is based on Fortinet’s award-winning range of Next Generation Firewall (NGFW) and Unified Threat Management (UTM) appliances, which provide a range of firewall, VPN, intrusion prevention (IPS), antimalware and web filtering capabilities.
- The firewall service provides organizations with a firewall optimized and configured for their environment. Fortinet is the provider of ICSA, EAL4+ & NSS* certified UTM solutions, powered by a custom-designed ASIC chip for real-time content processing and network protection.
- Firewalls are delivered with the full UTM subscription, which provides a range of firewall, VPN, IPS, antimalware and web filtering capabilities. Once the firewall is installed and configured, ongoing configuration, maintenance and support is delivered by our SOC staff, who monitor the environment on a 24x7 basis.

Anti-Virus
- Real-time protection against the installation of malicious software.

VPN
- SSL VPN establishes an encrypted link, ensuring that all data passed between the web server and the browser remains private and secure.

Web filtering
- Combines sophisticated filtering capabilities with a powerful policy engine and cloud-based model to create a high-performance and flexible web content filtering solution.

Anti-Spam
- Antispam detection capabilities provide greater protection than standard real-time blacklists.

Intrusion protection
- Monitor, log, identify and block malicious network activity.

Data loss prevention
- Sophisticated pattern matching to prevent unauthorized communication of sensitive or regulated data through the corporate perimeter.

Fortinet solutions allow easy management of all components under one roof, giving a comprehensive security infrastructure from the VM service to the endpoint and a complete solution that delivers more control, greater visibility and less complexity.

Fortinet offers a firewall device that can provide all of these protections in one box, and we would highly recommend the Fortinet solution. See the appendix for a description of all solutions. Enabling this configuration will allow for greater protection and compliance for Honeymoon Holidays, as the current system has many vulnerabilities. Within the control we can also implement an internet proxy client within the domain controller to manage what the internal teams have access to, which was a concern raised by the finance manager. This will provide him with better control and visibility over files and access for each team member and department.

2. FURTHER CONSIDERATIONS

With access to the VPN, both the CEO and the finance manager will be able to work remotely by logging in via VPN and have secure access to the shared drives without having to use a USB connection. This will also allow the sales team to log in remotely while out on the road instead of calling in each evening to get pricing, and allow for “REAL-TIME” updates on pricing.

Within the network we will also need to separate out the printers, scanners, wireless controller and APs onto different VLANs to ensure control, as the accounts team and HR department must have greater security since they hold account and admin-sensitive details.

As the retail shops will have their own devices and their own Wi-Fi access, we will issue VPN soft-tokens to them so they can securely update customer information and sales as appropriate.


PROPOSED WIRELESS PLAN

We propose a wireless network to enable BYOD, business tablets and the ability of users to hot-desk within the business. There are two basic types of wireless deployment, coverage and capacity. The goal is to provide a good quality of service (QoS) in as much area as possible with a single or multiple access points.

In a coverage deployment the number of access points (APs) is determined by signal strength, which in turn is determined by the type of site, floor layout, construction materials, number of floors, physical obstructions etc.

With a capacity deployment the objective is to provide a good quality of wireless service to enable the business to use its devices efficiently. Factors that determine QoS are the number of users covered by a single AP, the number of Wi-Fi devices per person, the percentage of users expected to be active, the type of applications being used, etc.

WIRELESS AP

FortiAP are thin access points, delivering secure, identity-driven Wi-Fi access for an enterprise network, managed centrally by the integrated WLAN controller of any FortiGate security appliance. With the integration of the wireless controller functionality into the market leading FortiGate appliance, Fortinet delivers a true Unified Access Layer. This enables you to easily manage wired and wireless security from a Single Pane of Glass management console and protects your network from the latest security threats.

INDOOR ENTERPRISE WLAN DEPLOYMENT

Office Wi-Fi provides a convenient way of hot-desking without the need for extra cabling in each office. It also provides Internet access to mobile and tablet devices as well as visiting clients.

Users can take laptops into meetings and connect via office Wi-Fi, eliminating the need for extra cabling connections in the boardroom or other meeting rooms.

APs are low-cost devices and require very little in terms of management and maintenance once set up.

To implement office Wi-Fi, HMT needs a Wi-Fi controller that is connected to the office LAN. Using the Wi-Fi controller application we can set up wireless access points (WAPs) at appropriate locations in the office.

For ease of administration and maintenance, all offices are given the same identifiable universal HMT-Wi-Fi name and SSID.


To protect the company LAN from visiting clients, a separate Wi-Fi VLAN can be set up that only allows Internet traffic; that way a visiting person connected to the company Wi-Fi cannot access the internal LAN, data and systems.
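The firewall access lists mentioned in the WAN section, the VLAN separation in Further Considerations, and the internet-only guest Wi-Fi VLAN just described all come down to an ordered rule set with an implicit deny at the end. The following is an added example, not the report's or Fortinet's code: a small first-match evaluator over the report's VLAN subnets, plus a check for rules that can never match because an earlier rule shadows them. The guest Wi-Fi subnet (172.16.50.0/24), the rule set itself, the HTTPS and raw-print ports, and the test addresses are constructed assumptions; the Users, VoIP, Devices and Servers subnets are the ones in the design.

```python
"""Added example (not from the report): first-match ACL evaluation between VLANs."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None # None = any destination port
    note: str = ""


# Subnets from the design
USERS, VOIP, DEVICES, SERVERS = "10.1.0.0/22", "10.200.0.0/22", "192.168.1.0/24", "192.168.2.0/28"
# Assumption: a dedicated guest Wi-Fi VLAN; the report names it but gives no subnet
GUEST_WIFI = "172.16.50.0/24"

# Constructed rule set illustrating the policies described in the text
ACL = [
    Rule("allow", VOIP, VOIP, "udp", note="phone-to-phone media inside the VoIP VLAN"),
    Rule("allow", USERS, SERVERS, "tcp", 443, "thin clients to the XenDesktop servers"),
    Rule("allow", USERS, DEVICES, "tcp", 9100, "printing to the MFDs (raw print port)"),
    Rule("deny", GUEST_WIFI, "10.0.0.0/8", note="guests may not reach private ranges"),
    Rule("deny", GUEST_WIFI, "172.16.0.0/12"),
    Rule("deny", GUEST_WIFI, "192.168.0.0/16"),
    Rule("allow", GUEST_WIFI, "any", note="guests: internet only"),
    Rule("deny", "any", SERVERS, note="everything else to the server VLAN is dropped"),
]


def _in_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def matches(rule: Rule, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    return (_in_net(rule.src, src) and _in_net(rule.dst, dst)
            and rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport))


def evaluate(acl, src, dst, proto="tcp", dport=None):
    """First-match evaluation; returns (action, rule index) or ('deny', None) for the implicit deny."""
    for idx, rule in enumerate(acl):
        if matches(rule, src, dst, proto, dport):
            return rule.action, idx
    return "deny", None


def _covers(a: Rule, b: Rule) -> bool:
    """True when every packet rule b would match is already matched by rule a."""
    def net_covers(x, y):
        if x == "any":
            return True
        if y == "any":
            return False
        return ipaddress.ip_network(y).subnet_of(ipaddress.ip_network(x))
    return (net_covers(a.src, b.src) and net_covers(a.dst, b.dst)
            and a.proto in ("any", b.proto)
            and (a.dport is None or a.dport == b.dport))


def shadowed_rules(acl):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]


if __name__ == "__main__":
    for pkt in [("172.16.50.7", "192.168.2.5", "tcp", 443),   # guest -> server
                ("172.16.50.7", "93.184.216.34", "tcp", 443), # guest -> internet
                ("10.1.0.25", "192.168.2.5", "tcp", 443),     # user -> server HTTPS
                ("10.1.0.25", "192.168.2.5", "tcp", 22)]:     # user -> server SSH
        print(pkt, "->", evaluate(ACL, *pkt))
    print("shadowed:", shadowed_rules(ACL))
```

Rule order is the whole point: if the guest "allow any" rule were placed above the three private-range denies, the denies would be shadowed and guests would reach the LAN, which is exactly what `shadowed_rules` is there to flag before the policy is pushed to the firewall.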

22 FortiAP Wireless AP

Highlights

- Supports the latest 802.11ac technology with an association rate of up to 1.3 Gbps.
- Leverages existing FortiGate or FortiWiFi platforms as controllers for low TCO.
- Integration with FortiManager and FortiAnalyzer for centralized management and reporting.
- Fast Roaming for uninterrupted data access.
- Automatic Radio Resource Provisioning (ARRP) for optimized throughput.
- Layer 7 application control prioritizes business traffic.
- Rogue AP detection and mitigation to satisfy PCI DSS compliance.

Key Features & Benefits

Advanced Security Protection: Wireless LAN security done right, from the leader in network security. Integrated Firewall, IPS, Application Control, and Web Filtering protect the wireless LAN from the latest security threats.

Integrated WIDS and Rogue AP Suppression: Protects the network from advanced wireless threats and satisfies PCI DSS compliance.

Deep Application Control: Fortinet goes above Wireless Multimedia Extensions (WME) by offering deep Layer 7 inspection to precisely control applications and bandwidth usage.

“Single Pane of Glass” Management Console: A unified management console simplifies operations, ensuring consistent and effective policy enforcement and compliance.


PLANNING WI-FI LAYOUT

Wi-Fi is a shared medium and operates in half-duplex mode. 802.11 Wi-Fi uses a band plan that breaks up the available spectrum into groups of non-overlapping channels. How many users should use a single AP depends on the number of users that can be serviced adequately by the AP. To prevent two access points transmitting on the same channel causing device bleed and poor performance (co-channel interference, CCI), effective channel reuse must be employed. CCI can be reduced by the use of non-overlapping channels. The 5 GHz band has more usable channels and throughput than 2.4 GHz for Wi-Fi devices: it has 23 non-overlapping channels vs. 3 in the 2.4 GHz band. However, 5 GHz has a shorter range than 2.4 GHz, and older devices may not support the newer 5 GHz channels.

23 Channel Reuse for 2.4GHz band

It is possible to increase the potential per-user throughput by decreasing the number of users contending for the aggregate throughput provided by a single AP. This can be done by decreasing the size of the coverage area, or by adding a second AP on a non-overlapping channel in the same coverage area. To reduce the coverage area, the AP power or antenna gain can be reduced, resulting in fewer clients in that coverage area. This means you need more APs for the same overall area, increasing the cost of deployment.
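Channel reuse as described above is a graph-colouring problem: APs whose coverage areas overlap must not share a channel, and with only three non-overlapping 2.4 GHz channels that is not always possible. The following is an added example, not from the report, that assigns channels greedily (busiest APs first, each taking the channel fewest of its already-assigned neighbours use) and then lists any co-channel conflicts left over, which is where more APs at lower power or a move to 5 GHz is needed. The two-floor Dublin AP layout and the overlap pairs are a constructed assumption; the report gives no AP positions.

```python
"""Added example (not from the report): channel reuse planning for overlapping APs."""

CHANNELS_24GHZ = [1, 6, 11]             # the three non-overlapping 2.4 GHz channels
CHANNELS_5GHZ_UNII1 = [36, 40, 44, 48]  # four non-overlapping 5 GHz channels (UNII-1)


def neighbours_from_edges(edges):
    """Symmetric adjacency map from (ap_a, ap_b) pairs whose coverage areas overlap."""
    nbrs = {}
    for a, b in edges:
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)
    return nbrs


def plan_channels(neighbours, channels):
    """Greedy assignment: most-overlapped APs first; each takes the channel its
    already-assigned neighbours use least (ties go to the earliest channel)."""
    order = sorted(neighbours, key=lambda ap: (-len(neighbours[ap]), ap))
    assignment = {}
    for ap in order:
        used = [assignment[n] for n in neighbours[ap] if n in assignment]
        assignment[ap] = min(channels, key=lambda ch: used.count(ch))
    return assignment


def cochannel_conflicts(neighbours, assignment):
    """Overlapping AP pairs that ended up on the same channel (CCI)."""
    conflicts = set()
    for ap, nbrs in neighbours.items():
        for n in nbrs:
            if assignment[ap] == assignment[n]:
                conflicts.add(tuple(sorted((ap, n))))
    return sorted(conflicts)


# Constructed layout (assumption): three APs per floor along the Dublin office,
# each overlapping its corridor neighbour and the AP directly above/below it.
DUBLIN_OVERLAPS = [
    ("Ground-1", "Ground-2"), ("Ground-2", "Ground-3"),
    ("First-1", "First-2"), ("First-2", "First-3"),
    ("Ground-1", "First-1"), ("Ground-2", "First-2"), ("Ground-3", "First-3"),
]

# Constructed worst case: four APs in one open area that all overlap each other
DENSE_OVERLAPS = [("A", "B"), ("A", "C"), ("A", "D"), ("B", "C"), ("B", "D"), ("C", "D")]


def plan_and_report(edges, channels):
    nbrs = neighbours_from_edges(edges)
    assignment = plan_channels(nbrs, channels)
    return assignment, cochannel_conflicts(nbrs, assignment)


if __name__ == "__main__":
    for label, edges, chans in [("Dublin 2.4 GHz", DUBLIN_OVERLAPS, CHANNELS_24GHZ),
                                ("Dense 2.4 GHz", DENSE_OVERLAPS, CHANNELS_24GHZ),
                                ("Dense 5 GHz", DENSE_OVERLAPS, CHANNELS_5GHZ_UNII1)]:
        assignment, conflicts = plan_and_report(edges, chans)
        print(label, assignment, "conflicts:", conflicts)
```

Four mutually overlapping APs cannot be coloured with three channels, so the dense layout reports a conflict on 2.4 GHz and none with four 5 GHz channels, which is the trade-off the paragraph above describes in words.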


24 Typical Wireless AP layout with Channels

To enable wireless roaming, a single AP is configured as the controller, which in turn manages multiple APs that share the same configuration. A feature known as “fast roaming” enables users to move between APs (floors and buildings) without losing signal connectivity and authentication.


25 Multiple Access Points (roaming enabled)


IMPLEMENTATION

ROLLOUT PHASES

Take a phased approach to implementation.

Deliver the core network components first:

- Routers
- Switches
- Firewalls
- Cabling

Follow with the core main access pieces:

- XenDesktop Servers
- AD/File system Servers
- Thin Client Machines
- VOIP Phones

Users can now access desktops and shared files, have internet access and are protected with reasonable security measures via the multi-purpose firewalls.

Cloud services should be brought in next along with ensuring connectivity to banking platform and airlines and the old ISDN lines and physical machines can start to be decommissioned.

Other core services should be brought in next such as Sage Payroll and Accounts, after which remaining old machines can be decommissioned.

Lastly new value add services should be brought in such as the Sage HRMS and CRM software, new Corporate Website and Pay Online.

As there is disaster recovery in place with servers at each of the two sites, extensive Operational Testing of the equipment including site failovers should be carried out as part of implementation.


RISK MANAGEMENT

The purpose of risk management for a business is to have a guideline for a plan B and to understand which potential threats could stop operations or create downtime.

In this assessment we need to look at the risks to Honeymoon Holidays sensitive IT systems and data, and protecting the resources that support the business mission.

Risk level matrix (rows: Effectiveness of Controls; columns: Probability of Threat Occurrence (Natural or Environmental Threats) or Threat Motivation and Capability (Human Threats)):

Effectiveness of Controls | Probability Low | Probability Moderate | Probability High
High                      | Low             | Low                  | Moderate
Moderate                  | Low             | Moderate             | High
Low                       | Moderate        | High                 | High

Risk Description (risk is assessed at 3 levels):

High - Loss of confidentiality, integrity or availability which could have a severe or catastrophic effect on the business operations, assets or individuals.

Moderate - Loss of confidentiality, integrity or availability which could have a serious effect on the business operations, assets or individuals.

Low - Loss of confidentiality, integrity or availability which could have a limited or little effect on the business operations, assets or individuals.

26 Risk Analysis 1

Honeymoon must look at risks to the IT system that may occur such as when vulnerabilities (i.e., flaws or weaknesses) in the IT system or its environment can be exploited by threats (i.e. natural, human, or environmental factors).


Below are potential risks:

Risk 1
Vulnerability: Wet-pipe sprinkler system in Honeymoon Holidays Data Center.
Threat: Fire
Risk of compromise of: Availability of Honeymoon Holidays and data.
Risk summary: Fire would activate the sprinkler system, causing water damage and compromising the availability of Honeymoon Holidays.

Risk 2
Vulnerability: Honeymoon Holidays user identifiers (IDs) no longer required are not removed from Honeymoon Holidays in a timely manner.
Threat: Unauthorized Use
Risk of compromise of: Confidentiality & integrity of Honeymoon Holidays data.
Risk summary: Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of Honeymoon Holidays data.

Risk 3
Vulnerability: Honeymoon Holidays access privileges are granted on an ad-hoc basis rather than using predefined roles.
Threat: Unauthorized Access
Risk of compromise of: Confidentiality & integrity of Honeymoon Holidays data.
Risk summary: Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of Honeymoon Holidays data.

Risk 4
Vulnerability: New patches to correct flaws in application security design have not been applied.
Threat: Malicious Use - cyber crime
Risk of compromise of: Confidentiality & integrity of Honeymoon Holidays data.
Risk summary: Exploitation of un-patched application security flaws could compromise confidentiality & integrity of Honeymoon Holidays data.

Risk 5
Vulnerability: User names & passwords are in scripts & files.
Threat: Malicious Use - cyber crime
Risk of compromise of: Confidentiality & integrity of Honeymoon Holidays data.
Risk summary: Exploitation of passwords in scripts & files could result in compromise of confidentiality & integrity of Honeymoon Holidays data.

Risk 6
Vulnerability: Passwords are not set to expire; regular password changes are not enforced.
Threat: Malicious Use - cyber crime
Risk of compromise of: Confidentiality & integrity of Honeymoon Holidays data.
Risk summary: Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of Honeymoon Holidays data.

Risk 7
Vulnerability: Sensitive Honeymoon Holidays data is stored on USB drives.
Threat: Malicious Use
Risk of compromise of: Confidentiality of Honeymoon Holidays data.
Risk summary: Loss or theft of USB drives could result in compromise of confidentiality of Honeymoon Holidays data.

27 Potential Risks for Honeymoon Holidays


Recommended controls required for Honeymoon Holidays:

Control Area | Planned or in-place
Risk Management | Planned
Contingency Planning | Planned
IT Systems Security | Planned
Data Protection | Planned
Facilities Security & Personnel Security | Planned
Threat Management & Security Controls | Planned

Description of Controls (the individual controls listed across the control areas above):

- IT System & Data Sensitivity Classification
- IT Security Roles & Responsibilities
- Business Impact Analysis
- IT System Inventory & Definition
- IT Security Audits
- Continuity of Operations Planning
- IT Disaster Recovery Planning
- IT System & Data Backup & Restoration
- IT System Hardening
- Malicious Code Protection
- IT Systems Development Life Cycle Security
- Account Management
- Password Management
- Remote Access
- Data Storage Media Protection
- Encryption
- Facilities Security
- Access Determination & Control
- IT Security Awareness & Training
- Acceptable Use
- Incident Handling
- Threat Detection, Security Monitoring & Logging
- IT Asset Control
- Software License Management
- Configuration Management & Change Control

28 Recommended Risk Control for Honeymoon Holidays


CONCLUSION

Honeymoon Holidays as it stands today is not an IT-efficient company. With no IT network between departments or offices, it wastes time managing the business instead of growing the business to meet the demands of an ever more IT-literate public. For the company to grow and survive in the long term, improvements to its IT infrastructure are a must.

The key areas of reform are the current IT network and communication between the various departments, while retaining full security of data. The net benefits are ease of access for remote sales and managerial staff; up-to-date reports on business profitability and expenditure; staff management, HR resourcing and accounting via central Sage reporting; and a modern interface to flight-booking and hotel-booking software.

Honeymoon Holidays, once it implements all of the above recommendations, will have a very strong, secure network infrastructure which will allow it to grow and expand within Ireland.


APPENDICES

APPENDIX 1 – VENDOR SELECTION

FORTINET

- Best Price/Performance & Consolidated Security
- Provides More Signatures for Visibility & Control with Web 2.0 applications
- Proven Security - Threat Research & Third Party Certifications

Best Price/Performance & Consolidated Security

Best Price/Performance network security platform in the market, which provides predictable performance with real-world traffic.

Fortinet ranks #1 in the NSS Labs Firewall 2013 and earned the NSS Labs Recommend for the Firewall, NGFW, and IPS 2013 Tests.

Fortinet continues its 5 year leadership in the Gartner Magic Quadrant for Unified Threat Management, 2013 and in 4 other Gartner Magic Quadrants.

Lowest Total Cost of Ownership and Price/Protected Mbps according to NSS Labs. Achieved the top score on the Breaking Point / IXIA Resiliency Test with 95.

More Web 2.0 Visibility & Control and Better Centralized Management

Easily control over 2,900 apps. Fortinet has a range of FortiManager & FortiAnalyzer products to meet the needs of customers. FortiManager can deploy thousands of new devices, distribute updates, or install security policies across managed assets. FortiAnalyzer provides central security event logging, reporting, forensic research, content archiving, data mining, and malicious file quarantining.

Proven Security - Threat Research & Third Party Certifications

No one comes close to the third party certifications Fortinet has achieved. NSS Labs, ICSA, VB100, and others are a testament to the protection


Vs Cisco

Competitive Matrix & Customer Deployment

With price/performance and proven security, Fortinet provides network security for all markets.

Fortinet provides a 10Gig appliance (FortiGate 800C) in the sub $10K price band, whereas the initial 10Gig Cisco ASA appliance is the ASA 5585-X SSP10 at $40K, with non-competitive performance.

Currently, Cisco’s release has a choice of running IPS or next generation firewall (CX), but can’t run both.

“Gartner does not view Cisco’s security strategy as messaging effectively in the broader NGFW market”, Gartner MQ Enterprise Firewall, 2013.

Fortinet Crushes Cisco ASA 5500-X/5585-X Series in Security Performance, Scalability, & Total Cost of Ownership.

- A single Fortinet FortiGate appliance offers more functionality than up to 7 pieces of hardware from Cisco.
- With a fraction of the cost, the FortiGate 3600C vs. Cisco ASA 5585-X SSP60 is an example of how Fortinet beats Cisco in price/performance, capacity and overall security.


Benefits

- Service based on Fortinet’s award-winning Next Generation Firewall (NGFW) / Unified Threat Management (UTM).
- Complete protection against malware, spyware, spam and intrusion attempts.
- Round-the-clock threat defense from our 24x7 monitoring from our Security Operations Centre.
- On-going firewall maintenance (firmware / patches / upgrades).
- On-going policy changes and configuration updates by our SOC staff as required.
- Customizable web filtering.
- Remote VPN access for users for anywhere / any device / any time access.
- Next Business Day hardware replacement.

Components

- Fortinet: UTM device
- Fortinet: UTM subscription
- 8x5 NBD Enhanced Support

Next Generation Firewall (NGFW) / Unified Threat Management (UTM) device with UTM subscription: FortiGate 60D / 90D / 100D

Features

- Next Generation Firewall Feature Set
- Network Based AV
- Antispam Service
- Web Filtering Service
- Intrusion Prevention


SSL VPN

VPN and TokensIt secures your users computer internet connection to guarantee that all of the data you're sending and receiving is encrypted and secured as well as a way to bolster your security and access resources on a network you're not physically connected to. The best VPNs offer a solid balance of features, server location, connectivity protocols, and price. Fortinet offers SSL protocols will provide a secure connection.

Two-Factor Authentication & PKI SolutionsFortiToken Strong Authentication Solutions allow you to easily enable Two-factor Authentication for access to protected Networks and Security devices. Two-factor authentication solutions improve security and reduce the risk of compromise inherent in single-factor authentication solutions such as static passwords.

User Identity ManagementFortiAuthenticator extends two-factor authentication capability to multiple FortiGate appliances and to third party solutions that support RADIUS or LDAP authentication. User identity information from FortiAuthenticator combined with authentication information from FortiToken ensures that only authorized individuals are granted access to your organization’s sensitive information. This additional layer of security greatly reduces the possibility of data leaks while helping companies meet audit requirements associated with government and business privacy regulations. FortiAuthenticator supports the widest range of tokens possible to suit your user requirements. With the physical time-based FortiToken 200, FortiToken Mobile (for iOS and Android), e-mail and SMS tokens, FortiAuthenticator has token options for all users and scenarios. Two-factor authentication can be used to control access to applications such as FortiGate management, SSL and IPsec VPN, Wireless Captive Portal login and third-party, RADIUS compliant networking equipment.

Enterprise Certificate Based VPNsSite-to-site VPNs often provide access direct to the heart of the enterprise network from many remote locations. Often these VPNs are secured simply by a preshared key, which, if compromised, could give access to the whole network. FortiOS support certificate-based VPNs; however, use of certificate secured VPNs has been limited, primarily due to the overhead and complexity introduced by certificate management. FortiAuthenticator removes this overhead involved by streamlining the bulk deployment of certificates for VPN use in a FortiGate environment by cooperating with FortiManager for the configuration and automating the secure certificate delivery via the SCEP protocol. For client-based certificate VPNs, certificates can be created and stored on the FortiToken 300 USB Certificate store. This secure, pin-protected certificate store is compatible with FortiClient and can be used to enhance the security of client VPN connections in conjunction with FortiAuthenticator.

Highlights

Low cost per user with no user-based licensing makes the FortiAuthenticator one of the most cost-effective solutions in the market


Standards-based secure authentication which works in conjunction with FortiTokens to deliver secure two-factor authentication to any third-party device capable of authentication via RADIUS or LDAP

Hardened Appliance which can be deployed in minutes to secure access to your network infrastructure

Integrates with existing solutions such as LDAP or AD servers to lower the cost and complexity of adding strong authentication to your network

Support for E-mail and SMS tokens enables rapid deployment of two-factor authentication without the need for additional dedicated hardware.

User Self Service Password reset lowers your costs by allowing your users to reset their own password without administrator intervention

Certificate Authority functionality simplifies your CA management and delivers user certificate signing, FortiGate VPN or server X.509 certificates for use in certificate-based two-factor authentication

Upgrade path from FortiGate/FortiToken allows you to maximize your existing investment and scale your two-factor deployment when needed


AIRWATCH FOR MOBILE SECURITY

Mobile Device Management (MDM) software secures, monitors, manages, supports, reports and alerts on smartphones deployed across your organization. The intent of MDM is to optimize the functionality, productivity and security of a mobile communications network, while minimizing cost and downtime.

The AirWatch service delivers a web-based, enterprise-grade mobile device and smartphone management solution that enables organizations to secure, monitor, manage and support all their mobile devices and their wireless infrastructure, while also successfully achieving compliance with all governmental regulations.

The product covers five phases of managing smartphones and mobile devices:

Deploy

Activate devices using SMS, email, URL and other flexible options. Enrol corporate and employee-liable devices individually or en masse. Instantly configure policies, settings, certificates and access to enterprise accounts over the air. Wirelessly provision internal and recommended apps through the enterprise app catalogue.

Secure

Ensure authorised and compliant devices have secured access to enterprise resources and accounts, while preventing unauthorised device use by locking down device features and enforcing restrictions. Protect personal and corporate data and the entire device through encryption and passcode policies. Automate business policies for non-compliant or jailbroken devices.

Monitor

Monitor both devices and network health status and statistics. Track user activity, such as app downloads, voice, SMS and data usage, against pre-defined thresholds and white or black lists.

Manage

Streamline and automate mobile asset and inventory management. Quickly and easily update and provision new policies, settings, certificates, apps, software and access to enterprise accounts over the air. Push down apps, software or remote lock/wipe commands on demand.

Support


Perform device diagnostic tests remotely to identify issues. Provide remote assistance to mobile users and communicate from the console via SMS messaging. Take remote control of a device for more efficient troubleshooting.

Industry Accolades

200+ awards, including: Security Product of the Year; Best Integrated Security Appliance; Best UTM; Best IPS Solution; Top Mid-market Solution; 5 ICSA security certifications; NSS Recommended (FW, NGFW, IPS, ATP); ISO 9001 certified.


APPENDIX 2 – HARDWARE SELECTION

FIREWALL HARDWARE - DUBLIN OFFICE – 100D X 2

Mid-Range Business Platform - FortiGate 100D - Rack-mount deployment. Ideal for mid-range offices. Recommended for 50 to 100+ users.

2x GE RJ45 WAN ports
1x GE RJ45 DMZ interface port
1x GE RJ45 Mgmt. interface port
2x GE RJ45 HA interface ports
14x GE RJ45 switch ports
2x shared media interface pairs

WIRELESS HARDWARE - DUBLIN OFFICE - FORTIAP 221C X 4

The FortiAP 221C is a dual-radio AP designed for medium-density indoor environments, including hotspot and guest or social Wi-Fi deployments. The RP-SMA antenna connectors on the FortiAP 223C allow directional or panel antennas to be installed, providing a range of antenna options in environments with challenging coverage requirements. The FortiAP 221C is a dual-radio, dual-band 802.11ac AP, supporting simultaneous client connections and rogue AP scanning for PCI compliance.

WIRELESS HARDWARE – CORK OFFICE – 90D X 2

Small Business Platform - FortiGate 90D - Desktop deployment. Ideal for small offices. Recommended for 20 to 50 users.

2x GE RJ45 WAN ports
14x GE RJ45 switch ports
Standalone pricing: €2670, fully managed service

WIRELESS HARDWARE - CORK OFFICE - FORTIAP 24D X 2

The FortiAP 24D is a cost-effective single-radio 802.11n AP, designed for non-mission-critical applications in low-density indoor environments like small branch offices. The integrated switch ports allow you to connect additional wired devices, such as PCs or printers, directly to the AP.

ACCESS SWITCHES – DUBLIN AND CORK OFFICES – JUNIPER EX2200 (24 PORT)

We are recommending the Juniper EX2200 24-port model switches to be used as the required Access Switches in all offices. These switches support the key features required by the business and as called out in the System Architecture.


EX2200 switches provide:

Up to four uplink ports
12 (compact, fanless model), 24, or 48 built-in network ports with 10/100/1000BASE-T Gigabit Ethernet connectors
Virtual Chassis capability: you can connect up to four EX2200 switches (including EX2200-C switches) together to form one unit that you manage as a single chassis, called a Virtual Chassis, starting in Junos OS Release 12.2
Power over Ethernet (PoE or PoE+) on all network ports (in PoE-capable models)

DISTRIBUTION SWITCHES – DUBLIN AND CORK OFFICES – JUNIPER EX4200 (24 PORT)

We are recommending the Juniper EX4200 24-port model switches to be used as the required Distribution Switches in all offices. These switches support the key features required by the business and as called out in the System Architecture.

EX4200 switches include:

Dual redundant power supplies that are field-replaceable and hot-swappable. An optional additional connection to an external power source is also available.
A field-replaceable fan tray with three fans. The switch remains operational if a single fan fails.
Redundant Routing Engines in a Virtual Chassis configuration. This redundancy enables graceful Routing Engine switchover (GRES) and nonstop active routing (NSR).
Junos OS with its modular design, which enables failed system processes to gracefully restart.

EX4200 switches have these features:

Run under Junos OS for EX Series switches
Have options of 24-port and 48-port models
Have options of full (all ports) PoE/PoE+ capability or partial (8 ports) PoE capability
Have optional uplink modules that provide connection to distribution switches

Software – Dublin and Cork – Two-Factor Authentication - FortiToken software x 100 (FTM-LIC-100)

Software one-time password tokens for iOS, Android and Windows Phone mobile devices. Perpetual licenses for 100 users. Electronic license certificate.


APPENDIX 3 – SOFTWARE SELECTION

MICROSOFT

Windows Server 2012

Office 365, Exchange 2016

Skype for Business

SAGE

Sage HR

Having a single established and widely used vendor provides consistency across HR and Payroll applications and reduces risk. (Sage.ie, 2016)

Sage HR Pros:

MS Office integration
Sage Micropay Professional integration
Manage employee information, documents and entitlements
Manage training, performance appraisals and targets

Sage Payroll

Sage Payroll Pros:

Links to Sage Accounts and Sage HR
Manage holiday entitlements, payments and deductions
Fully manage payroll and taxes
Backup and restore key data easily
Link to online ROS submissions

Sage CRM Cloud Professional

Sage CRM Cloud Professional Pros:

Manage products and equipment
Oversee key business projects
Track competitors
Track brand and company mentions
Available on mobile (iOS and Android)
Analyze sales campaigns

Sage Pay Online


Sage Pay Online Payments Pros:

Wide range of payment options
Mail and telephone payment support
Accepts invoice payments directly through Sage Accounts
Secure: real-time AVS/CV2 checks and 3D Secure authentication
Free support 24/7
Advanced fraud screening tools as standard

Sage 50 Accounts

Sage 50 Accounts Professional Pros:

Manage company finances
Manage company products and services
Overview of customer activity
Manage suppliers
Manage stock
Integrates with Sage Drive for cloud backups
Provides requisite bank feeds


APPENDIX 4 – BUSINESS REQUIREMENTS

Business Requirements

Req. # / Name / Description

REQ001 Expand use of technology

Make common applications and platforms available to all staff on any device.

REQ002 Improve delivery of services Aid internal and external communication

REQ003 Strategic Alliance - Global Company

Open up the possibility of a strategic alliance with a global travel company. Make this achievable with a planned, secure network that can be opened globally. PolyCon - meeting facilities.

REQ004 Network Connect the Retail Shops

Several retail shops around the city centre and main shopping centres.

REQ005 MD Laptop Connectivity

Maintain the MD's laptop as it has a modern spec.

REQ006 MD Data Transfer

Remove the need for using CDs and memory sticks to transfer data.

REQ007 Finance Manager Connectivity

Refresh the Finance Manager's dated desktop with a thin client terminal, connected to the Citrix XenDesktop server

REQ008 Finance Manager Security Concerns

Utilise the Fortinet firewall, VPN, AV and Websense solution to allay security concerns. Utilise AirWatch for mobile security.

REQ009 Finance Manager Cost Concerns

Provide the required security using cost-effective means: a thin client architecture, and a single Fortinet device in each of the Dublin and Cork offices.

REQ010 Accounts Desktops

Replace "dumb" terminals with thin client terminals, connected to the LAN and Citrix XenDesktop server.

REQ011 Accounts Software - Payroll

Replace local hosting of the payroll platform with a cloud-based SaaS provider for cost, supportability and resiliency. Take information from HR about payroll to avoid rekeying information; ensure that HR also have access to the cloud payroll solution and that employees have one system on which to log time.

REQ012 Accounts Bank Access

Replace the local PC ISDN access with connectivity over the internet. Provision bank connectivity over SFTP for payroll files.

REQ013 Accounts Software - Client Accounts

Recommend use of another SaaS CRM package to allow access both from the company and for customers to their accounts. Ensure the Sales team also has access to enter details directly into the CRM system. Replace integration with the major airline systems with use of airline APIs where possible.


REQ014 Sales desktops

Replace stand-alone PCs with thin client terminals, connected to the LAN and Citrix XenDesktop server.

REQ015 Sales laptops Replace laptops with up to date Win X machines.

REQ016 Sales tablets

Maintain the tablets; they can be used for testing client access to the company website and client portal using Android and OS/X. Provide network connectivity wirelessly.

REQ017 Sales Manager PC

Replace stand-alone PC with thin client terminal, connected to the LAN and Citrix XenDesktop server.

REQ018 Sales Hot Desks

Provide the hot desks with thin client terminals in place of stand-alone PCs, connected to the LAN and Citrix XenDesktop server.

REQ019 Sales/Marketing Software

Provide the latest Publisher via Office 365. Provide a central source on the network for pricing that Sales staff can access directly, to avoid calling in at 5:30pm daily.

REQ020 Company Website

Arrange for a third party to provision a website and arrange hosting. Ensure this is a Content Management System (CMS) so that the company can update the requisite details themselves. It should also provide links to the company's web-based CRM solution for a seamless user experience for clients with accounts. Ensure it is set up for consistency across end-user devices and little to no code maintenance.

REQ021 Administration desktops

Replace stand-alone PCs with thin client terminals, connected to the LAN and Citrix XenDesktop server. Scrap Microsoft Windows for Workgroups, as the software is deprecated and has a maintenance overhead without adding value.

REQ022 Administration ISDN

Remove the 4-line ISDN present for Administration; all clients will have the requisite internet access provided via the ISP and controlled through the Active Directory setup and the Fortinet firewall and web filter.

REQ023 Administration E-mail

Replace the current single Hotmail email account with individual accounts on MS Outlook (Office 365), hosted on the company's new web domain. Set up mailing groups or shared mailboxes for each department to avoid exchanging inter-department correspondence by hand or by forwarding emails.

REQ024 HR desktops

Provide thin client terminals for each HR staff member, connected to the LAN and Citrix XenDesktop server.

REQ025 HR Software

Provide a SaaS software solution for Payroll, Time Recording and HRMS.

REQ026 Network: LAN

Provide LAN access to all permanent on-site employees via new thin clients. Provide LAN access for Sales hot desks also via new thin clients.

REQ027 Network: WAN

Provide WAN access between the Dublin and Cork offices, preferably extending the LAN and maintaining QoS.


REQ028 Network: WAP

Provide the requisite Wireless Access Points to allow all laptop and mobile devices to access the network effectively.

REQ029 Network: VPN Ensure presence of a VPN for remote login, and between offices.

REQ030 Network: Business Internet

Ensure adequate business (symmetric) internet is available to service the company's needs and the new cloud-based SaaS model for key software, along with VoIP and the requisite QoS.

REQ031 Telecoms: VOIP

Arrange setup of a cloud-based VoIP solution, with the requisite QoS internally and externally. As a fallback, maintain two physical telephone lines in Dublin and one in Cork and in each satellite office, to ensure calls can still be made and received.

REQ032 Server: Active Directory

Provide a new Active Directory Server for managing user access that will also manage the LAN shared file systems.

REQ033 Server: Shared File system

LAN shared file systems will be managed via the same server as hosting Active Directory.

REQ034 Server: Virtual Desktops

Provide a server to set up virtual desktops in a thin client architecture. This achieves economies of scale as the company grows, enables end-users to access the same desktop regardless of where they are connecting from, and lowers the maintenance and replacement costs of physical hardware.

REQ035 Storage: Shared redundant storage

Ensure the requisite redundant shared storage is in place and backups are taken regularly to avoid any loss of key data.

REQ036 Server: Backup server Ensure requisite backup servers are in place for Disaster Recovery.


APPENDIX 5 - STAR NETWORK EXPLANATION

In its simplest form, a star network consists of one central switch, hub or computer, which acts as a conduit to transmit messages. It consists of a central node to which all other nodes are connected; the central node is the common connection point between the other nodes via a hub or switch. The star topology reduces the damage caused by line failure by connecting all of the systems to a central node. When applied to a bus-based network, this central hub rebroadcasts all transmissions received from any peripheral node to all peripheral nodes on the network, sometimes including the originating node. All peripheral nodes may thus communicate with all others by transmitting to, and receiving from, the central node only. The failure of a transmission line linking any peripheral node to the central node will result in the isolation of that peripheral node from all others, but the rest of the systems will be unaffected.

Star networks are very reliable because if one computer or its connection breaks it doesn’t affect the other computers and their connections.

It is an expensive network layout to install because of the amount of cabling needed. If the server crashes or stops working then no computers will be able to access the network, and if the central hub or switch fails, the whole network goes down with it.

Star Network, simple form
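As an added illustration of the fault-isolation claims above (not part of the original assignment), the following Python model builds a star topology, then checks which nodes become isolated when a single peripheral link fails versus when the central switch itself fails. Node names are constructed for the example.

```python
from collections import deque


def build_star(hub, peripherals):
    """Adjacency map for a star: every peripheral links only to the hub."""
    adj = {hub: set(peripherals)}
    for p in peripherals:
        adj[p] = {hub}
    return adj


def reachable(adj, src, failed_nodes=frozenset(), failed_links=frozenset()):
    """Nodes reachable from src by breadth-first search.

    failed_nodes are skipped entirely (a dead switch or host);
    failed_links hold frozenset({a, b}) pairs (a cut cable), so direction
    does not matter.
    """
    if src in failed_nodes:
        return set()
    seen = {src}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt in failed_nodes or frozenset((node, nxt)) in failed_links:
                continue
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def isolated_nodes(adj, failed_nodes=frozenset(), failed_links=frozenset()):
    """Working nodes that can no longer reach any other working node."""
    working = [n for n in adj if n not in failed_nodes]
    return {
        n for n in working
        if reachable(adj, n, failed_nodes, failed_links) == {n}
    }


if __name__ == "__main__":
    # Constructed example: one access switch with four thin clients.
    star = build_star("switch", ["pc1", "pc2", "pc3", "pc4"])
    print("healthy:      ", isolated_nodes(star))
    # One cable cut: only the node on that cable drops off.
    print("pc2 link cut: ", isolated_nodes(star, failed_links={frozenset(("switch", "pc2"))}))
    # Central switch dead: every peripheral is stranded.
    print("switch dead:  ", isolated_nodes(star, failed_nodes={"switch"}))
```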


APPENDIX 6 – HARDWARE REQUIREMENTS

The following table is a preliminary list of the upgrades to Honeymoon Holidays' IT infrastructure. It is by no means complete and should not be taken as a final statement of the project requirements.

Proposed IT Hardware for Honeymoon Holidays (Accounts, Administration, Sales, HR and Cork Office)

Role: laptop/desktop required (qty); mobile required (qty); printer/Canon required (qty)

Managing Director: Dell Inspiron 5000 series (1); Samsung S6 (1); MAXIFY MB2050 (1)
Finance Manager: Dell Inspiron 5000 series (1); Samsung S6 (1); MAXIFY MB2050 (1)
HR Manager: Dell Inspiron 5000 series (1); Samsung S6 (1)
Clerks: Wyse 3020 with ThinOS + monitor and keyboard, VoIP enabled (2)
Sales Manager/Coordinator: Dell Inspiron 5000 series (1); Samsung S6 (1)
Marketing Coordinator: Dell Inspiron 5000 series (1); Samsung S6 (1)
Sales team: Wyse 3020 with ThinOS + monitor and keyboard, VoIP enabled (25); Samsung S6 (25)
Manager: Dell Inspiron 5000 series (1)
Admin Staff: Wyse 3020 with ThinOS + monitor and keyboard, VoIP enabled (5)
Staff: Wyse 3020 with ThinOS + monitor and keyboard, VoIP enabled (5)
Trainees: Wyse 3020 with ThinOS + monitor and keyboard, VoIP enabled (6)
Manager: Dell Inspiron 5000 series (1); Samsung S6 (1)
Staff: Wyse 3020 with ThinOS + monitor and keyboard, VoIP enabled (10)

Departmental printers (quantities as listed in the table):
C3330i, up to 30,000 pages per month (1)
C3330i, up to 30,000 pages per month (1)
MAXIFY MB2050
MAXIFY MB2050 shared between the departments (2, 1, 2)

Future room for expansion is enabled via Fortinet switches.


Required: Servers 6; Switches 12; Routers 4; Modems 5; Wiring N/A

Internet Connectivity Solution (Eircom, Vodafone, UPC, Imagine, etc.)

WAP: FortiAP 221C - Dublin (4)
WAP: FortiAP 24D - Cork (2)
?: FortiClient 100 licence
FortiAuthenticator - Dublin - all (1)
Firewall: FortiGate-100D Firewall - Dublin (2)
Switch: Juniper EX2200-24-T (12)
Switch: Juniper EX4200-24PX-TAA (3)
Router: Juniper MX5-T-AC (2)
Desktop: HP Thin Client G9F08AA (22)
Payroll (1)
CRM (1)
Payments: Sage Pay Online, per payment (1)
Accounting (1)
POE

Categories: Hardware; Backend Hardware; Networking Solutions

Details:
Sage 50 Accounts Professional
Cat6 cabling (price per 10 metres)
Sage MicroPay Professional (Unlimited Users)
Sage CRM Cloud Professional (50 Users)
Symmetric (Business) DSL
Firewall configuration (Watchguard, Sonicwall etc.)
Installation of new data switch (8-port to 12-port)
Apple-to-Windows networking (2 systems)
Eircom MPLS WAN with VPN and SIP support
Wireless Connectivity Solutions (e.g. re-configuration of wireless router)
Wireless Network Extension (excluding hardware)
Setup and configuration of network shares per PC or server
Setup and configuration of network shares per Mac (Apple)


BIBLIOGRAPHY

REFERENCES

Anon. (2016). [online] Available at: http://www.hp.com/rnd/pdf_html/wirelessLANsite_assessment.html [Accessed 10 Apr. 2016].

Azure.microsoft.com. (2016). Microsoft Azure: Cloud Computing Platform and Services. [online] Available at: https://azure.microsoft.com/en-gb/? [Accessed 10 Apr. 2016].

Blog.buildingautomationmonthly.com. (2016). [online] Available at: http://blog.buildingautomationmonthly.com/wp-content/uploads/2013/05/OSI-Model.png [Accessed 9 Apr. 2016].

Citrix.com. (2016). Licensing Basics. [online] Available at: https://www.citrix.com/buy/licensing.html [Accessed 10 Apr. 2016].

Citrix.com. (2016). XenDesktop VDI Virtual Desktop Infrastructure. [online] Available at: https://www.citrix.com/products/xendesktop/overview.html [Accessed 10 Apr. 2016].

Fortinet.com. (2016). FortiGuard-Security-Services.pdf. [online] Available at: http://www.fortinet.com/sites/default/files/productdatasheets/FortiGuard-Security-Services.pdf [Accessed 6 Apr. 2016].

Sage.ie. (2016). Sage 50 Accounts Professional Detailed Information. [online] Available at: http://www.sage.ie/software-and-services/accounting-and-finance/sage-50-accounts-professional/detailed-information [Accessed 4 Apr. 2016].

Sage.ie. (2016). Sage HR: Software to simplify running human resources. [online] Available at: http://www.sage.ie/software-and-services/hr/sage-hr [Accessed 4 Apr. 2016].

Sage.ie. (2016). Sage Pay: Accept online payments securely and easily. [online] Available at: http://www.sage.ie/software-and-services/payments/sage-pay-online-payments [Accessed 4 Apr. 2016].


Shop.sage.ie. (2016). Sage CRM Cloud Professional | CRM Software | Sage Ireland Store. [online] Available at: https://shop.sage.ie/sage-crm-cloud-professional.aspx [Accessed 4 Apr. 2016].

Shop.sage.ie. (2016). Sage Micropay Professional | Payroll Software | Sage Ireland Store. [online] Available at: https://shop.sage.ie/micropay-professional.aspx [Accessed 4 Apr. 2016].

Vodafone.ie. (2016). One Net Express for Your Business | Vodafone Ireland. [online] Available at: http://www.vodafone.ie/small-business/phones-plans/one-net-express/?gclid=Cj0KEQjwoYi4BRDF_PHHu6rI7NMBEiQAKZ-JuFeGopAV3LE08XraJLhHPtx_frmo4mO7NmOzPEz17IEaAqUa8P8HAQ&gclsrc=aw.ds [Accessed 5 Apr. 2016].

YouTube. (2016). Cisco QoS: Design and Best Practices for Enterprise Networks. [online] Available at: https://www.youtube.com/watch?v=xePZcobaJUY [Accessed 9 Apr. 2016].

YouTube. (2016). Deploying MVRP Learning Byte. [online] Available at: https://www.youtube.com/watch?v=C-JkzYbGPBk [Accessed 4 Apr. 2016].
