Thursday, September 29, 2005

Network Assigment




MOHD ZAKI SHAMSUDIN
NETWORK ENGINEER




REQUEST FOR PROPOSAL




FOR



MENTARI BIKES SDN BHD
NETWORK PLANNING SOLUTION
OCKTOBER 23, 2005

1.0 Executive Overview
A new enterprise network will be installed for the Mentari Bikes Sdn Bhd to inter-connect the main office buildings and the branches, its corporate business partners and the Internet. To secure the enterprise network from outside intruders, a secure network topology solution will be deployed. This network will be based on standard Internet protocols; therefore, interoperability between different hardware and software vendors will be seamless. To provide external communication to business partners, the network will be configured with the proper software and hardware. In addition, backup communication paths between sites will be installed and configured to minimize the risk of prolonged downtime.
A high priority for network security is required due to the sensitivity of both legal and human resource matters at Mentari Bikes. For this reason, I will install a firewall to provide a secure boundary between the enterprise network and the outside world. In addition, the firewall will provide secure network access, through the usage of a virtual private network (VPN), to employees who need access to the network from home, branch or when traveling. In the event that off-site employees cannot reach the VPN, a secondary path will be available through a remote access server. In order for Mentari Bikes Sdn Bhd to interact with external companies, the remote access server will also provide outbound connectivity to business partners.
The network will be managed to promote performance, security and availability goals. This proactive management will quickly identify potential problems and provide information to optimize network performance.

In particular, several types of network management will be incorporated into the design:
  1. measuring the network behavior and effectiveness

  2. detecting, isolating and correcting problems

  3. tracking and maintaining computer configurations

  4. tracking and analyzing security information
Based on of experience, I will be recommends the adoption of our computer and network usage policy. The policy provides guidelines concerning rights, responsibilities and procedures of proper network usage for employees. This policy will reduce the risk to Mentari Bikes Sdn Bhd from liability and potential litigation due to improper usage of the computer network by employees. By adopting this policy, Mentari Bikes protects itself and its employees.
After a few months, I assume that technologies and authorized vendor are providing secure, efficient and creative network solutions, I’m confident that the network solution provided herein will effectively satisfy Mentari Bikes business needs as presented in the Request For Proposal (RFP).

2.0 Project Goal
The goal of this project is to design, install and configure a complete enterprise network to support the business functions of the Mentari Bike’s Sdn Bhd. The main office buildings at Kuala Lumpur and Penang and the Johor Bahru will be connected by a redundant topology utilizing a wide area network solution. The new network design and implementation uses the hierarchical network design model which allows future upgrades at a minimum cost. This is important considering the company’s expectation to grow by 100% within the next years 2007.

2.1 Project Scope
The scope of this project is to install and configure all components necessary for a new three-site enterprise network. The three sites will be interconnected with a WAN using Frame Relay over T-1 communication links and backup ISDN lines. The project will affect every department in the company since each uses network applications. Given that there is no existing network in place, no plan is required for the removal of existing equipment and cables. It is outside the scope of this project to update, change or modify the existing telephone network. In addition, the ERP suite of applications has already been procured by Mentari Bikes Sdn Bhd ; therefore, It’s only responsible for designing the network to support the applications. No costs for end-user computers and servers are considered herein since it is assumed these devices are present and available at Mentari Bike’s. Although electrical power and HVAC (heating, ventilating, and air conditioning) recommendations are made herein, installation or modifications to these systems is beyond the scope of this project.

2.2 Business Goals
  1. Allow seamless communication with the warehouse to access the corporate ERP applications.

  2. Strengthen business partner communications by providing external connectivity to their ERP and CRM applications.

  3. Increase employee productivity by constructing a network solution that will allow employees to work from home and when travelling in a secure fashion (VPN).

  4. Stimulate sales and business growth through the use of a corporate website to promote the company and its line of quality furniture.

  5. Plan end-user policies for the general network, web content, e-mail and all department applications.

  6. Increase productivity and meet corporate business objectives by installing and configuring network applications for each department.

  7. For coming 2007 years already build a scalable network that must support an increase in employee size from 100 to 150.

  8. Provide training especially for IT personnel to maximize their efficiency in working with network devices.

  9. Contain network costs by building a flexible and manageable network which the IT staff and other employees can understand and utilize

2.3 Technical Goals
  1. Install Windows 2000 (already procured by Mentari Bike’s Sdn Bhd) as the network operating system.

  2. Use TCP/IP and other standardized network protocols.

  3. Provide bandwidth through a Fast Ethernet network for the ERP and other network applications to the warehouse and other enterprise locations.

  4. Connect enterprise buildings using Frame Relay WAN technology.

  5. Configure redundant ISDN communication links for the WAN to support the availability goal.

  6. Centralize the enterprise Internet connection with a router.

  7. Implement an enterprise firewall that performs NAT, VPN and packet filtering to block questionable packets.

  8. Implement a demilitarized zone that contains the FTP and SMTP servers.

  9. Outsource the corporate website to FreeServers.com.

  10. Provide efficient external company network interaction through the use of a dial-in dial-out remote access server.

  11. Design and implement VLANs for each department. Some VLANs will span the entire enterprise network.

  12. Implement a hierarchical addressing solution by employing variable length subnet masking.

  13. Use a simple classless routing protocol such as RIPv2.

  14. Utilize DHCP to dynamically allocate IP addresses.

  15. Utilize WINS and DNS for NetBIOS and domain name to IP address resolution. Configure them to stay consistent with the DHCP server.

  16. Create a scalable naming convention for the corporate domains, network hardware, and cable labeling

2.4 Availability
Availability for the network will meet or exceed the availability of the T-carriers which is certified by the telecommunication supplier at 99.97%. This translates to less than fifteen minutes of network disruption per month. ISDN lines are used as backup at each of the main office and branch buildings. Should one or more of the main office or branches T-carries be disrupted, the ISDN line will pass traffic between the campus routers, albeit at a reduced data rate. When service is restored to the T-carrier(s), then traffic is discontinued along the ISDN backup path(es) and full bandwidth is again achieved.
AC power to all routers, switches, hubs, and access devices at the three campus sites is supplied via UPS equipment. Minor local power disruptions, therefore, will not unnecessarily disrupt overall network communications.

3.0 Network Explanation & Network Reach
Employees of LFX have been categorized into one of nine "User Communities." A community is comprised of computer users that do similar tasks and therefore use similar software and network resources. The nine User Communities are:-
  1. Acct – Accounting

  2. OPS – Operations

  3. IT – Information Technology

  4. HR – Human Resources

  5. Admin – Administration

  6. Mgt – CEO, COO, CFO, CIO, and CMO

  7. Sales/Mrkg – Sales and Marketing

  8. Engrg – Design Engineering

  9. Prod – Production (only 8% require PCs)
I has identified several network applications and placed them into three categories: user applications, system applications and protocols. For specifics of the network applications including their bandwidth requirements and user communities, see the Network Applications Table appendix. In addition, see Required Servers and Usage appendix for a description of the data stores. One application, the Biztrak Business Software MSB Edition suite of applications, is an essential enterprise application that manages and organizes many phases of the business. The application was procured from Biztrak Software Associates (http://www.lillysoftware.com/products/VISUAL_manufacturing/).
The majority of "common" network devices and equipment will be locate at MIS Server Room because this building has the majority of computer users and also functions as the headquarters building. Frame Relay circuits are proposed to inter-connect the two company sites located at Penang and Johor Bahru. As backup to the primary Frame Relay circuits, each site uses an ISDN circuit. Network traffic will continue to flow, albeit at a reduced rate, across the backup circuit(s) if any of the Frame Relay circuits experiences a prolonged outage. A forth Frame Relay circuit, attached to the enterprise router at 8500 RiverTree, provides "single-point" Internet access to all branch computer users.
Circuit diversity will be attempted through the telecommunication provider so that true circuit redundancy is achieved. True circuit redundancy is not achieved since many providers have inaccurate circuit routing information and are reluctant to guarantee separate circuits
The solution proposed herein provides for significant computing flexibility regardless of a user’s location. This is the case whether located on the corporate campus or off-site using dial-in or VPN services. Although different privileges and capabilities are granted to users of different "user communities", the network infrastructure is designed such that computing capability is not restricted by point of attachment. Even limited wireless capability is provided in and around the headquarters (i.e., 8500 RiverTree). In other words, a user can do his/her assigned jobs from any Ethernet outlet or WAP.
The CIR (committed information rate) and burst ability of the T-carriers of both the WAN backbone and Internet access point are sized for an initial 77 users. In the future as new employees are added or removed, incremental changes can be made to the T-carrier’s capacity. The hardware outlined in the proposed solution is capable of handling increased capacity provided by future T-carrier upgrades.

4.0 Logical Design
ANS will deploy a hierarchical IP addressing model because it has been proven over the years to be the most flexible and secure addressing model. Please refer to the Variable Length Subnet Masking appendix while reading this section. A hierarchical model fosters good scalability and availability in the network. In addition, modularity makes the network simpler and easier to understand thereby reducing costs of network management. This will quickly become apparent when Mentari Bike’s expands its employee base by 100% in the next 2007 years.

4.1 Private IP Addressing
Using recommendations and specifications outlined in RFC1918, ANS will deploy a private addressing scheme. This is the most inexpensive method and it provides nearly unlimited network growth. The firewall will act as a NAT (network address translation) device to pass traffic from the private enterprise network to the public network. The advantages of using a private addressing scheme are several. First, the network is more secure since private network numbers are not advertised to the Internet. Second, the network is more adaptable and flexible since private addressing makes it easier to change ISPs. Finally, private addressing benefits the Internet community since each organization only needs a few of the scarce public IP addresses to function properly.

4.2 Internet Service Provided (ISP)
ANS recommends using Jaring as the enterprise ISP. Jaring will provide three public IP addresses that will be used on the enterprise router and firewall. ANS will install the Cisco 1601 router to serve as the central Internet link for the corporation. This 1601 router can handle up 2.048 Mbps and can be managed remotely with SNMP. At this time, I’m does not believe Mentari Bikes Sdn Bhd needs redundant ISP communication links due to the limited size of the company and, more importantly, its low dependency on an ISP link
4.3 Variable Length Subnet Masking
In order to support efficiency and flexibility in the use of the IP address space and to allow smooth network expansion in the future, ANS will deploy VLSM to divide the IP addresses into ranges. The subnet mask will be adjusted in a hierarchical fashion to accommodate the number of hosts on each subnet. ANS will assign blocks of addresses, not on group membership, but rather on the physical network design. This will alleviate problems when employees move from one part of the company to another.
There will be two /16 subnets for the 8500 building: one for the server farm switch (85sfswt) and one for the riser switch (85riserswt) that services floors above. These layer 3 switches from 3Com and will further segment the network. The server farm switch will be configured to place each server on its own subnet. The Perle (dial-in dial-out) device will be placed on a /27 subnet thereby allowing a maximum of 30 remote users. There will be one /24 subnet for each floor of 8500 which allows for expansion up to 254 hosts per floor. The other two buildings are configured similarily.
4.4 Wide Area Network
Three Cisco 2651 routers with the following additional components will serve as the backbone WAN (see the Network Topology Diagram appendix):
I’m recommends that a classless routing protocol such as RIPv2 be used. First, variable-length subnet masking (VLSM - see above) can be used. Second, a classless routing protocol supports discontiguous subnets; something that will be deployed to support the multiple physical locations of the human resources (HR) and administration (ADMIN) department. Third, since the experience of the IT staff is limited, RIPv2 is easy to learn and understand. Finally, even though distance-vector protocols such as RIPv2 are bandwidth intensive, the size of the enterprise routing tables will be small given that super netting and route aggregation will be utilized.
I’m also recommends that Frame Relay be deployed as the WAN technology to connect the three corporate buildings. To meet network availability goals, ANS strongly recommends ISDN BRI backup communication links to the Frame Relay WAN. Since the routers support Dial-on-Demand Routing, they will be configured to activate the backup ISDN link when the Frame Relay WAN is unavailable. In addition, DDR will allow the ISDN link to remain idle which prevents unnecessary telecommunications costs. ANS recommends that the Frame Relay T1 and ISDN service be purchased from Frontier Internet (http://www.wic.net/dedicatedaccess.php).
Other solutions to connect the three buildings which were investigated but not selected due to high cost, high maintenance, or unnecessary complexity include:

  • A line of sight laser to connect 8500 and 5500.

  • An underground cable to connect 8500 and 5500.

  • A radio frequency to connect all three locations.

4.5 Dynamic Host Configuration Protocol
IP addresses will be dynamically allocated to hosts using DHCP. Servers will not request an IP address from DHCP since they will be configured with a static IP address. I’m will deploy one DHCP server at each building location to reduce the amount of network traffic across the WAN (see the Network Topology Diagram appendix). By using an 802.1Q compliant NIC, such as the 3Com Ether Link 10/100 NIC the DHCP server will be configured to be on all the VLANs in the building. This way, the DHCP server will respond to the appropriate VLAN when serving a dynamic IP address. DHCP will perform DNS updates since this method is more secure and reduces management time. DHCP will also supply the DNS and gateway addresses to the client (see Host/Device Naming section below). Clearly, the advantage of DHCP is to reduce administrative overhead in managing and maintaining a TCP/IP network
4.6 Host/Device Naming
ANS believes that a hierarchical and meaningful naming model is the most beneficial for network management and user productivity. Although these names may suggest location and abilities of a particular device, the implementation of the private IP schema will circumvent this exposure. Below are the recommendations that ANS proposes for the naming of network hardware (see Network Topology Diagram Appendix):

  • routers end with 'rtr'

  • switches end with 'swt'

  • the enterprise router is named 'entrtr'

  • the building routers are prefixed with the building address (i.e. 8500rtr).

  • devices at 8500 start with 85

  • devices at 5500 start with 55

  • devices at 1209 start with 12

  • the firewall is named 85firertr

  • switches that connect the server farms are labeled with 'sf'

  • switches for each building floor are labeled 'f1', 'f2', etc… (e.g., 85f1swt)

  • switches connecting building floor switches are labeled 'riser' (e.g., 85riserswt)

  • hubs are named in consecutive order like '55hub1', '55hub2', etc…
The names of servers will represent the name of the application that they service. For example, the DHCP, WINS, and DNS servers will be called DHCP1, WINS1, and DNS1 respectively at the 8500 location. At the 5500 and 1209 location, they are suffixed with '2' and '3' respectively. In addition, the server that houses all the Visual Manufacturing modules except for the core application will be called VM1. One exception to this rule is the DB1 server that will house the Visual Manufacturing core application and the SQL Server database to power it.
I’m recommends that names of end user machines be chosen by the end user. End users will apply for names to the IT department who will then centrally manage the implementation of the chosen name. Users can request name changes if they have a good reason for doing so. By letting the end user be involved with the computer naming, it fosters a sense of individuality and enjoyment in employees. In addition, it relieves the IT department from having to spend quality time thinking up names for many computers.

4.6.1 Windows Internet Naming Service

I’m will use the WINS software that comes integrated with Microsoft Windows 2000. I’m will place a WINS server in each building since WINS servers cannot handle multiple subnets. After receiving the WINS server address from DHCP during boot up, the host will contact the WINS server to make sure its own name is unique. In addition, WINS will receive requests from the DNS server to resolve NetBIOS names. I’m recommends that the WINS servers are replicated on a regular schedule such as once per day, preferably during the early morning hours.
Even though WINS is not required on an all Windows 2000 network, I’m is not recommending the enforcement of a policy that restricts the attachment of a non Win2K computer. In this event, WINS will be required to allow for the proper functioning of the network.
4.6.2 Domain Name Service

As for WINS, ANS will use the DNS software that comes integrated with Microsoft Windows 2000. ANS recommends that a DNS server be placed in the 8500 and 5500 building locations. Placing a DNS server at 1209 is not justified since there are a small number of computers at that location. 1209 hosts will contact the DNS server at 8500 for name resolution. The 8500 DNS and 5500 DNS will serve as the primary and secondary zone, respectively. Replication of the DNS servers will occur on a regular basis such as once per day, preferably during the early morning hours. ANS will configure the 5500 DNS server to forward unresolvable requests to the 8500 DNS server. The DNS server at 8500 will forward any unresolvable requests to the DNS server at the ISP. The MX record of each DNS will be configured with the IP address of the enterprise mail server (SMTP1).
To provide reliability and redundancy in the network, each host will be automatically configured by DHCP (see DHCP section above) with the two DNS server IP addresses. In order to keep DNS up to date since DHCP is dynamically allocating IP addresses, the DNS server will be updated by DHCP (see DHCP section above). For security purposes, both DNS servers will be located behind the enterprise firewall.

4.6.3 Domain Controllers

I’m recommends that two domains be configured for the Mentari Bikes enterprise network. The domain located at 8500 will be called Queenanne and the other domain at 5500 will be called Baroque. The names are meaningful since they represent furniture styles but can be changed as necessary. A separate domain at 1209 is not needed since there are a small number of hosts at this location; therefore, ANS will configure that hosts at 1209 will share the 8500 domain. As a result, when 1209 hosts boot up, they will contact the primary domain controller at 8500. Hosts at 8500 and 5500 contact their respective domain controllers which keeps the traffic local to the building and not on the WAN. The primary domain controllers at 8500 and 5500 will be replicated once per day in the early morning hours.


5.0 Network Security (Physical and Firewall)
Physical security cannot be overlooked without risking significant downtime or destruction to network operations. So that only authorized personnel can access the hardware and telecommunication circuits comprising the computer network, all wiring closets and the IT Equipment Room must be secured under lock and key at all times. Not only will this prevent unintentional disruptions resulting from "patch" mistakes made by good intentioned users, it will also greatly reduce the risk of a malicious act.
It is highly recommended that all telecommunication demarcation points be located in either the IT Equipment Room or in one of the wiring closets. These network connection points are among the most vulnerable "single-point" failures which need to be protected from accidental or malicious disruption.
The network security policy adopted by Mentari Bikes should include, as a minimum, elements of the following:

  • Guest accounts will be disabled

  • Three log-in attempts before the account is disabled

  • Regular password changes (no longer than 6 months)

  • Passwords should not be less than eight characters

  • Logs should be analyzed by IT every month

  • Absolutely no personal PC modem are permitted (major breech)
A firewall will be deployed at the edge of the enterprise network. The firewall will deny all private IP address requests from the external network and reject attachments (e.g., .exe, .com, .bat and visual basic scripts) that are known to frequently harbor viruses. The firewall will segregate the network into two parts: the trusted and the optional network. The firewall will route packets to the optional network when they are destined for the SMTP and FTP server on port 25 and 21, respectively. The trusted network is secured by the deployment of a private addressing scheme (discussed above in the Logical Design section). This proven secure network topology is crucial to the protection of the enterprise network.
The Firebox 1000 is competitively priced for a medium sized business. It is an ideal solution since it performs NAT and comes with an exceptional GUI that is easy to learn and configure. The firewall is interoperable with many protocols including SNMP (http://www.watchguard.com/products/firebox1000.asp). All the interfaces (trusted, optional and external) are independently monitored and can be managed remotely. Since the Firebox doesn't come with a hard-drive, the risk of disk failure is removed. Additionally, the firewall is rack-mountable and comes with a 1 year warranty.
Finally, no security management solution would not be complete without virus protection software. An optimal solution is the Symantec Norton AntiVirus Enterprise edition (http://www.symantec.com/). Client software will be installed on all computers in the network and will be configured to automatically receive updates when they become available.

6.0 Network Management

I’m believes that good network management design is important to help your organization achieve its availability, performance and security goals. I’m will deploy three types of network management:
  1. Performance management - measuring the network behavior and effectiveness

  2. Fault management - detecting, isolating and correcting problems

  3. Configuration management - tracking and maintaining computer configurations
I’m believes that the functionality and simplicity of the network management protocol SNMP will suffice for the Mentari Bikes Sdn. In addition, all of the devices in the network are SNMP compliant. I’m recommends an in-band network management architecture that utilizes a centralized monitoring system.
Mentari Bikes wishes the network to be efficiently operated and consistently available. HP OpenView, as the leading software in network management software market, is recommended because of its good performance, easy to use GUI and reliable technical support. HP Open View will be utilized as the central software system and will reside on the DHCP1 server at the 8500 location.
The minimum needed package to fulfill Mentari Bikes requirement is OpenView Network Node Management (NNM). Because Mentari will have no more than 200 network users, the best choice is NNM 250 for Windows NT, which can support up to 250 nodes’ management. The main features include:
  1. Manages switched layer 2 environments as well as routed layer 3 environments

  2. Provides an enhanced web user interface with dynamic views

  3. Shows a filtered view of the entire environment for management of large networks

  4. Supports heterogeneous switched network management (LAN and WAN)

  5. Launches targeted views from events for rapid problem resolution

  6. Provides views of protocols running on top of the network, for example, OSPF
7.0 Website Management
ANS recommends that the enterprise website be outsourced to a third party, FreeServers.com, due to the relative inexperience of the IT staff. This will enable LFX Consortium to effectively leverage their IT resources for other critical network tasks. FreeServers.com provides a proven record of accomplishment in security and reliability. FreeServers is the 10th largest web property on the Internet as it currently hosts approximately 1 million websites (http://www.freeservers.com/news/press_releases/million.html). In addition, LFX can incorporate several different CGI scripts created by FreeServers.com into the corporate website. The scripts include a guestbook, counter and a statistics utility and others. Their Professional Statistics packages provide access to reporting for any day, month and year (http://www.freeservers.com/cgi-bin/show_me?wrap=1&page=stats_compare) at no additional cost.
FreeServers.com works seamlessly with Microsoft FrontPage so any daily updates such as a change in the company's product lines and new releases can be published immediately to the website. FreeServers.com comes with a SiteBuilder utility that makes constructing a web site easy. They have many layout styles that can be edited for personalization. To make management easy, any changes and modifications to the corporate website can be done any time from any computer. It is the responsibility of the LFX Consortium to create and design their own website. In addition, your enterprise can obtain the URL address, www.lfxconsortium.com.
In brief, some features include:

  • 500MB space

  • Priority customer support

  • No advertisements

  • Form E-mailer

  • FTP access

  • Website search utility
7.0 Wireless Initiative
LFX wishes to have a limited wireless network to allow the five members of the Braintrust to roam throughout the 8500 RiverTree site, and also onto the surrounding 60 feet perimeter. One wireless access point (WAP) and five PC cards will be required for the 802.11 based system. The WAP will be positioned on the third floor adjacent to the wiring closet in 8500 RiverTree to provide the best radio reception.
ANS recommends the DWL-1000AP Wireless LAN Access Point from Dlink (http://www.dlink.com/products/wireless/dwl1000ap/SpecsTable.htm). The specifications for the access point are:

  • Indoor range per cell approximately 35 to 100 meters.

  • Outdoor range per cell approximately 100 to 300 meters.

  • Throughput: is 5.03 Mbps.

8.0 External Company Network Interaction & VPN

Telecommuting is becoming more practical with today’s technological advances. Interaction from outside the campus will permit telecommuting employees to access services like: email, distribution lists, the company Intranet, and ERP software.
Two primary methods are proposed to provide for interaction with the main computer network from outside the company campus. First, VPN capability will be available for up to twelve concurrent users (15% of the 77 PC-using employees out of 100 total people). Access capacity can be increased in the future by adding more bandwidth to the initially planned Internet T1 carrier. Dial-in service will be offered via a Perle (http://www.perle.com/products/data_sheets/access_servers/BR_833IS_US.pdf) concentrator using four BRI ISDN lines provided through the PSTN (public switched telephone network). The Perle access device can support eight BRI ISDN lines, but only four will be used initially. As for the WAN above, Frontier Internet is a good choice for the Perle ISDN communication lines.
So employees are able to access company resources and maintain a high level of productivity, a VPN (virtual private network) is incorporated into this design. It is anticipated that no more than fifteen percent of computer users (12 initially) will have the need for this extension of the physical network. Mostly, Sales/Mrkg personnel will use this capability as an extension of their office while traveling. This VPN uses the Internet as a segment backbone and therefore requires sufficient bandwidth to perform satisfactorily. Approximately 25 Kbps is the expected demand for each VPN session when using Terminal Services to achieve a remote desktop. This 300 Kbps network load has been calculated (25 Kbps x 12 users) not to be excessive for the proposed Internet access bandwidth of 1.54 Mbps.
In the event the primary T-carrier Internet link becomes unavailable, the Perle dial-in concentrator can be used as the backup link for VPN users. Attachment capacity as well as data rate will be severely reduced in this backup mode, however.
RADIUS and IAS together perform the centralized connection authentication, authorization, and accounting for dial-in and VPN remote access.
The FireBox/Watchguard product (discussed in the Security section above) has VPN functionality built-in to the firewall product. Not only does this provide adequate network security with management tools, but it also provided the recording of VPN utilization statistics.
MPPE (Microsoft point-to-point) used with PPTP (point-to-point tunneling protocol) is the protocol being proposed here because it is widely adopted by most of the Internet community.
9.0 End User Policies and Guidelines
Mentari Bikes Sdn Bhd. must rely on its computer network to accomplish day-to-day business activities. To insure the company’s electronic resources are used properly, an Acceptable Computer & Network Usage Policy must be established. Users of the company’s resources must be made aware of their responsibilities regarding:

  • Right & Responsibilities

  • Unacceptable Conduct

  • Employment Termination

  • Privacy

  • Enforcement.
A recommended policy document appears as the Acceptable Computer & Network Usage Policy appendix. If this exact policy is not adopted by Mentari Bikes, a similar one should be developed to protect both employees and the employer.

10.0 User Bandwidth Statistics

All the employees in the company contribute to the traffic on the network when using their business applications. Additionally, network bandwidth is consumed by other system applications and protocols that the end user never sees. Please refer to the User Community Bandwidth Table appendix to see an analysis of the busiest circuits. The bandwidth (kbps) usage is per user except for protocols such as RIPv2, Frame Relay LMI and GVRP which are user independent.
10.1 Master Browser
When each computer boots up, it communicates its NetBIOS name to the master browser in a broadcast packet. The host receives the master browser name and a backup name for use when the master browser cannot be reached. Also, the host sends an update about its status every 12 minutes which further consumes network bandwidth. Finally, every time a user clicks on the network neighborhood icon, the host contacts the master browser for a list of services on the network. We estimate that the average bandwidth per user is 0.5 kbps.
10.2 Primary Domain Controller, DNS and WINS

There will be two primary domains: one at 8500 and one at 5500. A host communicates with the PDC to log onto the network and receives a system identifier (SID). Hosts at the 1209 building will use the WAN each time to log onto the network since there is no PDC at 1209. The PDC, DNS and WINS at each site will perform replication and full synchronization (PDCs) every 24 hours. It is estimated that the average bandwidth per user for the domain controller is 0.5 kbps. In addition, ANS estimates that on average the bandwidth consumed during replication is 0.5 kbps

10.3 Routing Protocol - RIPv2

The routing protocol, RIPv2, will not use much bandwidth due to the routers having a limited number of routing table entries. This results from using VLSM and supernetting throughout the network. Therefore, RIPv2 will use little bandwidth when sending its routing table to other routers. It is estimated that the average bandwidth is 0.5 kbps for each router.

10.4 Frame Relay LMI

The bandwidth usage of Frame Relay comes from the Local Management Interface (LMI) protocol. The LMI lets DTEs know what routes are available. Since the WAN will be simple and small, LMI will use a small amount of bandwidth. The estimate the bandwidth for each router is 0.5kbps
10.5 Group VLAN Resolution Protocol
Switches require a way to learn about the VLAN architecture of the network. This is accomplished by GVRP. Since the size of the network is relatively small, ANS estimates that the bandwidth usage for the GVRP protocol is 0.5 kbps.
11.0 Physical Requirements (Storage, Power, Cabling, Cooling)
One entire room, IT Equipment Room, and four equipment closets will be required to house network components for the office. The equipment closet on each separate floor will service network outlets on that floor.
HVAC (heating-ventilating-air-conditioning) for the IT Equipment Room will require special consideration by the physical plant personnel of LFX. It is recommended that the ambient temperature of the room be maintained at 68 degrees Fahrenheit with relative humidity in the range of 25% to 85% (non condensing). Equipment housed in the wiring closets will need proper ventilation to prevent excessive heat build-up in the confined space. The temperature in each closet should not exceed 80 degree Fahrenheit.
Wiring closets will be established in each of the three buildings. For the headquarters building, one small wiring closet will be placed on each of the three floors. Nineteen-inch wide racks are proposed for each of the five device storage locations. Six foot tall floor-style racks will be used in the IT Equipment Room and wall mount racks will be used in the wiring closets. Housed in the racks will be all network communication equipment to include power distribution outlets, patch panels, cable mounts, uninterruptible power supplies (UPS), routers, switches, and hubs.
To provide the cleanest AC power possible, each location will be supplied with isolated 120 volt circuits supplied directly from the building’s main power distribution panels. The following circuit sizes will be required:

  • 8500 – four 120 VAC 20 Amp circuits

  • 5500 -- two 120 VAC 20 Amp circuits

  • 1209 – two 120 VAC 20 Amp circuits
Category 5e cabling will be supplied to all offices as well as used to inter-connect on-site routers and switches. Two outlets (opposite one another) will be installed in each office to accommodate positioning of furniture and to allow for future expansion. One Ethernet outlet will be provided for each of the open space cubicles. Being that the cubicle area must remain flexible, ceiling-to-floor wireways by Panduit will be used to service four-cubicle clusters for both AC and Ethernet.
To keep with an organized distribution of network cabling, computers on a particular floor will be supplied from the wiring closet on that same floor. In other words, there will be no between-floor connections other that the riser connections. Four runs of category 5e will be installed from the central riser switch (i.e., 85riserswt) to each floor switch (namely, 85f1swt, 85f2swt, 85f3swt).
All category 5e Ethernet circuits on the campus will be neatly terminated to patch panels servicing each respective floor. By using patch panels at all equipment closets, a neat and orderly wiring scheme can be easily maintained. As IT personnel see the need to activate or de-activate Ethernet circuits, patch cables can be quickly added or removed. Only the Ethernet circuits which are actively in use will remain "patched-in" at the switches and hubs. For security purposes, jacks which are unused in any of the buildings will be disconnected at the patch panel until such time as the IT personnel need them. This small measure prevents the unauthorized connection of PCs to the campus network.
A complete network topology diagram showing all major devices (i.e., routers, switches, hubs, servers, and access devices) can be found in the appendix Network Topology Diagram. The proposed positioning of equipment and network outlets is shown in the Circuit/Equipment Floor Plan Drawings appendix. Notice that circuits which are currently activated have a label adjacent to their outlet. Outlets which are not "patch-in" have only a circuit identifier adjacent to them. These are all made available for easy future expansion. See the Devices/VLANs/Circuits appendix for point-to-point wiring details and circuit numbering details. The Circuit/Equipment Floor Plan Drawings appendix illustrates Ethernet outlet and device placement.

12.0 File Backups and Disaster Recovery

Few issues are more important to a well managed computer network than reliable and readily available file backups. As simple and painless as it is to follow a backup schedule, many companies still do not manage this process thoroughly. In the event of a lost file and the absence of a RAID (redundant array of inexpensive drives), one sure-fire method of recovery is the tape backup.
It is recommended that a centrally located utility, Backup Exec running on the File2 server, be employed as the means of backup and recovery for the entire network. This utility will be configured to do either full or incremental tape backups daily (off peak) of all user files stored on file servers. Network users must be encouraged to store critical files on a server which is backed-up. Namely, servers File1 and File2 are positioned for day-to-day file storage.
A series of ten revolving tapes will be used. In case of total facility destruction, the previous day’s tape must be stored off-site under the System Administrator’s control. On the last day of each month, the tape will be held indefinitely and a brand new tape will be added to the tape pool. This ensures complete continuity of file storage from year-to-year. Close consultation with the Accounting department is required to determine which day of the month should be saved at the "indefinite hold." This is necessary if the final period-end data is to be collected for the archive.
Tapes stored on-site must be stored in a locked media safe to protect against theft and fire damage (only isolated flames, however). This includes storage of all licensed media, drivers, and operating systems. Retired media recording equipment should never be destroyed when it is displaced by newer technology. Should an emergency recovery operation from out-dated media be required, this retired equipment may be necessary to perform the data restoration. The System Administrator must be held responsible for this, simple, but critical backup task.
File Backup/Recovery is only a subset of a complete disaster recovery plan. The outline provided above will provide a basis to recover from a devastating disaster whereby all the physical premises are destroyed (e.g., fire, flood, tornado, etc.). However, ANS highly recommends a written plan be developed by LFX which specifically describes the details of re-establishing a hardware "platform" to "re-deploy" all functionality from backup sources after a disaster. This plan is absolutely critical to reestablishing business should a tragedy befall LFX. Although developing such a plan is beyond the scope of this RFP, ANS can assist with the creation of such a disaster recovery plan.
Appendix
Acceptable Computer Network Usage Policy
I. Introduction
Mentari Bikes Sdn Bhd relies on its computer network to accomplish day-to-day business activities. To insure the company’s electronic resources are used properly, this Acceptable Computer & Network Usage Policy was established. As a User of these resources, you are responsible for reading and understanding this document.
Definitions:
The term Network refers to the entire Mentari Bike computer network. Specifically, Network refers to, but is not limited to: file servers, workstations, PC’s, mail servers, laptops, software, data files, hubs, routers, cables, and all internal and external computer and communication equipment.
The term User refers to all currently active employees who use the Network.
II. Rights and Responsibilities
Computers and networks provide access to resources on-site and off-site, as well as the ability to communicate with other users worldwide. Such open access is a privilege and requires that individual users act responsibly. Users must respect the rights of other users, respect the integrity of the systems and related physical resources, and observe all relevant laws, regulations, and contractual obligations. Since electronic information is volatile and easily reproduced, Users must exercise care in acknowledging and respecting the work of others through strict adherence to software licensing agreements and copyright laws.
Occasional, limited, appropriate personal use of the Network is permitted if the use does not (1) interfere with the user's work performance; (2) interfere with any other user's work performance; (3) have undue impact on the operation of the Network; or (4) violate any other provision of this policy.
III. Unacceptable Conduct
Conduct which violates this policy includes, but is not limited to the activities in the following list:
  1. Unauthorized use of another person’s computer account.

  2. Using the Network to gain unauthorized access to any computer systems.

  3. Connecting unauthorized equipment to the Network.

  4. Installing unauthorized software (screen savers, too) on computers. Consult MIS personnel with questions regarding authorized software.

  5. Unauthorized attempts to circumvent data protection schemes or uncover security loopholes. This includes creating and/or running programs that are designed to identify security loopholes and/or decrypt intentionally secure data.

  6. Knowingly or carelessly performing an act that will interfere with the normal operation of computers, printers, peripherals, or the Network.

  7. Knowingly or carelessly running or installing a program intended to damage or to place excessive load on a computer system or the Network. This includes, but is not limited to, programs known as computer viruses, Trojan Horses, and worms.

  8. Deliberately wasting/overloading computing resources, such as printing too many copies of a document.

  9. Violating terms of applicable software licensing agreements or copyright laws.

  10. Violating copyright laws and their fair use provisions through inappropriate reproduction or dissemination of copyrighted text, images, etc.

  11. Using company resources for commercial activity such as creating products or services for sale.

  12. Using electronic mail to harass or threaten others. This includes sending repeated, unwanted e-mail to another User.

  13. Initiating or propagating electronic chain letters.

  14. Inappropriate mass mailing. This includes multiple mailings to newsgroups, mailing lists, or individuals, e.g. "spamming," "flooding," or "bombing."

  15. Forging the identity of a user or machine in an electronic communication.

  16. Transmitting or reproducing materials that are slanderous or defamatory in nature.

  17. Displaying or printing obscene, lewd, or sexually harassing images or text.

  18. Attempting to monitor or tamper with another User's electronic communications, or reading, copying, changing, or deleting another User's files or software without the explicit agreement of the owner.
IV. Employment Terminations
IT personnel will perform the follow steps immediately (No exceptions) upon an employee’s termination:
  1. Recover company-owned computers/accessories

  2. Deactivate any and all user accounts

  3. Remove dial-in and VPN privileges

  4. Protect critical company files/backups

  5. Personal files can only be retrieved by IT personnel

  6. Escort the employee so as not to have access to company computers
V. Privacy
The computers and computer accounts given to Users are to assist them in performance of their jobs. Users should not have an expectation of privacy in anything they create, store, send, or receive on the Network. The Network is owned and operated by the company to support business related activities.
VI. Enforcement
Minor infractions of this policy, when accidental, such as consuming excessive resources or overloading computer systems, are generally resolved informally by the MIS Department. This may be done through electronic mail or in-person discussion and education.
Repeated minor infractions or misconduct, which is more serious, may result in the temporary or permanent loss of computer access privileges or the modification of those privileges. More serious violations include, but are not limited to unauthorized use of computer resources, attempt to steal data, unauthorized use or copying of licensed software, repeated harassment, or threatening behavior. In addition, offenders may be referred to their manager/supervisor for further action.

posted by ~ The Jinggo ~ at 12:24 AM

0 Comments:

Post a Comment

<< Home