Desert View Security - Monmouth County Vocational School


Desert View TCS
By Charlene Cooley and Dan Austin

User Requirements

7- to 10-year projected life
– 100% WAN growth
– 1,000% LAN growth

Speed
– 1 Mbps for workstations
– 100 Mbps for servers

Exclusively TCP/IP

User Requirements (cont.)

Frame Relay for WAN transport
2 LANs per building
– student/curriculum
– administrative

Switched LAN infrastructure

User Requirements (cont.)

Classrooms
– 24 workstations per classroom
– 4 cable runs per classroom
– switches located in lockable cabinets

File designation is enterprise or workgroup

User Requirements (cont.)

DNS & E-mail
– master servers at district office
– distributed DNS servers in each building
– each building has a host for DNS & E-mail, and a directory of staff & students

Topology Requirements

Redundant paths between regional servers
Administrative server must be accessible to teachers and staff in each building
Library server must be available to entire network
Static IP for administrative hosts
DHCP for student/curriculum hosts

Security Requirements

General
– no access from Internet to intranet
– 2 physical LAN structures
– double firewall

Access Control Lists
– prevent access from student/curriculum network to administrative network (with certain exceptions)

LAN Cabling

NETWORK DESIGN EXAMPLES
DESERT VIEW

Desert View
Classroom Network Example
[Diagram: components shown are a Frame Relay (1.54 Mbps) backbone connection, a CSU/DSU, a Cisco 2514 router, a link to the Administrative Network, an Application Server, a DHCP Server, a Library Server, and Cisco Catalyst 1900 switches for Teachers, Classrooms 1 to 4 and the Library; all LAN links are labelled 100 Base-T.]

Desert View
Administrative Network Example
[Diagram: components shown are a Frame Relay (1.54 Mbps) backbone connection, a CSU/DSU, a Cisco 2514 router, a link to the Classroom Network, a DNS Server, an Administrative Server, a Network Management Server, an E-mail Server, a Cisco Catalyst 1900, a Catalyst 5000, and hosts Admin 1 to Admin 6; all LAN links are labelled 100 Base-T.]

Desert View
District Network Example
[Diagram: components shown are an Internet (POP) connection, two Frame Relay (1.54 Mbps) backbone connections, two CSU/DSUs, a Cisco 2514 router, an Administrative Server, a DNS Server, a Master Network Management Server, an E-mail Server, an Application Server, a Catalyst 5000, and hosts Admin 1 to Admin 6; all LAN links are labelled 100 Base-T.]

WAN OVERVIEW

FRAME RELAY WAN CONNECTIONS
[Diagram: three Cisco 2514 routers (District Office, Regional Hub One, Regional Hub Two), each labelled "Serial Links", connected over T1 (1.544 Mbps) circuits. Interface labels shown: S0-DLCI 100, 200 and 300; S1-DLCI 400, 500 and 600.]

IP ADDRESSING SCHEME AND NAMING CONVENTION

IP Addressing Scheme for Desert View


Class B Address of 128.0.0.0/22
62 subnets
– Administrative subnets
– Curriculum subnets
– WAN subnets
– Internet subnet

DHCP Servers will hold curriculum addresses

Naming Convention

Administrators
– building name/{office|classroom} number

Curriculum
– building name/classroom number

Network Management

SNMP traps on network nodes
CSWI Resource Manager & Campus Network Management Software
District Office
– master server collects information from regional hubs

Regional Hubs
– will collect information from schools that are attached

DESERT VIEW SECURITY

ACLs

Standard ACL Applied to District Office Network (Incoming)
Standard ACL Applied to Administrative Networks (Incoming)
Extended ACL Applied to Classroom Network (Outgoing)

Desert View
IP Addressing Scheme
[Diagram labels: Internet, Frame Relay]

District Office
– Internet - 128.0.4.0/22
– Backbone - 128.0.8.0/22
– Administrative - 128.0.12.0/22

Building 1
– Backbone - 128.0.16.0/22
– Classroom - 128.0.20.0/22
– Administrative - 128.0.24.0/22

Building 2
– Backbone - 128.0.28.0/22
– Classroom - 128.0.32.0/22
– Administrative - 128.0.36.0/22

ACLs
District Office

! permit the Building 1 and Building 2 administrative subnets
access-list 1 permit 128.0.24.0 0.0.3.255
access-list 1 permit 128.0.36.0 0.0.3.255
! a standard ACL matches on source address only
access-list 1 deny any
Apply to E0
ip access-group 1 in
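
ACLs
Building 1

! permit the District Office and Building 2 administrative subnets
access-list 2 permit 128.0.12.0 0.0.3.255
access-list 2 permit 128.0.36.0 0.0.3.255
! a standard ACL matches on source address only
access-list 2 deny any
Apply to E1
ip access-group 2 in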
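
ACLs
Building 1 (Cont.)

! Building 1 classroom subnet: SMTP and DNS only
! the slide gives no destination; "any" is assumed here
access-list 101 permit tcp 128.0.20.0 0.0.3.255 any eq smtp
access-list 101 permit udp 128.0.20.0 0.0.3.255 any eq domain
access-list 101 deny ip any any
Apply to E0
ip access-group 101 out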
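
ACLs
Building 2

! permit the District Office and Building 1 administrative subnets
access-list 3 permit 128.0.12.0 0.0.3.255
access-list 3 permit 128.0.24.0 0.0.3.255
! a standard ACL matches on source address only
access-list 3 deny any
Apply to E1
ip access-group 3 in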
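
ACLs
Building 2 (Cont.)

! Building 2 classroom subnet: SMTP and DNS only
! the slide gives no destination; "any" is assumed here
access-list 102 permit tcp 128.0.32.0 0.0.3.255 any eq smtp
access-list 102 permit udp 128.0.32.0 0.0.3.255 any eq domain
access-list 102 deny ip any any
Apply to E0
ip access-group 102 out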
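
A check of standard ACLs 1 to 3 against the addressing scheme, using the same wildcard-mask, first-match and implicit-deny rules a router applies. This is an added example, not part of the original slides; the subnet labels and function names are made up for it.

```python
import ipaddress

# Subnets and standard ACLs 1-3 from the slides; the short subnet labels are made up here.
SUBNETS = {
    "district-admin": "128.0.12.0/22",
    "b1-classroom": "128.0.20.0/22",
    "b1-admin": "128.0.24.0/22",
    "b2-classroom": "128.0.32.0/22",
    "b2-admin": "128.0.36.0/22",
}
ACLS = """
access-list 1 permit 128.0.24.0 0.0.3.255
access-list 1 permit 128.0.36.0 0.0.3.255
access-list 1 deny any
access-list 2 permit 128.0.12.0 0.0.3.255
access-list 2 permit 128.0.36.0 0.0.3.255
access-list 2 deny any
access-list 3 permit 128.0.12.0 0.0.3.255
access-list 3 permit 128.0.24.0 0.0.3.255
access-list 3 deny any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse(text):
    """Return {acl_number: [(action, base, wildcard), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        num, action, base = int(parts[1]), parts[2], parts[3]
        wild = parts[4] if len(parts) > 4 else "0.0.0.0"
        if base == "any":  # "any" is shorthand for 0.0.0.0 255.255.255.255
            base, wild = "0.0.0.0", "255.255.255.255"
        acls.setdefault(num, []).append((action, to_int(base), to_int(wild)))
    return acls

def evaluate(entries, src):
    """First matching entry wins; wildcard 1-bits are 'don't care' bits."""
    s = to_int(src)
    for action, base, wild in entries:
        if (s | wild) == (base | wild):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def permitted_subnets(entries):
    """Labels of scheme subnets in which every source address is permitted."""
    return [name for name, cidr in SUBNETS.items() if all(
        evaluate(entries, a) == "permit" for a in ipaddress.ip_network(cidr))]
```

permitted_subnets(parse(ACLS)[1]) returns ['b1-admin', 'b2-admin'], so neither classroom subnet passes the District Office list.
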
QUESTIONS?
DESERT VIEW