
DATA COMMUNICATION & NETWORKING 11 - PROJECT: PROJECT DESIGN DOCUMENT

REQUESTED BY: SEAN THORPE

DATE: JUNE 20, 2010

CONTACT: MARLON MARAGH - Project Manager

Email: mar_maragh@yahoo.com, sheldonmitchell@yahoo.com, andrewta23@yahoo.com

Group Members

Dionne Newman - BS08-1770-IT3
Andrew Taylor - BS09-7800-IT3
Andre Palmer - BS08-6411-IT3
Marlon Maragh - BS09-8008-IT3
Sheldon Mitchell - BS09-8114-IT3
Mark Daniels - BS09-8378-IT3

PROJECT DESIGN DOCUMENT

Problem Statement: GraceKennedy Jamaica Ltd is one of the fastest growing food distribution and manufacturing companies in Jamaica, with many branches and outlets island wide. As a result, communication among staff and with the client base is becoming challenging and time consuming, and the sharing of information between the organization and its clients is also being negatively impacted.

Demand for access to information is constant, and the process needs to be seamless and automated. Setting up and deploying a secure wireless solution that gives internal and external clients and stakeholders that access is the number one priority.

As a group we have decided that designing and implementing a wireless system would be a major benefit both to GraceKennedy and its clients; as with every successful business, the sharing of timely and accurate information is of paramount importance.

Purpose of Project Study

One of the main aims of this project is to identify the steps involved in setting up a secure wireless session and in sharing that service with guest users when required.

At GraceKennedy, customer satisfaction is of paramount importance, as is easy access to information by employees.

Another purpose of the project study is to identify a suitable means by which communication with both employees and clients can be not only timely but also accurate. Accurate and timely information leads to job satisfaction among employees and also improves the company's Customer Relationship Management (CRM).

 

Significance of the Study

Over the past five years, the world has become increasingly mobile. As a result, traditional ways of networking have proven inadequate to meet the challenges posed by our new collective lifestyle. If users must be connected to a network by physical cables, their movement is dramatically reduced. Wireless connectivity poses no such restriction and allows a great deal more free movement on the part of the network user.

Another significance of the study is flexibility, which can translate into rapid deployment. Wireless networks use a number of base stations (access points) to connect users to an existing network, which makes adding nodes straightforward: adding a user to a wireless network is a matter of configuring the infrastructure, not running cable.

Companies like GraceKennedy with many outlets will benefit, as wireless links extend network access past the reach of DSL into communities where high-speed internet was previously out of reach. These outlets can then communicate with each other in and out of places that were too rugged for a traditional cabled approach.

Literature Review Document

Literature review document (rev 1.1.0)

International case review of the problem:

Enterprise: JFK Airport

Purpose: Check-in, flight information, kiosks

Devices:

Access points
Routers
Kiosk (virtual machine)
Web content filtering

Security protocols:

Advanced Encryption Standard (AES)
IEEE 802.1X
Cisco Aironet
Cisco Compatible Extensions (CCX) wireless
Wi-Fi Protected Access (WPA)

Literature Review Document

Local case study review of the problem:

Enterprise: HiLo Food Store

Purpose: Goods receivables and billing

Primary devices (internal):

Handheld wireless devices (Motorola Symbol)
Access points (Cisco Aironet 1200), with access lists and WPA Enterprise
Port-based network access control: IEEE 802.1X
Cisco 2950 switch
RADIUS authentication server (security)
Active Directory authentication (AD DS)
Protocol: TCP/IP

 

Project name: Wireless Implementation and Design

Implementation and recommendation summary (rev 1.1.0), last revised 04/07/2010.

Purpose / Equipment / Configuration:

Active domain controller: Windows Server 2008 (hardware to be specified). Windows Server 2008 with IAS (on Windows Server 2008 this role is named Network Policy Server, NPS) as the RADIUS authentication server.

Security/connectivity (edge perimeter): Cisco ASA firewall (written "ASA5000" in the original; the product family is the ASA 5500 series), securing the external network. Cisco 2950 for gateway routing (note: the Catalyst 2950 is a Layer 2 switch, so the default gateway and inter-VLAN routing must come from the ASA or a Layer 3 device).

Connectivity (internal): Cisco 2950 switch, VLAN configuration. Cisco Aironet 1200 access points, access lists.

Internal control (LAN): access point security WPA2 Enterprise (AES-CCMP; TKIP only where legacy WPA-only clients must be supported). RADIUS authentication server, with each access point registered as a RADIUS client.

 

 

GRACEKENNEDY LIMITED WIRELESS IMPLEMENTATION

CONTENTS

Project Objective
Project Design Documentation
Purpose of Project Study

Project objective

Steps in setting up a secure wireless session, and how to share such wireless services with guest users when needed.

PROJECT DESIGN DOCUMENT

GraceKennedy Jamaica Ltd is one of the fastest growing food distribution and manufacturing companies in Jamaica.

Setting up and deploying a secure wireless solution that gives internal and external clients and stakeholders access is the number one priority.

Purpose of Project Study:

One of the main aims of this project is to identify the steps involved in setting up a secure wireless session and in sharing that service with guest users when required.


Design methodology: setting up the networking and security infrastructure, and connecting the different devices on the wireless network.

Step | Topic

1. Install Microsoft Windows Server 2008. | Installation settings for a wireless network using Windows Server 2008
2. Create a domain controller. | Domain settings for a wireless network
3. Configure the Dynamic Host Configuration Protocol (DHCP) server; create and authorize a scope. | DHCP server settings for a wireless network (design implemented on AD)
4. Use DHCP to reserve static IP addresses for the wireless access points. | Static IP address settings for the wireless access points
5. Configure Microsoft Active Directory for users and groups. | Configuring Active Directory for a wireless network
6. Familiarize yourself with the certificate infrastructure. | Certificate infrastructure for a wireless network
7. Install certificate services. | Installing Certificate Services and IAS (NPS) on Windows Server 2008
8. Configure certificate server templates. | Configuring certificate server templates with Windows Server 2008
9. Create the IAS clients ("Add RADIUS clients"). | IAS client settings for Windows Server 2008
10. Create remote access policies. | Configuring remote access policies with Windows Server 2008
11. Configure both wireless access points. | Configuring the WPA-enabled wireless access point; configuring the 802.1X wireless access point

Project scope and guide: Wireless Design and Implementation - Site (GraceKennedy)

Last updated:

Task | Date | Responsibility | Status

Wireless design project implementation | 07-Jun-10 | |
1.0 Submission of project idea | | Group | Submitted
1.1 Problem statement | | Sheldon |
1.2 Purpose of the project study | | Marlon |
1.3 Significance of the study | | Andrew |
Literature review documentation | 22-Jun-10 | | Submitted
2.0 International case review of the problem | | | Completed
2.1 Local case study | | | Completed
2.2 Implementation of recommendations | | |
Implementation strategy document | 29-Jun-10 | Andrew |
3.0 Outline of design methodology | | | Completed
3.1 Illustration of network design diagram | | | Completed
Final presentation | 20-Jul-10 | |
4.0 Summary of project outcomes | | | Completed
4.1 Demonstration of simulated system prototype | | | Completed
4.2 Conclusions and recommendations | | |
Presentation | | |


RADIUS SERVER

Diagram and layout 2: New Distribution Centre detail network diagram with VLANs (figure; the Catalyst 3750, 2960G and 2970 front-panel artwork is not reproduced, and only the labels below survive from it).

Core: Catalyst 3750 stack, backbone VLAN 20, 10.19.0.1, carrying VLANs 20-26, 31-33 and 40. WAN uplinks: Lime Metro (VLAN 10, 10.40.40.2) and Flow (VLAN 5, 172.20.20.10).

Subnet descriptions:

Data Room/Backbone Network = 10.19.0.0/24, VLAN 20
Ground Floor Network (data) = 10.19.1.0/24, VLAN 21; (voice) = 10.21.1.0/24, VLAN 31
First Floor Network (data) = 10.19.2.0/24, VLAN 22; (voice) = 10.21.2.0/24, VLAN 32
Second Floor Network (data) = 10.19.3.0/24, VLAN 23; (voice) = 10.21.3.0/24, VLAN 33
General Warehouse Network (data) = 10.19.4.0/24, VLAN 24; (voice) = 10.21.4.0/24, VLAN 34
Wireless network = 10.19.5.0/24, VLAN 25
Security Network = 10.19.6.0/24, VLAN 26
Island Networks Data Network = x.x.x.x, VLAN 40

Access switches as labelled on the diagram: data switches at 10.19.0.2 through 10.19.0.11 (Second Floor: VLANs 23/33; First Floor: 22/32; Ground Floor: 21/31 per the subnet table, although one Ground Floor switch label shows VLAN 22; Security Gate, Data Closet, Warehouse Office and Distribution Offices: 24/34, with the wireless VLAN 25 trunked to the Data Closet, Warehouse Office and Distribution Office switches and the Island Network VLAN 40 at the Distribution Office); security switches at 10.19.6.10 through 10.19.6.15, all ports in VLAN 26.

IP MONITOR

CITRIX

SUMMARY

Most wireless networks are based on the IEEE 802.11 standards. A basic wireless network consists of multiple stations communicating over radios in either the 2.4 GHz or 5 GHz band (the exact channels vary by locale, and some regions also allow the 2.3 GHz and 4.9 GHz ranges).

802.11 networks are organized in two ways. In infrastructure mode one station acts as a master with all the other stations associating to it; the network is known as a BSS and the master station is termed an access point (AP). In a BSS all communication passes through the AP; even when one station wants to communicate with another wireless station, messages must go through the AP. In the second form of network there is no master and stations communicate directly; this form of network is termed an IBSS and is commonly known as an ad-hoc network.

If you decide to build a wireless network, you will need to take steps to protect it: you do not want competitors hitchhiking on your wireless signal. Wireless security options include:

Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA)
Media Access Control (MAC) address filtering


You can choose which method (or combination of methods) to use when you set up your wireless router or access point. WEP and WPA are standardized security mechanisms (WEP in IEEE 802.11, WPA published by the Wi-Fi Alliance ahead of IEEE 802.11i), while MAC address filtering is only a local allow-list that an attacker defeats by cloning a permitted address. WEP in particular has been shown to be broken very easily. If you must keep hardware that only speaks WEP, Temporal Key Integrity Protocol (TKIP), the cipher introduced with WPA, was designed as a wrapper around the same RC4 hardware: it is enabled by a firmware update on existing access points and clients rather than by replacing them. TKIP has itself since been deprecated in favour of AES-CCMP (WPA2), so it is a stop-gap, not a target state.

Think of it like wrapping a bandage around a cut finger: the bandage protects the finger without preventing it from carrying out its normal functions.
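Why WEP breaks so easily is worth seeing concretely. The following is an added example, not code from the original design document: a toy WEP-style encryptor (RC4 keyed with IV || key, CRC-32 ICV appended, as WEP does) and the attacker's side of an IV reuse. With only 24 bits of IV, a busy access point repeats IVs within hours; once two frames share an IV they share an RC4 keystream, so one frame with guessable contents (an ARP-like text stands in for it here) hands over the keystream that decrypts the other. The key, IV and both frame bodies are constructed for the demo.

```python
# Added example (not from the original document): why WEP is weak. A toy
# WEP-style encryptor (RC4 keyed with IV || key, CRC-32 ICV appended) shows that
# once a 24-bit IV repeats, one known plaintext frame yields the keystream for
# every other frame under that IV. Key, IV and frame contents are constructed.
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32, encrypted together with the payload."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV in the clear || RC4(IV || key) applied to plaintext || ICV."""
    assert len(iv) == 3, "WEP IVs are 24 bits, so they repeat quickly on a busy AP"
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: decrypt with the key and check the ICV."""
    data = rc4(frame[:3] + key, frame[3:])
    plaintext, tag = data[:-4], data[-4:]
    if tag != icv(plaintext):
        raise ValueError("ICV mismatch")
    return plaintext


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker: ciphertext XOR (known plaintext || its ICV) = keystream for this IV."""
    known = known_plaintext + icv(known_plaintext)
    return bytes(c ^ p for c, p in zip(frame[3:], known))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Attacker: XOR a second frame sent under the same IV with the recovered
    keystream; no key needed. Only the bytes the keystream covers come back."""
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


def demo() -> bytes:
    """Two frames under one IV: the guessable one leaks the keystream, which
    then decrypts the second without the key."""
    key = b"GK-wep-k0"                  # constructed; real WEP keys are 40 or 104 bits
    iv = b"\x01\x02\x03"                # the reused IV
    known = b"ARP who-has 10.19.5.1 tell 10.19.5.42"   # constructed, guessable frame
    secret = b"POST /login user=ops&pw=hunter2"        # constructed target frame
    keystream = recover_keystream(wep_encrypt(key, iv, known), known)
    return decrypt_with_keystream(wep_encrypt(key, iv, secret), keystream)[:len(secret)]
```

The CRC-32 ICV gives no help against this: it is computed over the plaintext and encrypted under the same keystream, so it is recovered along with everything else. TKIP's per-packet key mixing and 48-bit sequence counter were added precisely to stop keystream reuse; AES-CCMP (WPA2) replaces RC4 altogether.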

Wireless access can provide the following benefits:

Strong authentication. IEEE 802.1X was a standard that existed for Ethernet switches and was adapted to 802.11 wireless LANs to provide much stronger authentication than the original 802.11 standard offered. Wireless network authentication can be based on different EAP authentication methods, such as those using a secure password (the user account name and password credentials) or a digital certificate. IEEE 802.1X prevents a wireless node from joining a wireless network until the node has performed a successful authentication. Additionally, the mutual authentication component of EAP prevents wireless users from connecting to rogue wireless access points (APs) or rogue RADIUS (NPS) servers.

Although 802.1X authenticated access is optimal for medium and large wireless LANs, it can also be used by small organizations that require strong security. An 802.1X authenticated wireless access infrastructure consists chiefly of servers running Network Policy Server (NPS) and an account database such as the Active Directory Domain Services (AD DS) account database. IEEE 802.1X uses the Extensible Authentication Protocol (EAP).
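What actually travels between the access point and the RADIUS server in this design is easy to lose behind the wizard screens of design methodology steps 9 and 11 ("Add RADIUS clients" and configuring the 802.1X access point), so the following added example, not code from the original document, Microsoft or Cisco, builds the first round trip by hand: the AP wraps the supplicant's EAP-Response/Identity in a RADIUS Access-Request, and the server answers with an Access-Challenge carrying EAP-Request/PEAP. It then shows what the shared secret configured on both sides buys you: the Message-Authenticator (HMAC-MD5, RFC 3579) on EAP-carrying packets and the Response Authenticator (MD5, RFC 2865) that lets the AP reject a reply from a server that does not know the secret, a tampered reply, or a reply that does not answer its own request. The secret, the NAS address 10.19.5.11 (an address in the diagram's wireless subnet) and the user identity are constructed for the demo.

```python
# Added example (not from the original document): RADIUS carrying EAP between
# an 802.1X access point (RADIUS client) and the authentication server, per
# RFC 2865/3579. Secret, NAS address and user identity are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 4, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (header included), Value."""
    assert len(value) <= 253, "attribute value too long"
    return struct.pack("!BB", atype, len(value) + 2) + value


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _sign(code: int, ident: int, header_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Append Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed).
    For replies, header_auth is the authenticator of the request being answered."""
    zeroed = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, _packet(code, ident, header_auth, zeroed), hashlib.md5).digest()
    return attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def build_access_request(secret: bytes, ident: int, identity: bytes, nas_ip: str, eap: bytes):
    """AP -> server. Returns (packet, request_authenticator); the AP keeps the random
    authenticator so it can validate the reply."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, identity)
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + attr(EAP_MESSAGE, eap))
    attrs = _sign(ACCESS_REQUEST, ident, request_auth, attrs, secret)
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def build_response(secret: bytes, code: int, ident: int, request_auth: bytes, eap: bytes) -> bytes:
    """Server -> AP. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    attrs = _sign(code, ident, request_auth, attr(EAP_MESSAGE, eap), secret)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def parse_attrs(packet: bytes) -> list:
    """[(type, value), ...]; raises ValueError on a malformed attribute."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_response(secret: bytes, request_auth: bytes, packet: bytes) -> bool:
    """AP side. Accept only a reply that answers our request (Response Authenticator)
    and carries a valid Message-Authenticator; without the secret, neither can be forged."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    resp_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    try:
        parsed = parse_attrs(packet)
    except ValueError:
        return False
    # Recompute the HMAC over the packet with the request authenticator in the
    # header field and the Message-Authenticator value zeroed (RFC 3579 3.2).
    zeroed, pos, found = bytearray(packet[:4] + request_auth + attrs), 20, None
    for atype, value in parsed:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            found = value
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
        pos += 2 + len(value)
    if found is None:
        return False
    return hmac.compare_digest(hmac.new(secret, bytes(zeroed), hashlib.md5).digest(), found)


def exchange() -> dict:
    """First round trip of EAP over RADIUS: the AP relays EAP-Response/Identity,
    the server answers Access-Challenge with EAP-Request/PEAP (type 25, Start)."""
    secret = b"gk-radius-demo-secret"       # constructed shared secret
    identity = b"GRACEKENNEDY\\wlan.user"   # constructed domain account
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    req, req_auth = build_access_request(secret, 7, identity, "10.19.5.11", eap_identity)
    eap_peap_start = struct.pack("!BBH", 1, 2, 6) + b"\x19\x20"
    challenge = build_response(secret, ACCESS_CHALLENGE, 7, req_auth, eap_peap_start)
    forged = build_response(b"wrong-secret", ACCESS_ACCEPT, 7, req_auth, eap_peap_start)
    tampered = challenge[:-1] + bytes([challenge[-1] ^ 0x01])
    return {"request_len": len(req),
            "genuine": verify_response(secret, req_auth, challenge),
            "rogue_server": verify_response(secret, req_auth, forged),
            "tampered": verify_response(secret, req_auth, tampered),
            "replayed": verify_response(secret, os.urandom(16), challenge)}
```

Two practical consequences for steps 9 and 11: each access point must be registered on the RADIUS server with its own address and a long random shared secret (a secret shared across all APs means one compromised AP can impersonate the server to the rest), and the AP must be configured to require the Message-Authenticator on replies, since the Response Authenticator alone is a plain MD5 over the packet and secret. The EAP conversation inside these packets is end to end between supplicant and server; the AP only relays it, which is why a rogue AP is stopped by the supplicant validating the server's certificate, not by anything the AP does.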

Infrastructure flexibility. In general, WLANs can extend or replace a wired infrastructure in situations where it is costly, inconvenient, or impossible to lay cables. A wireless LAN can connect the networks in two buildings that are separated by physical obstacles or financial constraints. You can also use wireless LAN technologies to create a temporary network that is in place for only a specific amount of time. Additionally, where a company needs to expand its workforce rapidly, deploying a wireless network can be a more efficient and cost-effective alternative to installing the physical cabling a traditional Ethernet network requires. And even if no wireless infrastructure is present, portable computers with wireless adapters can still form their own ad hoc networks to communicate and share data with each other.

Mobility and productivity. Wireless access can increase productivity for employees who require mobility. Mobile users equipped with a portable computer can remain connected to the network while changing location (meeting rooms, hallways, lobbies, cafeterias, classrooms, and so forth) and still have access to network resources. Without wireless access, the user must carry Ethernet cabling and is restricted to working near a network jack. Wireless LAN networking is well suited to environments where movement is required.

CONCLUSION

There are some fundamental prerequisites that must be met before implementing or deploying any wireless network:

Before deploying this scenario, you must first purchase and install 802.1X-capable wireless APs to provide wireless coverage in the locations you want at your site.

Active Directory Domain Services (AD DS) is installed, as are the other network technologies, according to the instructions in the Windows Server 2008 Foundation Network Guide.

Server certificates are required when you deploy Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2): the client validates the server's certificate before sending password credentials inside the TLS tunnel, which is what keeps a rogue server from harvesting them. For information about deploying server certificates, see Foundation Network Companion Guide: Deploying Server Certificates.

Server certificates and computer and user certificates are required when you deploy Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). For information about deploying user and computer certificates, see Foundation Network Companion Guide: Deploying Computer and User Certificates.

This guide uses a step-by-step approach to help you decide which design best fits your wireless access needs and to help you create a design based on the most common wireless design goals. The two scenarios are:

Wireless access by using PEAP-MS-CHAP v2 for secure password authentication. This design is well suited to small businesses and medium organizations. Secure password authentication provides strong security, and uses domain account credentials (user name and password) for client authentication. When deploying wireless access by using PEAP-MS-CHAP v2, you can either purchase certificates from a public certification authority (CA), such as VeriSign, or deploy a private CA on your network by using Active Directory Certificate Services (AD CS). In either case, configure the clients to validate the server certificate and to trust only the expected issuing CA; without that validation the mutual authentication that protects against rogue APs is lost.

Wireless access by using either EAP-TLS or PEAP-TLS for authentication using digital certificates. This design is well suited to medium- and enterprise-sized networks. Digital certificates provide more robust security than secure password authentication. The certificates are either stored on smart cards or issued to your users and computers by the CA you deploy on your network. If your wireless solution uses either EAP-TLS or PEAP-TLS, you must deploy a private CA on your network by using AD CS.