Management of Networks & Telecommunication Systems (LIS4482) Sam Levine, Christopher Dick, Andrew Dentzau, Daniel Cohen, & Jason Lee December 9th, 2010
administrative workstations. The first logical network connects two patient databases and one backup patient database. The second logical network connects two business databases and one backup business database.
Workstation Configurations (Hardware, Software): Hardware and software configurations are to be managed exclusively by the IT Department. Any unauthorized modification of software packages or hardware configuration is subject to official reprimand.

Network Device Placement: Network devices will be located in access-restricted sections of working areas. Switches are located in ceiling access areas, along with cable bundles. Cable drops are provided in each room for the authorized number of connections.

Environmental Issues: The office is moving towards a green stance, and as such all trash will be recycled where possible. Paper is to be used as little as possible for business transactions. The goal of the office is to be as environmentally sound as possible.

Power: All computers are to be shut down or placed in standby mode each day after close of business on weekdays. On weekends all computers are to be left in standby mode for hardware and software maintenance.

Patching: Patching is to be managed through the centralized patch server. Patches are to be thoroughly tested on VMware images of the deployed hardware configurations before deployment. Patches are to be applied on Saturdays, after close of business.
4.2 Account Use
Network accounts must be implemented in a standard fashion and utilized consistently across the organization. The following policies apply to account use:
- Accounts must be created using a standard format (i.e., firstnamelastname, firstinitiallastname, etc.).
- Accounts must be password protected.
- Accounts must be for individuals only; account sharing and group accounts are not permitted.
- User accounts must not be given administrator or 'root' access unless this is necessary for the user to perform his or her job function.
- Occasionally guests will have a legitimate business need for access to the corporate network. When a reasonable need is demonstrated, temporary guest access is allowed. This access, however, must be severely restricted to only those resources that the guest needs at that time, and disabled when the guest's work is completed.
- Individuals requiring access to confidential data must have an individual, distinct account. This account may be subject to additional monitoring or auditing at the discretion of the IT Manager or executive team, or as required by applicable regulations or third-party agreements.
4.3 Account Termination
When managing network and user accounts, it is important to stay in communication with the Human Resources department so that when an employee no longer works at the company, that employee's account can be disabled. Human Resources must create a process to notify the IT Manager in the event of a staffing change, which includes employment termination, employment suspension, or a change of job function (promotion, demotion, etc.).

4.4 Authentication
User machines must be configured to authenticate against the domain at startup. If the domain is not available or authentication cannot occur for any reason, the machine must not be permitted to access the network.

4.5 Firewall
The company will operate a perimeter firewall between the internal network and the Internet in order to create a secure environment for computers and network resources. The firewall will:
- Block unwanted traffic as determined by the firewall rule set.
- Enforce access control between the trusted internal network and untrusted external networks.
- Log traffic to and from the internal network.
- Provide virtual private network (VPN) connectivity.
- Hide vulnerable internal systems from the Internet.
- Provide robust authentication.
4.6 Use of Passwords
When accessing the network locally, username and password is an acceptable means of authentication. Usernames must be consistent with the requirements set forth in this document, and passwords must conform to the company's Password Policy.
4.7 Remote Network Access
Remote access to the network can be provided for the convenience of users, but it comes at some risk to security. For that reason, the company encourages additional scrutiny of users remotely accessing the network. The company's standards dictate that username and password is an acceptable means of authentication as long as the appropriate policies are followed. Remote access must adhere to the Remote Access Policy.

4.8 Screensaver Passwords
Screensaver passwords offer an easy way to strengthen security by removing the opportunity for a malicious user, curious employee, or intruder to access network resources through an idle computer. For this reason, password-protected screensavers must activate after 15 minutes of inactivity.

4.9 Minimum Configuration for Access
Any system connecting to the network can have a serious impact on the security of the entire network; a vulnerability, virus, or other malware may be inadvertently introduced in this manner. For this reason, users must strictly adhere to corporate standards with regard to antivirus software and patch levels on their machines. Users must not be permitted network access if these standards are not met. This policy will be enforced with a product that provides network admission control (NAC).

4.10 Encryption
Industry best practice is that username and password combinations must never be sent as plain text; if this information were intercepted, it could result in a serious security incident. Therefore, authentication credentials must be encrypted during transmission across any network, whether the transmission occurs within the company network or across a public network such as the Internet.

4.11 IDS
We will also implement IDS software to establish intrusion detection and security monitoring that protects resources and data on the organizational network. This will:
- Increase the level of security by actively searching for signs of unauthorized intrusion.
- Protect the confidentiality of organizational data on the network.
- Preserve the integrity of organizational data on the network.
- Prevent unauthorized use of organizational systems.
- Keep hosts and network resources available to authorized users.
- Increase security by detecting weaknesses in systems and network design early.
4.12 Failed Log-ins
Repeated log-in failures can indicate an attempt to 'crack' a password and surreptitiously access a network account. In order to guard against password-guessing and brute-force attempts, the company must lock a user's account after 3 unsuccessful log-ins. This can be implemented as a time-based lockout or require a manual reset, at the discretion of the IT Manager. In order to protect against account guessing, the error message returned on a logon failure must not indicate whether the account name or the password was incorrect. The error can be as simple as "the username and/or password you supplied were incorrect."

4.13 Non-Business Hours
While some security can be gained by removing account access during non-business hours, the company does not mandate time-of-day lockouts. This may be either to encourage working remotely, or because the company's business requires all-hours access.

4.14 Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document, and the applicable policies should be reviewed as needed.

5.0 Enforcement
This policy will be enforced by the IT Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.
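Section 4.12 states the lockout and generic-error rules but not how an authentication service enforces them. The following Python example is added here as an illustration and is not part of the original course document. It assumes a 15-minute time-based lockout window (the policy leaves the choice between time-based lockout and manual reset to the IT Manager, so both modes are provided), stores passwords as salted PBKDF2 hashes, and records lockout events in an in-memory audit list. It also goes slightly beyond the policy text in two places a practitioner would want: a locked or non-existent account gets the same generic message as a wrong password, and an unknown username still costs a full hash computation so response timing does not reveal which accounts exist. The usernames and passwords are constructed test data.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILURES = 3            # section 4.12: lock after 3 unsuccessful log-ins
LOCKOUT_SECONDS = 15 * 60   # assumed time-based window; the policy leaves the length to the IT Manager
PBKDF2_ROUNDS = 100_000     # assumed work factor for stored password hashes
# One message for every failure, so the response never reveals whether the
# account name or the password was wrong, or whether the account exists / is locked.
GENERIC_ERROR = "The username and/or password you supplied were incorrect."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh random salt is drawn if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    # None: not locked.  float("inf"): locked until an administrator calls unlock().
    locked_until: Optional[float] = None


class Authenticator:
    """Password authenticator enforcing the section 4.12 lockout and generic-error rules."""

    def __init__(self, manual_reset: bool = False, clock: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {}
        self.manual_reset = manual_reset                 # True: a lock needs unlock() by an admin
        self.clock = clock                               # injectable so tests can move time forward
        self.audit: List[Tuple[float, str, str]] = []    # (time, event, username) for the IT Manager
        # Dummy salt so a guess against an unknown username burns the same CPU as a real check.
        self._dummy_salt, _ = hash_password(os.urandom(16).hex())

    def add_user(self, username: str, password: str) -> None:
        self.accounts[username] = Account(*hash_password(password))

    def is_locked(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.locked_until is not None and self.clock() < acct.locked_until

    def unlock(self, username: str) -> None:
        """Manual reset by the IT Manager (section 4.12)."""
        acct = self.accounts[username]
        acct.failures = 0
        acct.locked_until = None
        self.audit.append((self.clock(), "manual_unlock", username))

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, self._dummy_salt)    # same work as a real check
            self.audit.append((now, "failure_unknown_user", username))
            return False, GENERIC_ERROR

        if acct.locked_until is not None:
            if now < acct.locked_until:
                # Do not test the password at all: a correct guess must not succeed
                # while the account is locked, otherwise the lockout stops nothing.
                self.audit.append((now, "attempt_while_locked", username))
                return False, GENERIC_ERROR
            # Time-based lockout has expired: start a fresh failure window.
            acct.failures = 0
            acct.locked_until = None

        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):     # constant-time comparison
            acct.failures = 0
            self.audit.append((now, "success", username))
            return True, "OK"

        acct.failures += 1
        self.audit.append((now, "failure", username))
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = float("inf") if self.manual_reset else now + LOCKOUT_SECONDS
            self.audit.append((now, "lockout", username))
        return False, GENERIC_ERROR
```

The audit list is where the detail the user is not shown ends up: the IDS or the IT Manager can see that an account was locked, that guesses continued against a locked account, or that a non-existent username was tried, while the caller only ever sees the one generic string.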
Budget (ALL)
Use | Item Name | # | Price/Item | Total Price
VPN router | LINKSYS 10/100 16PT VPN RTR | 2 | $406.78 | $813.56
Proxy server | CISCO CE-510A-80GB-K9 Proxy Server | 2 | $833.14 | $1,666.28
DNS server | D-Link DNS-323 2-Bay Network Attached Storage Enclosure | 2 | $149.98 | $299.96
Hard drives for: proxy servers (2), DNS servers (4), database servers (30), web servers (10), mail server (10), file server (5), active directory server (5) | OCZ VERTEX 2 EX SERIES SATA II 2.5" SSD (200 GB) | 81 | $4,076.09 | $330,163.00
Server software for: web servers (2), mail servers (2), file server, and active directory server | | 6 | $1,098.99 | $6,593.94
Network router | Cisco Systems Cisco 891 Gigabit EN Security Router | 2 | |
Network switch | HP J8164A#ABA 26-Port Network Switch | 7 | |
Software for the databases | Microsoft SQL Server 2008 R2 Developer Edition | 6 | |
6 database servers, 2 web servers, 2 email servers, 1 file server, 1 active directory server | HP ProLiant ML350 G6 Base - Server - tower - 5U - 2-way - 1 x Xeon E5520 / 2.26 GHz - RAM 6 GB - SAS hot-swap 2.5" | 9 | |
Wireless Access Points | Cisco 1941 Security Router - wireless router | 2 | $1,919.99 | $3,839.98
Wired network cabling | Cat5e UTP Stranded, In-Wall Rated (CM), 350MHz 1000FT Bulk 24AWG Cable | 4 | $63.70 | $254.80
 | RJ45 CAT5 Modular Plug for Round Stranded Cable (50 pieces) | 10 | $6.20 | $62.00
 | Cables To Go 10997 APW Bolt-down Relay Rack | 2 | $148.99 | $297.98
Assets already owned | PCs, Printers, & AV equipment | | |
UPS (Uninterruptible Power Supply) | APC - Smart-UPS 750VA Battery Backup and Power Conditioner System | 8 | $514.60 | $4,116.80
 | McAfee VirusScan Enterprise for PCs and server | 3 | $314.99 | $944.97
TOTAL | | | |
Figure 1.
Figure 2.