
  • 8/20/2019 Remote Working System Project.pdf

    1/50

    Written by Jonathan Camilleri 1

    Remote Working System Project


Introduction ..... 3
    Business environment ..... 3
    IT Environment ..... 4
Requirements ..... 6
    Network setup ..... 6
        Internet connectivity for remote workers ..... 6
        Authentication and connection ..... 7
        Electronic mail ..... 8
        Presentations ..... 8
    Common security threats and the impact on the business ..... 9
Benefits and weaknesses of telecommuting ..... 11
    Benefits for the company ..... 11
    Drawbacks for the company ..... 11
    Benefits for employees ..... 12
    Drawbacks for employees ..... 12
    Trade Union Issues ..... 13
Budgeted costs ..... 14
Technical design and deployment ..... 23
    VPN Overview ..... 24
    IP Sec Overview ..... 24
    Client connection ..... 24
    Server authentication and connection ..... 25
    Project plan ..... 27
Responsibilities and duties ..... 33
    Business and service management ..... 33
    Network Management and Security ..... 33
    Project management ..... 33
Conclusion and recommendations ..... 34
Appendix A - Technical specifications ..... 35
References and bibliography ..... 50


Introduction

This document describes the requirements, analysis and implementation plan for the setup of network access for sales staff operating remotely, in order to provide the best possible service to current and potential customers. This will be achieved by providing:

1. Secure remote access for the sales force operating from mobile client computers and wireless devices;
2. Access to electronic mail;
3. Access to up-to-date customer and transaction information through client software installed on the remote workstations, which queries the central database;
4. The ability for the client software installed on remote workstations to carry out online and offline sales transactions. Synchronisation of offline transactions can be carried out remotely or directly at the head office;
5. Suitable office applications installed on the remote workstations to enable the sales force to display presentations on the various products to customers, report to the company’s management and carry out general office duties as necessary;
6. Backup of remote workstations, to run overnight when the network is not being used. This will be done either through a scheduled automated backup script or manually by the users, depending on the available technologies;
7. Training for the sales force and network administrators on the proposed setup, with guidelines on security concerns and appropriate usage of the equipment provided, so as to reduce the exposure of the company’s integrity to risk as far as possible.

Business environment

Garner Insurance Ltd., herein referred to as “the company”, is one of Malta’s leading insurance companies. Established in 1999, it offers various insurance products at competitive prices intended to cover its personal and business customers against various risks at different levels. Although relatively new to the market, the company has managed to double its profits over the last 5 years, notwithstanding fierce competition from companies that are more established locally.

The company’s workforce numbers more than 300 personnel, including a sales team of 156. This is expected to increase to 400 employees over the next 5 years according to the current business plan.

Table 1 - Sales force projections

                       2005    2010
Senior sales staff       60     100
Normal sales staff      156     300


In addition to substantial investment in advertising and promotion, the targets set by senior management focus on the ability and competency of its sales force to promote its products. One of the sales distribution channels is direct selling to customers, on a door-to-door basis.

Senior sales staff have over 5 years’ experience in direct sales and insurance, and provide support and supervision to the sales staff.

Normal sales staff are given extensive and continuous training on the company’s products and are expected to perform their duties within the company’s sales objectives:

1. Seek potential customers in order to attract them into buying the company’s products;
2. Ensure customer satisfaction to ensure customer loyalty;
3. Liaise directly with senior sales staff, passing on feedback obtained from customers. In turn, senior sales staff analyse the feedback and provide management with recommendations to further increase the company’s local market share, and,
4. Seek support from senior sales staff to enable them to close sales within the company’s sales guidelines.

IT Environment

The company network at the Head Office is a client-server setup. Description of the main servers:

Table 2 - Server Information

Server name | Main function | Description
Giorgio | SQL server | Database server hosting an MS SQL 2000 central database for the company’s core system. The system holds product, customer, transaction, audit and management information and is a critical element in the running of the business.
Alberto | E-mail server | Electronic mail is stored centrally for all users. E-mail addressing format is [email protected]. Each mailbox has a maximum allocated size of 200 MB. When exceeding this size the user can transfer the information to a pre-agreed location for archiving, after erasing irrelevant correspondence. The mail server runs Sendmail’s Mailstream Manager.
Edmundo | Intranet server | This server is used as an Intranet server hosting access to the company’s core system and is used within the company.
Juan | Active Directory server | This is currently the Windows Active Directory server used to authenticate users and allocate network resources to them.
Carlo | File / application server | This server hosts files within user directories in order to ensure that the files are backed up regularly. Users are responsible for the backup of files held on workstations.


Figure 1 – Current Head Office network overview (server names are not used in this diagram, for illustration purposes).


All server disks are configured as RAID level 1 (mirroring) to provide redundancy in case of disk failure. Windows 2000 Server is installed on all servers.

A full backup is taken every Sunday, whilst incremental backups are taken daily on DLT tapes during non-operational hours. Weekly backups are sent for safe keeping to an off-site location in agreement with a service provider. The company is in the process of reviewing its maintenance agreement in order to provide for the replacement of any equipment within the server farm.

A spare server is already available as a replacement. Due to the expected heavier load on the SQL Server, the company is currently investigating the possibility of configuring this server to be used in conjunction with the current database server as an active/failover cluster. This would require upgrading the OS on the database servers to Windows 2000 Advanced Server in order to provide this functionality. The company is also evaluating the risk of not keeping a spare server on the premises, so as to avoid holding redundant servers idle.

The company’s website is hosted on a domain provided by a service provider and maintained by a specialised marketing company.

It is the company’s procedure to retain at least 1 spare computer for every 10 used by its employees. This policy also applies to desktops, laptops and desk printers. Other spare equipment, such as scanners, networking equipment, cables and parts, is held by the IT section. Spare PDAs will be purchased as standby equipment on the same 1 to 10 basis.

Duplicate equipment shall be purchased for essential networking equipment (e.g. VPN concentrators, switches, firewalls) and, where possible, configured so that it is not left idle. The main purpose, however, is to have failover equipment so that the company’s communication lines are not interrupted if a unit is faulty. Ideally the switchover should be transparent to local and remote users, so as not to disrupt the daily running of the business.

Remote workers using laptops shall be able to log in to the company’s core system by logging in to the web server and carrying out transactions normally.

User-interface software for Personal Digital Assistants is still being developed. Testing will be done before the installation of the software during the pilot stage of this project. Whilst software errors may surface at any phase, the client software that is installed shall be the accepted final version.

    Requirements

    Network setup

    Internet connectivity for remote workers

Remote users will connect to the head office network by establishing a Virtual Private Network with the company network over an Internet connection.

Remote workers using laptops shall connect from home through a broadband Internet connection. They can also connect to the Internet through a GPRS connection when they are not at home. Users with PDAs shall connect through a GPRS connection. This is useful to keep communication lines open whilst remote workers are travelling, on training or attending meetings and conferences, and to keep in touch with colleagues during extended vacation periods.


Wireless technology offers wider bandwidth than a GPRS connection and could provide a better alternative for connecting laptops. However, this technology would be more expensive compared to GPRS, since it is relatively new in Malta. Moreover, a GPRS connection on laptops is only being considered as a backup communication line, since it is expected that the employees will mainly use their home connection. Management has to take preventive measures to avoid possible abuse leading to increased communication costs.

The company has to ensure that costs for the usage of GPRS connections are kept to a minimum, by applying and enforcing a set of guidelines for remote teleworkers:

•  Where possible, a connection that is paid for periodically (e.g. the connection to the ISP) is to be used, and the GPRS connection is used only where Internet access is not available at a cheaper price, e.g. when attending conferences or while travelling ‘on the road’, especially abroad. The mobile operator has to be contacted beforehand for correct usage of the device with ‘roaming’ services while abroad.

•  Installation of Internet traffic monitoring software that reports usage statistics to the network administrator for monitoring.

•  E-mails are ideally downloaded once or twice a day rather than continuously, except for urgent communications.

•  Attachments are downloaded through the broadband Internet connection, where charges are not applied by download size, or else at the Head Office.

•  The GPRS connection should not be used for personal interests, although it may be generally accepted that some communication is done on a personal level (e.g. to keep in touch with colleagues), as long as this is acceptable to management.

•  Multimedia files, including pictures, music files and videos, are not to be downloaded except where strictly necessary.

The mobile operator and Internet service provider shall provide a reliable connection to the Internet for the remote workers. The company, on the other hand, is responsible for the maintenance and integrity of the internal network and of the equipment it owns (or leases).

Authentication and connection

The VPN concentrator shall authenticate each user against the MS Active Directory server before any tunnel is established. The hop between the concentrator and the directory carries the user’s credentials, so it shall not pass them in the clear: the concentrator forwards the authentication request through a protocol that protects the credential on the wire (for example RADIUS with a per-server shared secret and a challenge/response method such as MS-CHAPv2 rather than PAP), otherwise the packet-sniffing threat described below applies to the internal network as much as to the Internet. Traffic from the concentrator is filtered by the internal firewall and routed to the Server Farm VLAN by the switch connected to the internal network.

Once a user is authenticated a VPN tunnel is created and the user is connected to the internal network. Each user will be able to access the same resources locally and remotely, with the exception of peripherals that are only used at Head Office, such as scanners, faxes and printers.

The VPN concentrator shall have a static public IP address (or a fixed host name resolving to it), since it will be accessed from all remote connections.
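As an added example (not part of the original project document), the following Python shows how RADIUS (RFC 2865, section 5.2) hides the User-Password attribute on the hop between a concentrator and the RADIUS server in front of the directory, using the shared secret and the per-request Request Authenticator. The secret, the authenticators and the passwords are constructed test values. The last function shows why the authenticator must never be reused: two requests hidden under the same secret and authenticator leak the XOR of the two passwords without any knowledge of the secret, and even when used correctly the construction is only an MD5 keystream, which is why a challenge/response method or an IPsec policy between the two hosts is preferable to plain PAP.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2).

Added example: not part of the original project document. The shared
secret, the request authenticators and the passwords used below are
constructed test values.
"""
import hashlib
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a User-Password value for an Access-Request (client side).

    The password is NUL-padded to a multiple of 16 octets.  Each chunk is
    XORed with MD5(secret + previous_ciphertext_chunk); for the first chunk
    the 16-octet Request Authenticator plays the role of the previous chunk.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = xor_bytes(padded[i:i + 16], keystream)
        hidden += chunk
        prev = chunk  # chaining: the next keystream block depends on this ciphertext
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (server side).  Trailing NUL padding is
    stripped, so a password that itself ends in NUL octets is not representable."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        plain += xor_bytes(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return bytes(plain).rstrip(b"\x00")


def new_request_authenticator() -> bytes:
    """A fresh, unpredictable 16-octet Request Authenticator per Access-Request."""
    return os.urandom(16)


def authenticator_reuse_leak(hidden_a: bytes, hidden_b: bytes) -> bytes:
    """What a sniffer learns if two requests reuse both secret and authenticator:
    the first 16 octets of the two (padded) passwords XORed together, because
    the identical MD5 keystream cancels out.  No knowledge of the secret is needed."""
    return xor_bytes(hidden_a[:16], hidden_b[:16])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ra = new_request_authenticator()
    wire = hide_password(b"hunter2", secret, ra)
    assert reveal_password(wire, secret, ra) == b"hunter2"
    print("User-Password on the wire:", wire.hex())
```

The shared secret is all that stands between a sniffer on the server VLAN and the sales staff’s domain passwords, so it should be long and random, different per RADIUS client, and the concentrator-to-RADIUS path kept on its own segment or inside an IPsec policy.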

IPsec over the VPN shall be used since it has the advantage of essentially making the remote computer part of the corporate network. Applications run without ‘awareness’ that any encryption or Internet routing is taking place. This can also be a drawback, in that any security exposure on the remote computer becomes a risk to the corporate network. Various security controls (the personal firewall and anti-virus software on the laptops and the Cisco Security Agent licences listed in the budget) can be configured centrally to reduce this risk.

Data will be encrypted using the 168-bit 3DES algorithm, which has to be supported by the VPN server (the 3DES encryption licence for the PIX security appliance is included in the budget). As the name implies, 3DES applies three stages of DES; because of the meet-in-the-middle attack its effective strength against key search is about 112 bits rather than 168, which still suffices for most applications. In 2001 the National Institute of Standards and Technology replaced DES with AES (Advanced Encryption Standard), which is expected to remain strong enough for the next 10 to 20 years. 168-bit 3DES was considered sufficiently secure for remote teleworking at the time of writing. Two caveats apply: NIST has since deprecated 3DES (SP 800-131A), and its 64-bit block size limits how much data may be encrypted under one key before ciphertext block collisions start to leak plaintext (the 2016 Sweet32 attack on CBC mode), so IPsec security associations must be rekeyed well below that volume and AES used wherever the equipment supports it.
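The data-volume and key-strength caveats, as an added worked example that is not part of the original document: the birthday bound for a 64-bit block cipher such as 3DES against the 128-bit block of AES, a conservative IPsec SA byte lifetime derived from it, and the brute-force cost of each effective key size. The cipher parameters are the standard ones; the guess rate passed to brute_force_years is an assumed figure used only to illustrate the scale of the difference.

```python
"""Block-size and key-strength limits for the ciphers discussed (DES, 3DES, AES).

Added example, not part of the original document.  Cipher parameters are the
standard ones; the guess rate passed to brute_force_years is an assumption
used only to illustrate the scale of the difference.
"""
import math

BLOCK_BITS = {"des": 64, "3des": 64, "aes": 128}
# Nominal key length and effective strength against the best generic attack:
# 3DES with three independent keys is 168 bits nominal but ~112 bits effective
# because of the meet-in-the-middle attack.
KEY_BITS = {"des": 56, "3des": 168, "aes-128": 128, "aes-256": 256}
EFFECTIVE_BITS = {"des": 56, "3des": 112, "aes-128": 128, "aes-256": 256}
SECONDS_PER_YEAR = 365.25 * 86400


def collision_probability(n_blocks: float, block_bits: int) -> float:
    """Birthday bound: probability that at least two of n_blocks ciphertext
    blocks under one key are equal, 1 - exp(-n(n-1) / 2N) with N = 2**block_bits.
    In CBC mode a collision reveals the XOR of two plaintext blocks."""
    n_space = 2.0 ** block_bits
    return 1.0 - math.exp(-(n_blocks * (n_blocks - 1.0)) / (2.0 * n_space))


def blocks_for_probability(p: float, block_bits: int) -> float:
    """Number of blocks at which the collision probability reaches p
    (inverse of the bound above: n^2 ~ -2N ln(1-p))."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.sqrt(-2.0 * (2.0 ** block_bits) * math.log(1.0 - p))


def bytes_for_probability(p: float, cipher: str) -> float:
    """The same limit expressed in bytes of traffic under one key."""
    bits = BLOCK_BITS[cipher]
    return blocks_for_probability(p, bits) * (bits // 8)


def sa_byte_lifetime(cipher: str, safety_factor: float = 2.0 ** 10) -> float:
    """A conservative IPsec SA rekey threshold in bytes: the 50 %-collision
    volume divided by a safety factor, so every SA stays far below the bound."""
    return bytes_for_probability(0.5, cipher) / safety_factor


def brute_force_years(cipher: str, guesses_per_second: float = 1e12) -> float:
    """Expected years to find a key by exhaustive search (half the effective
    key space) at an assumed guess rate."""
    return 2.0 ** (EFFECTIVE_BITS[cipher] - 1) / guesses_per_second / SECONDS_PER_YEAR


def summary() -> dict:
    """Headline figures a practitioner would put in the design document."""
    return {
        "3des_50pct_collision_GiB": bytes_for_probability(0.5, "3des") / 2.0 ** 30,
        "aes_50pct_collision_GiB": bytes_for_probability(0.5, "aes") / 2.0 ** 30,
        "3des_sa_rekey_MiB": sa_byte_lifetime("3des") / 2.0 ** 20,
        "des_bruteforce_years": brute_force_years("des"),
        "3des_bruteforce_years": brute_force_years("3des"),
        "aes128_bruteforce_years": brute_force_years("aes-128"),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:28s} {value:.3g}")
```

With these figures a 3DES security association reaches a 50 % chance of a block collision after a few tens of gigabytes, so its byte lifetime on the concentrator belongs in the tens of megabytes, whereas an AES association needs no practical volume limit; that is the concrete reason for preferring AES where the licence and hardware allow it.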


The internal firewall shall be configured to allow traffic into the server farm only from the public mail server in the DMZ and from the VPN concentrator (i.e. the authentication traffic and the data passed once a session has been established); everything else is denied by default.
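The rule set described above, written out as an added example in Python (not part of the original document): a first-match packet filter with a default deny, the two explicit allow rules for the DMZ mail relay and the VPN concentrator, an allow for the address pool handed to authenticated remote users, and an anti-spoofing rule that rejects pool addresses arriving on any other interface (the IP spoofing threat listed below). All addresses, interface names and port numbers are assumptions, and the sample packets are constructed.

```python
"""First-match packet-filter policy for the internal firewall in front of the
server-farm VLAN.  Added example, not part of the original document: every
address, interface name and port below is an assumption, and SAMPLE_PACKETS
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    in_iface: str          # interface the packet arrives on, or "*" for any
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None for any


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int


SERVER_FARM = "10.0.2.0/24"          # assumed Server Farm VLAN
ALBERTO = "10.0.2.20/32"             # assumed address of the internal mail server
JUAN = "10.0.2.10/32"                # assumed address of the directory / RADIUS host
DMZ_MAIL_RELAY = "192.0.2.10/32"     # assumed DMZ mail server
VPN_CONCENTRATOR = "192.0.2.20/32"   # assumed concentrator address
VPN_POOL = "10.0.9.0/24"             # assumed pool given to authenticated users
ANY = "0.0.0.0/0"

POLICY: List[Rule] = [
    # Scanned mail from the DMZ relay to Alberto, SMTP only.
    Rule("allow", "dmz", DMZ_MAIL_RELAY, ALBERTO, "tcp", 25),
    # Concentrator -> RADIUS (UDP 1812) on the directory host: authentication.
    Rule("allow", "dmz", VPN_CONCENTRATOR, JUAN, "udp", 1812),
    # Decrypted traffic of authenticated users reaches the farm only via the
    # concentrator's inside leg (the "vpn" interface).
    Rule("allow", "vpn", VPN_POOL, SERVER_FARM, "any", None),
    # Anti-spoofing: a pool source address on any other interface is forged.
    Rule("deny", "*", VPN_POOL, ANY, "any", None),
    # Default deny: everything not explicitly allowed above.
    Rule("deny", "*", ANY, ANY, "any", None),
]


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, index of the first matching rule).  If the list is
    exhausted the packet is still denied (index -1): the policy is
    default-deny even without the explicit final rule."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for index, rule in enumerate(policy):
        if rule.in_iface not in ("*", pkt.in_iface):
            continue
        if src not in ipaddress.ip_network(rule.src):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.proto not in ("any", pkt.proto):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action, index
    return "deny", -1


# Constructed sample traffic: (description, packet).
SAMPLE_PACKETS = [
    ("relay delivers mail to Alberto", Packet("dmz", "192.0.2.10", "10.0.2.20", "tcp", 25)),
    ("relay tries SMB on Alberto", Packet("dmz", "192.0.2.10", "10.0.2.20", "tcp", 445)),
    ("concentrator RADIUS request", Packet("dmz", "192.0.2.20", "10.0.2.10", "udp", 1812)),
    ("remote user queries Giorgio", Packet("vpn", "10.0.9.7", "10.0.2.30", "tcp", 1433)),
    ("spoofed pool address from DMZ", Packet("dmz", "10.0.9.7", "10.0.2.30", "tcp", 1433)),
    ("Internet host to the farm", Packet("outside", "203.0.113.5", "10.0.2.30", "tcp", 1433)),
]


def audit(policy: List[Rule] = POLICY) -> dict:
    """Map each sample description to the (action, rule index) it receives."""
    return {name: evaluate(policy, pkt) for name, pkt in SAMPLE_PACKETS}


if __name__ == "__main__":
    for name, (action, index) in audit().items():
        print(f"{action:5s} rule {index:2d}  {name}")
```

The order matters: the pool allow is bound to the concentrator’s inside interface, so the same source range seen on the DMZ or outside interface falls through to the anti-spoofing deny rather than being trusted.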

Electronic mail

E-mail within the company’s LAN is handled by the e-mail server on Alberto. E-mail received on this server addressed to mailboxes within the company’s LAN is delivered to those mailboxes. E-mail addressed to other addresses is forwarded to the mail server of the Internet Service Provider used by the company.

E-mail from outside the company’s LAN is received on a second e-mail server that is not connected directly to the company’s LAN but placed in a Demilitarized Zone (DMZ), where it is scanned for viruses and spam using appropriate software and then automatically forwarded to the e-mail server within the company’s LAN. Once the data has been transferred into the LAN, the e-mails are erased permanently from the e-mail server in the DMZ. This server shall also be configured to accept inbound mail only for the company’s own domain, so that it cannot be abused as an open relay for the spam described below.

This option shall entail the procurement of:

1. A server with disks supporting RAID level 1 (mirroring), in line with current practice, together with backup hardware and backup management software;
2. Installation of the operating system, e-mail server software, anti-virus and spam-filtering software, including software licences;
3. Setup and configuration of the network connection to the company’s network;
4. Configuration of the e-mail server within the DMZ to relay e-mails to the server within the internal network;
5. Testing for connectivity and security before the end-user testing within the project plan;
6. Maintenance and support agreements for the above.

Presentations

Presentations are given by sales staff and management from time to time. A number of overhead projectors are held at the company’s premises, to be used by senior sales staff to carry out presentations when required. This is particularly useful when meeting corporate customers or carrying out presentations to students.

Ten projectors and the appropriate software licences shall be purchased and held at Head Office. When presentations are to be given, staff are to contact the IT Department for the use of a projector and installation of the software needed to display presentations.


Common security threats and the impact on the business

Common network threats include:

•  Packet sniffers. A packet sniffer is a legitimate management tool that can be abused by hackers to capture data transmitted over a network, such as usernames and passwords.

•  IP spoofing. An IP spoofing attack occurs when a hacker inside or outside a network impersonates a trusted computer to gain access to network information.

•  Denial of service. Perhaps the most widely publicized form of attack, denial of service can be initiated using programs that are freely available for download on the Internet. These attacks focus on making a service unavailable for normal use, often by exhausting a resource on the network, operating system or application.

•  Spam. Another growing threat to network operations is spam, or unsolicited mass e-mail, which slows mail servers, overruns storage space and reduces user productivity by clogging individual mailboxes.

•  Man-in-the-middle attack. A man-in-the-middle attack is initiated by hackers who have access to network packets that move across a wired or wireless network. During this attack, hackers hijack a network session to gain access to private network resources, steal information, or analyze traffic to learn about a network and its users.

•  Viruses, Trojan horses and worms. End-user PCs and workstations are especially vulnerable to viruses and Trojan horse attacks. Viruses are malicious software code attached to another program to execute an unwanted function on a user’s PC. Trojan horses are similar to viruses, but disguise the application to look like something else. Worms are malicious programs that replicate themselves.

•  Hypertext Transfer Protocol (HTTP) exploits. HTTP attacks use a Web server application to perform malicious activities by exploiting the relatively open access to company Web servers. If attackers can take control of the Web server, they can access resources that would otherwise be unavailable.

•  Application layer attacks. Hackers can initiate application layer attacks using several different methods. One of the most common is exploiting well-known weaknesses in software commonly found on servers, such as sendmail, HTTP and File Transfer Protocol (FTP) daemons, to gain access to a computer with a high level of administrative access.

Network security breaches can be devastating, causing significant loss of revenue, productivity and business, not to mention the expense involved in repairing the damage. Small organizations are especially vulnerable because they often lack the staff and budget needed to respond effectively to a security breach. The impact on businesses can be significant, including:

•  Loss of customer revenue. When a customer attempts to access resources on the company’s Web site only to find that it has been hacked, they will likely take their business elsewhere.

•  Loss of customer confidence. Customers are understandably reluctant to share private information with a company that cannot protect it.

•  Liability due to fraud. Credit card fraud has become increasingly prevalent. Customers who use a credit card to purchase goods or services on an e-commerce site are entrusting the company with confidential information. Fraud and identity theft due to network breaches expose the organization to liability risks that can threaten its very survival.


     

Figure 2 - Remote connection overview (server names are not used in this diagram, for illustration purposes).


Benefits and weaknesses of telecommuting

Improvements in technology improve employee productivity, create operational efficiencies and reduce costs. Teleworking allows workers to keep in touch with the company and, at the same time, perform their duties on a more flexible schedule.

Benefits for the company

1. Reduced cost. Employees can focus on more strategic tasks that generate revenue. Information is updated in real time, and putting the ability to execute transactions (e.g. quotes, looking up customer information, querying the central database) into the hands of the employees who initiate them reduces the need for intermediary personnel. This way organizations can scale rapidly while keeping the growth rate of support staff much lower than that of the overall workforce and business. For example, a salesman does not need to call up head office in order to check queries raised by the customer on existing policies. E-mail is a relatively inexpensive and effective way to communicate, given the amount of communication that goes through the business on a daily basis. Employers can also save on space and lighting at the head office.

2. Empowered employees. Employees can use the Internet to get timely, accurate information on demand, regardless of their location, with the use of scheduling software available on the market. Employees who are empowered with information, guidelines, key metrics and decision-making responsibility can react dynamically. In customer-facing roles, for example, empowered employees can dramatically improve the quality of customer interaction by promptly and knowledgeably addressing issues, rather than handing tasks and decisions off to a superior.

3. Improved productivity. Transactions can be effected at source, without having to consult other departments. Less paperwork is involved due to the availability of soft copies of documents, online forms, etc. Transfer of data is faster and more secure than relying on the employee handing in all the required documents when he goes to the office. Transactions are more accurate since there is less chance of documents going missing ‘along the way’ or of information being copied incorrectly, especially with regard to handwritten forms.

4. Improved work conditions. In addition to being an incentive for new employees, skilled employees can be retained by offering them more flexible conditions, including telecommuting.

Drawbacks for the company

1. Maintenance issues. Installing and configuring equipment in remote locations can be cumbersome and expensive. On the other hand, support can be given remotely by support staff, and users can be trained to give a support helpdesk enough information to enable it to provide a first line of support. Anyone working at home would need some ability to deal with equipment faults and minor software problems.


2. Employer-employee relationship. Existing managers may resist moves towards telecommuting for fear that their positions may become redundant, or that they cannot monitor the time spent by employees while working. Remote workers have to be able to motivate themselves to work without supervision. Although technical controls can be configured to limit this, the company still relies on the employees’ personal responsibility not to abuse the company’s assets to their personal advantage. This includes the use of the equipment provided and of communication lines (Internet, GPRS connection) for personal purposes (which could be acceptable if used reasonably). The company should issue proper guidelines and monitor the employees whose usage falls outside the established parameters. Preferably, employees are advised of such restrictions in advance, since this would achieve some level of self-discipline.

Benefits for employees

1. Less travelling time. Employees do not have to travel every day to go to work, leaving more time to meet customers, report to the company and pursue their personal interests. This would be greatly appreciated by employees residing, or wishing to reside and work, in Gozo, who would otherwise incur the expense of travelling by ship every day.

2. Flexibility. Work can be organized in a flexible manner, as long as the performance standards are met. Work activities can be fitted around the employees’ other activities. For example, one can start working after taking the children to school and doing the household chores.

Drawbacks for employees

1. Less time to socialize. Employees spend less time socializing with their colleagues at coffee breaks or during office hours, and may feel detached from the company from a social point of view. The company may organize regular social activities to enable employees to get together outside the office, such as sports activities, dinners and competitions. It is also useful to spend some time at the office, say every week or when meetings are held; this provides an opportunity to make informal suggestions and bounce ideas off people.

2. Isolation. Isolated employees may be exploited, or fear they are exploited, in an environment where they cannot easily get support from co-workers or unions.

3. Space and security. It is necessary to have space available at home to set up the computer. For security reasons the employee has to ensure that the equipment is physically secure and is used properly, to avoid information being lost, stolen or disclosed to unauthorized persons. Appropriate training will guide employees in the proper usage of equipment and software.


Trade Union Issues

In view of issues that may arise with the workers’ trade unions, the following guidelines are recommended by the MSF Information Technology Professionals Association (UK):

1. Teleworkers should be employees of an enterprise and not deemed self-employed.
2. To avoid isolation, contracts of employment should require home workers to periodically attend the office.
3. There should be a separate room available at home for teleworking, a separate telephone and payment for additional costs such as heating and lighting.
4. There should be regular meetings between teleworkers, and the provision of electronic mail and telephone links with other teleworkers, all to be provided at the employer’s expense.
5. There should be regular weekly liaison discussions between a teleworker and his or her supervisor / manager.
6. Teleworkers should enjoy the same rates of pay and employment benefits as office-based workers, including child care provision and family leave. There should be a defined number of working hours. They should be included in career development and appraisal schemes, including training opportunities.
7. All computer equipment should be provided, paid for and serviced by the employer, who will be responsible for installation, maintenance, insurance and compliance with health and safety requirements. The employer should also accept legal responsibility for any accident or injury.
8. Teleworkers should have access to trade union representation and be able to attend meetings within working hours. Health and safety advisors and trade union representatives should be able to visit teleworkers.
9. Telecommuting should be voluntary, with a right to return to working from the office.


    Budgeted costs 

    Costs are expected to include substantial capital investment as well as recurrent expenditure, especially with regards connbe in place to keep costs at a minimum, particularly where the company is charged on the usage as in the case of the GPR

Budgeted expense with current sales force

Description | Recurrent expenditure | Note | Qty | Unit | Currency quoted | Cost per unit

Servers
E-mail server: IBM X-Series 346 | | 7 | 1 | pcs | USD | 16,136.0
Firewall server: IBM X-Series 346 | | 7 | 1 | pcs | USD | 16,136.0
Installation and configuration (including software) | | 9 | 24 | man-hours | |
Maintenance and support (10%) | Yes | 10 | | | |
Sub-total | | | | | |

     


     

Connectivity
GPRS access fee (annual) | Yes | | 156 | users | MTL | 60.0
Mobile Connect Card (GPRS connection for laptops) | | 8 | 60 | users | MTL | 93.0
GPRS connection - PDA users | Yes | 3 | 156 | users | MTL | 504.0
GPRS connection - laptop users | Yes | 11 | 60 | users | MTL | 42.0
ADSL Internet connection (512 Kb download / 128 Kb upload) | Yes | | 60 | users | MTL | 378.0
Installation charges | | 5 | 60 | users | MTL | 50.0
Modem deposit (refundable) | | 4 | 60 | users | MTL | 50.0
Installation and configuration | | 9, 13 | 66 | laptops | | 2 man-hours
Maintenance and support | Yes | | | | |
Sub-total | | | | | |

     


Description | Recurrent expenditure | Note | Qty | Unit | Currency quoted | Cost per unit

Networking equipment
Cisco PIX 515E Security Appliance including chassis, restricted licence, software, 3 10/100 interfaces, 64 MB RAM, 10 desktop and 1 server licence of Cisco Security Agent, CiscoWorks VMS Basic, Failover Active/Active software licence, encryption licence (168-bit 3DES) | | 8 | 2 | pcs | USD | 4,591.0
Ethernet cabling and sockets | | 8 | 1000 | mtrs | |
Installation and configuration | | 9 | 80 | man-hours | |
Maintenance and support | Yes | 10 | | | |
Sub-total | | | | | |

     

  • 8/20/2019 Remote Working System Project.pdf

    17/50

    Written by Jonathan Camilleri

     Budgeted expense with current sales force

    Description Recurrentexpenditure

    Note Qty Unit Currencyquoted

    Cost perunit

    Connectivity

    GPRS Access fee (annual) Yes 156 users MTL 60.0Mobile Connect Card (GPRS connection

    for laptops) 8 60 users MTL 93.0GPRS Connection - PDA users Yes 3, 19 156 users MTL 504.0GPRS Connection - Laptop users

    Yes 11, 19 60 users MTL 42.0

     ADSL Internet Connection

    (512Kb download / 128 Kb upload) Yes 19 60 users MTL 378.0Installation charges 5 60 users MTL 50.0Modem deposit (refundable) 4 60 users MTL 50.0

    Installation and configuration9, 13 66 laptops

    2 man-hours

    Maintenance and support Yes

    Sub-total

  • 8/20/2019 Remote Working System Project.pdf

    18/50

    Written by Jonathan Camilleri

     Budgeted expense with current sales force

    Description Recurrentexpenditure

    Note Qty Unit Currencyquoted

    Cost perunit

    Client equipment and software

    Dell Inspiron 1150

    Microsoft Office 2003 including Word,

    Excel and Outlook.Norton Internet Security 2005 - 15 month see note 16Dell All-in-one Inkjet 922C Printer

    30 day Online Security Training

    Standard support package and coveragainst accidents Yes1 Year Collect and Return Warranty 13, 14 66 pcs GBP 709.0

     ADSL Modem (provided by ISP) 15 66 pcs MTL 0.0

    HP iPAQ H6340 170 pcs MTL 315.0

    Epson Powerlite S1 projectors 10 pcs USD 899.0Microsoft Powerpoint 2003 10 licenses USD 162.9

    Cisco VPN 3000 Client Software - Laptops 66 licenses USD 37.9

  • 8/20/2019 Remote Working System Project.pdf

    19/50

    Written by Jonathan Camilleri

    Description Recurrentexpenditure

    Note Qty Unit Currencyquoted

    Cost perunit

     AnthaVPN v5.0 VPN Client - PDAs 18 170 licenses USD 69.0Client for accessing database 236 licenses MTL 15.0

    Installation and configuration9 80

    man-hours MTL 5.0

    Training 9 40 hours MTL 5.0Testing

    9 120man-hours MTL 5.0

    Maintenance and support Yes 10

    Sub-total

     

  • 8/20/2019 Remote Working System Project.pdf

    20/50

    Written by Jonathan Camilleri

     Budgeted expense with current sales force

    Description Recurrentexpenditure

    Note Qty Unit Currencyquoted

    Cost perunit

    Network and Security ManagementSoftware

    Checkpoint Express C1 Firewall software(up to 500 users) 1 licenses USD 15,000.0

    Checkpoint Express Update and Supportpack (up to 500 users) Yes 1 licenses USD 6,750.0

    Installation and configuration200

    man-hours 5.0

    Maintenance and support 10,17

    Sub-total

    Total MTL


    Notes and assumptions

    1. Prices quoted are indicative and have been included for budgeting purposes.

    2. Prices originally quoted in foreign currency are converted to local currency at a nominal exchange rate.

    3. PDA users shall use the GPRS connection daily, whilst laptop users shall use the GPRS connection when an Internet connection is not available.

    Table 3 - GPRS usage (size)

    GPRS usage per user | PDA users | Laptop users | Mb per week
    Electronic mail | | | 2
    Company's core system (queries) | | | 3
    Browsing the Internet and other | | | 16
    Number of weeks in a year | | | 52
    Expected download through GPRS connection (yearly) | 312 | 150 |

    •  Connection charge (post-paid) is Lm 2 per Mb transferred.

    •  GPRS connection reaches typical speeds of 40Kbps, up to 45Kbps.

    •  Monthly service charge is Lm 5 per month, if payable by Direct Debit Mandate, and includes a bundle of 5Mb.

    4. ADSL Modem deposit is refundable upon termination of service.

    5. This charge may be waived if the company negotiates the possibility of doing the installations using its own technical resources. Prices and fees have not yet been negotiated in view of bulk purchasing.

    6. Recurrent annual expenditure expected.

    7. Unless a maintenance agreement is negotiated to cover the risk, it is calculated that failover equipment will be purchased.

    8. Price to be confirmed by supplier.

    9. Approximate cost per man-hour is calculated at Lm 5 per hour during normal working hours and does not include second line of support. A working week is calculated to have 40 working hours.

    10. Maintenance and support calculated as 10% of hardware purchase price. Quotes still to be confirmed by supplier.

    11. Connection charge for Mobile Connect Card under 'Everyday Plan' is Lm 7.50 monthly, including 10Mb and Lm 0.70 per Mb of data.

    12. Delivery within 2 to 4 weeks.

    13. Includes spare equipment for replacement.

    14. Included in ISP package (see Connectivity).

    15. Renewal of subscription will require extension of software license from Symantec.

    16. Support for Checkpoint software already included in purchase.

    17. First line of support provided by service providers.

    18. Tape cartridges, ink cartridges and other consumables will be required for these products.

    19. Static external IP addresses are to be purchased from the GPRS provider and ISP for security reasons.
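    The following is an added worked example, not part of the original project document, that reconciles the GPRS lines of the budget table with the tariffs given in notes 3 and 11: the annual access fee is twelve monthly charges, and the data charge is the yearly volume less the twelve monthly bundles, priced per Mb. It assumes usage is spread evenly over the year so that every monthly bundle is fully consumed (the same assumption the budget figures imply); tariff figures are those stated in the notes, user counts those of the budget table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tariff:
    """Post-paid GPRS tariff as described in the notes (Lm = Maltese lira)."""
    monthly_charge: float   # Lm per month, includes the bundle below
    bundle_mb: float        # Mb included in each monthly charge
    per_mb: float           # Lm per Mb transferred beyond the bundle


# Note 3: Lm 5 per month including 5 Mb, Lm 2 per Mb transferred.
PDA_TARIFF = Tariff(monthly_charge=5.0, bundle_mb=5.0, per_mb=2.0)
# Note 11: Mobile Connect Card 'Everyday Plan', Lm 7.50 monthly including 10 Mb, Lm 0.70 per Mb.
LAPTOP_TARIFF = Tariff(monthly_charge=7.5, bundle_mb=10.0, per_mb=0.70)


def annual_cost(tariff, yearly_mb, months=12):
    """Return (access fee, data charge) for one user over `months` months.

    Assumption: usage is even across the year, so the bundle of every month
    is used up and only the remainder is chargeable; a yearly volume below
    the summed bundles costs nothing beyond the access fee.
    """
    access_fee = tariff.monthly_charge * months
    chargeable_mb = max(0.0, yearly_mb - tariff.bundle_mb * months)
    return round(access_fee, 2), round(chargeable_mb * tariff.per_mb, 2)


def fleet_cost(tariff, yearly_mb, users):
    """Total annual GPRS spend for `users` users with identical usage."""
    fee, data = annual_cost(tariff, yearly_mb)
    return round((fee + data) * users, 2)


if __name__ == "__main__":
    # Table 3: 312 Mb per PDA user per year; budget table: 156 PDA users.
    print(annual_cost(PDA_TARIFF, 312))       # (60.0, 504.0): the two PDA lines of the budget
    print(fleet_cost(PDA_TARIFF, 312, 156))   # 87984.0 for the whole PDA fleet
    print(annual_cost(LAPTOP_TARIFF, 150))    # (90.0, 21.0) under the note 11 plan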

    Purchases for laptops are expected to increase in 2010 when the sales force is increased by 400. If the current scenario is kept, the total number of PDAs to be held in stock shall increase to 330, whilst the number of laptops shall increase to 170, including spare laptops held.


    Price variations in cost using current prices for installing remote connections as per Table 1 (pg. 3) would be as follows:

    Description | Approx. cost MTL | Increase / decrease in cost**
    Servers | | nc
    Networking Equipment | | nc
    Connectivity | 220,000 | 76% increase
    Client equipment and software | 194,000 | 79% increase
    Network and Security Management Software | | nc

    ** Compared to cost incurred with current sales force.

    Since computer equipment prices change continually it is difficult to predict the cost that will be incurred in five years' time; however, additional equipment, software and connectivity charges (wireless and Internet) shall be required for new remote teleworkers.


    Technical design and deployment

    The following diagram illustrates the setup proposed, including the specific products that will be used. For detailed technical specifications see Appendix A (page 35).

    Figure 3 - Network setup - product specifications (diagram). Components shown: Internet access via OnVol (ISP) and Vodafone Malta (mobile operator); remote clients: Dell Inspiron 1150 laptop roaming over a GPRS connection, Dell Inspiron 1150 laptop from home over an ADSL Modem, each with a Dell Inkjet 922C printer, and HP iPAQ H6340 PDAs over a GPRS connection; perimeter: Cisco 830 Series Router and Cisco PIX Security Appliance 515E (Firewall, VPN Server); DMZ Zone VLAN: IBM X Series 346 Public Mailserver and Checkpoint Express running on an IBM X Series 346 server; Head Office Internal Network: Switch, Server farm VLAN1 (SQL Server, SQL Server (failover), E-mail server, Web / Intranet server, File / Application server, Domain Controller, VPN Authentication Server) and Head Office Workstations VLAN2.


    VPN Overview

    A Virtual Private Network is a network that is connected to the Internet, but uses encryption to scramble all the data sent through the Internet so that the entire network is "virtually" private. Virtual Private Networking provides four critical functions to ensure security for data:

    •  Authentication. Ensuring that the data originates at the source that it claims.

    •  Access Control. Restricting unauthorized users from gaining admission to the network.

    •  Confidentiality. Preventing anyone from reading or copying data as it travels across the Internet.

    •  Data Integrity. Ensuring that nobody tampers with data as it travels across the Internet.

    Tunnelling allows senders to encapsulate data in IP packets that hide the underlying routing and switching infrastructure of the Internet from both senders and receivers. These encapsulated packets can be protected against 'snooping' by outsiders by encrypting the data transferred.

    IPSec Overview

    IPSec is often considered the best VPN solution for IP environments, as it includes strong security measures, particularly encryption, authentication and key management. Encryption is the process of altering data so that only the intended recipient can read or use it. The recipient of the encrypted data must have the proper decryption key and program to decipher the data back to its original form. Keys are also used to authenticate users and devices (PDAs and laptops) when connecting to the VPN Server.
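    The following is an added illustration, not code from the project or from any IPSec implementation, of what the two sections above describe: an inner packet addressed between private head-office and remote addresses is wrapped in an outer packet between the public tunnel endpoints, its body encrypted so the inner addresses and data are hidden, and an authentication tag lets the receiver detect tampering and reject packets from anyone who does not hold the key. The cipher is a stand-in (a keystream derived from HMAC-SHA256 in counter mode) chosen so the example runs with the Python standard library; the design itself uses 168-bit 3DES under IPSec. Addresses and keys are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

NONCE_LEN = 16   # per-packet nonce carried in clear in front of the ciphertext
TAG_LEN = 32     # HMAC-SHA256 authentication tag appended after it


@dataclass(frozen=True)
class Packet:
    src: str        # IP address as text
    dst: str
    payload: bytes


class TamperedPacket(Exception):
    """Raised when the tag does not verify; the receiver drops the packet."""


def _keystream(enc_key, nonce, length):
    # Stand-in cipher: HMAC-SHA256 in counter mode (illustration only, not 3DES/IPSec).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def encapsulate(inner, enc_key, mac_key, tunnel_src, tunnel_dst, nonce=None):
    """Wrap `inner` in an outer packet that travels between the public tunnel endpoints.

    Confidentiality: the inner addresses and payload travel only inside the
    encrypted body, so the public network sees tunnel_src -> tunnel_dst.
    Integrity and authentication: the tag over nonce + ciphertext can only be
    produced by a holder of mac_key and changes if any byte is altered.
    """
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    plaintext = f"{inner.src}>{inner.dst}|".encode() + inner.payload
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    return Packet(tunnel_src, tunnel_dst, nonce + ciphertext + tag)


def decapsulate(outer, enc_key, mac_key):
    """Verify the tag first; only a packet that verifies is decrypted and unwrapped."""
    body = outer.payload
    if len(body) < NONCE_LEN + TAG_LEN:
        raise TamperedPacket("truncated packet")
    nonce, ciphertext, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        raise TamperedPacket("integrity check failed")
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    header, _, payload = plaintext.partition(b"|")
    src, dst = header.decode().split(">")
    return Packet(src, dst, payload)


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    inner = Packet("10.0.2.15", "10.0.1.5", b"GET /intranet/policy HTTP/1.0")   # constructed
    outer = encapsulate(inner, enc_key, mac_key, "217.0.0.10", "193.0.0.5")     # constructed endpoints
    print(outer.src, "->", outer.dst, "carries", len(outer.payload), "opaque bytes")
    print(decapsulate(outer, enc_key, mac_key) == inner)
```

    The order of operations on the receiving side is the point worth keeping: the tag is checked before any decryption or parsing, so a packet altered in transit, or one produced without the shared key, is discarded without its contents ever being interpreted.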

    Client connection

    The user shall connect to the Internet through the Windows dial-up interface, and the VPN client shall be configured with the settings to connect to the corporate VPN server.

    Description | Comments

    Client IP Address: External IP address. | Assigned by the ISP when establishing the connection to the Internet. Static IP addresses can be used for clients to enable filtering of the authorized IP addresses on the VPN server.

    Server IP Address: vpn.garner.com.mt OR IP address allocated | External IP address of the VPN Server. This should have a static IP address since users will be authenticating through this connection. A fixed host, e.g. vpn.garner.com.mt, shall be used.

    Authentication | Digital Certificates shall be used to authenticate clients. These shall be installed and configured during the client setup.

    Encryption | Data shall be encrypted using 168-bit 3DES through the VPN tunnel established. Protocol for communication is IPSec.

    Firewall software shall be installed on the laptops. For the time being, the software bundled with the recommended hardware can be used during the evaluation.

    Split tunnelling shall be disabled, since the laptop computers are intended to be used to connect to the company network. Should the user be authorized to use the laptop on, say, his personal home network, it should only be used when disconnected from the company network.

    Figure 4 - Illustration of VPN Tunnel

    Server authentication and connection

    Connections from the Internet are filtered through the router and the external firewall.

    Internet Edge Firewall and VPN Authentication Server

    Cisco PIX 515E shall be set up as the firewall on the perimeter of the network, protecting the DMZ zone from the Internet.

    The firewall is intended for Small-to-Medium Business and Enterprise environments and provides up to 188 Mbps of firewall throughput with the ability to handle 125,000 simultaneous sessions. More economical models using similar technology provide up to 20 Mbps of firewall throughput and 16 Mbps of 3DES VPN throughput.

    Connections originating from remote clients are filtered by the firewall, which protects the internal network from external threats:

    •  Control over instant messaging, peer-to-peer file sharing and tunnelling applications to protect network bandwidth;

    •  Protection services from forms of attacks including denial-of-service (DoS), fragmented attacks, replay attacks, and malformed packet attacks.

    The device shall also be used to authenticate remote users, using the Windows Active Directory server as the authentication server. The user shall then be able to access the resources allocated to them.


    Internal IP addresses are masqueraded from the public network as an external IP address.

    Digital certificates can be revoked by the administrator if suspected to have been compromised. The user can then be given a new certificate in order to authenticate.
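    The admission decision the preceding sections describe, brought together in one place as an added example (not the project's PIX or Active Directory configuration): a tunnel request is accepted only if it arrives from one of the static client addresses bought for the remote users, presents a certificate the administrator has not revoked, names the account the certificate was issued to, and that account is enabled in the directory; only then are the user's allocated resources returned. The directory lookup, account names, addresses and certificate serials are constructed stand-ins.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ConnectionRequest:
    client_ip: str       # public address the tunnel request arrives from
    cert_serial: str     # serial number of the client certificate presented
    cert_subject: str    # account name the certificate was issued to
    username: str        # account the client claims to be


@dataclass
class VpnAdmission:
    # Static external addresses purchased for the remote users (note 19, client table)
    allowed_client_ips: set
    # Serials the administrator has revoked; a re-issued certificate carries a new serial
    revoked_serials: set = field(default_factory=set)
    # Constructed stand-in for the Active Directory lookup: account name -> enabled?
    directory: dict = field(default_factory=dict)
    # Resources each account may reach once admitted
    resources: dict = field(default_factory=dict)

    def revoke(self, serial):
        """Administrator action when a certificate is suspected compromised."""
        self.revoked_serials.add(serial)

    def admit(self, req):
        """Return (admitted, reason); every gate must pass, cheapest checks first."""
        if req.client_ip not in self.allowed_client_ips:
            return False, "source address not on the static allow-list"
        if req.cert_serial in self.revoked_serials:
            return False, "certificate revoked"
        if req.cert_subject != req.username:
            return False, "certificate subject does not match the claimed account"
        if not self.directory.get(req.username, False):
            return False, "account disabled or unknown in the directory"
        return True, "admitted"

    def resources_for(self, req):
        """Resources allocated to the user, or nothing if the request is not admitted."""
        admitted, _ = self.admit(req)
        return sorted(self.resources.get(req.username, ())) if admitted else []


if __name__ == "__main__":
    vpn = VpnAdmission(
        allowed_client_ips={"217.0.0.10"},                      # constructed
        directory={"remote.user1": True, "leaver": False},        # constructed
        resources={"remote.user1": {"core-system-db", "intranet"}},
    )
    req = ConnectionRequest("217.0.0.10", "0x1001", "remote.user1", "remote.user1")
    print(vpn.admit(req), vpn.resources_for(req))
    vpn.revoke("0x1001")                                          # certificate suspected compromised
    print(vpn.admit(req), vpn.resources_for(req))
```

    Revocation takes effect on the next connection attempt without touching the account itself, which is what lets the administrator issue the user a replacement certificate under a new serial while the old one stays blocked.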

    Public e-mail server

    The e-mail server within the Demilitarized Zone shall be configured for the following functions:

    •  Scanning of e-mail for viruses and filtering of 'spam' using Sendmail's scanning engines.

    •  Transmission of e-mail to external e-mail addresses. External refers to e-mails addressed to mailboxes that are not hosted on the company's internal e-mail server.

    •  Receiving of e-mails from external e-mail addresses. The public mail server shall be configured to relay e-mails addressed to e-mail addresses pertaining to the company's LAN (e.g. [email protected]) to the internal e-mail server. E-mails for other addresses, which are received from the company's internal e-mail addresses, are routed to the provider's e-mail server for transmission.

    Internal firewall

    Checkpoint Express (software) shall be used to accept connections coming only from devices on the DMZ Zone VLAN. It shall also allow VPN tunnel connections, which have been authenticated by the external firewall, to be made for the remote users to connect to the internal network. The purpose of using a different technology for the internal firewall is that one firewall may have bugs that would allow a malicious attacker to bypass the external firewall. The firewall protecting the internal network is an extra security layer to reduce this risk, since hackers are continually finding new ways of penetrating networks.

    Before Checkpoint is installed, the underlying OS must be secured to the highest security level possible, particularly by disabling unnecessary services and applying security patches regularly.

    The DMZ zone cannot contain anything the company cannot bear to lose, particularly critical business data. The purpose of establishing an 'island' is to be aware of attempted breaches of security before they reach the internal network.

    The firewall server shall be installed over Microsoft Windows Server 2003. Although the general trend is to go for Unix-based Operating Systems, such as Red Hat Linux, this Operating System is being recommended with a view to using the server for applications currently in use that use Windows-based technology.

    Most of the time, security measures and protection are a reactive measure rather than a proactive measure.
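    An added example, not the project's PIX or Checkpoint rule sets, of the two-layer filtering the Internal firewall section argues for: each layer is an ordered first-match rule list with a default deny; the inner layer accepts only traffic from the DMZ VLAN or from an authenticated VPN tunnel, so a connection that gets past the edge layer still has to satisfy the inner one. A deliberately permissive edge policy stands in for the "bug in one firewall" case. The address plan (LAN, DMZ VLAN and tunnel address pool) is constructed, as the project gives no addressing.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan
INTERNET = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # head office VLANs
DMZ_VLAN = ipaddress.ip_network("192.168.100.0/24")    # public mail server, Checkpoint host
VPN_POOL = ipaddress.ip_network("172.16.200.0/24")     # addresses assigned to remote users' tunnels


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    vpn_authenticated: bool = False   # set by the edge device once the client certificate checked out


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[frozenset] = None  # None means any destination port
    require_vpn: bool = False

    def matches(self, flow):
        s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
        return (s in self.src and d in self.dst
                and (self.ports is None or flow.dport in self.ports)
                and (not self.require_vpn or flow.vpn_authenticated))


def evaluate(rules, flow):
    """First matching rule wins; a flow that matches nothing is denied."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Edge device (the PIX in the design), facing the Internet
EDGE_RULES = (
    Rule("deny", INTERNAL, INTERNET),                       # anti-spoofing: LAN sources never arrive from outside
    Rule("allow", INTERNET, DMZ_VLAN, frozenset({25})),    # SMTP to the public mail server, nothing else
    Rule("allow", VPN_POOL, INTERNAL, require_vpn=True),   # decapsulated traffic from authenticated tunnels
)

# Internal device (Checkpoint Express in the design): only DMZ hosts and authenticated tunnels
INTERNAL_RULES = (
    Rule("allow", DMZ_VLAN, INTERNAL, frozenset({25})),    # relayed mail to the internal mail server
    Rule("allow", VPN_POOL, INTERNAL, require_vpn=True),   # remote users reaching internal resources
)

# A broken edge policy that lets everything through, standing in for a firewall bug
PERMISSIVE_EDGE = (Rule("allow", INTERNET, INTERNET),)


def end_to_end(flow, edge_rules=EDGE_RULES, internal_rules=INTERNAL_RULES):
    """Outside traffic must pass the edge and, if bound for the LAN, the internal firewall as well."""
    if evaluate(edge_rules, flow) != "allow":
        return "blocked at edge"
    if ipaddress.ip_address(flow.dst) in INTERNAL and evaluate(internal_rules, flow) != "allow":
        return "blocked at internal firewall"
    return "allowed"


if __name__ == "__main__":
    probe = Flow("198.51.100.20", "10.0.1.5", 445)                 # Internet host aiming at a LAN server
    print(end_to_end(probe))                                        # blocked at edge
    print(end_to_end(probe, edge_rules=PERMISSIVE_EDGE))            # blocked at internal firewall
    print(end_to_end(Flow("172.16.200.7", "10.0.1.5", 1433, vpn_authenticated=True)))   # allowed
```

    The last two calls are the argument of the section in miniature: with the edge policy replaced by one that allows everything, the same flow is still stopped by the inner layer because its source is neither a DMZ host nor an authenticated tunnel address.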

    Further recommendations

    Up to 10 network segments can be allocated to each user, and this provides the possibility of further splitting the internal network into separate VLANs for each department, e.g. VLAN2a for Motor Insurance, VLAN2b for Life Insurance, VLAN3 for Administration, VLAN4 for Network Management Staff, etc. This has the advantage of adding more internal security and improving network performance. Moreover, one of the PCs within the LAN could be used to store all the users' files (for that section) rather than a centralized server.

    Currently the business does not have a disaster recovery server (standby) for the File / Application server (Carlo) and Active Directory server (Juan) – see figure 1 on page 5. The server being purchased can possibly be used as a disaster recovery machine for these critical machines.


    Project plan

    Set-up and configuration of the remote working system, including selection of suppliers, installation of equipment and software and testing, should take less than four months within the proposed scenario.

    1. Project approval

    An overview of the project plan shall be delivered by the Network Manager to the company's senior management.

    Once the project is approved a Project Team is selected, and it is also decided whether external resources shall be required to assist the Network Team within the required timeframe.

    The Project Team shall consist of a number of persons from the following departments/sections, the number of people depending on the focus of the task in hand, as is being recommended:

    •  Project Coordinator

    •  IT (Hardware) Team

    •  IT (Software) Team

    •  IT Support Team

    •  Financing Department

    Budget and schedule for the resources required shall be monitored to ensure that the project is delivered on time and on budget.

    The Human Resources Department shall pre-advise the staff involved of the impending changes as soon as the project is approved, in order to gather feedback and liaise with the Project Team.

    Expected duration: 2 weeks

    2. Selection of suppliers – hardware

    Quotations from different suppliers shall be gathered for the hardware required. Current company policy recommends taking quotes from at least three distributors. The Project Team shall require mainly resources from the IT (Hardware) Team. The suppliers concerned shall be informed of the decision taken.

    Expected duration: 1 week

    3. Selection of software - suppliers and packages

    Quotations shall be gathered for the software packages required.

    Software bundled with hardware shall be discussed at this stage. The Project Team shall require mainly resources from the IS (Software) Team. The accepted supplier shall be informed of the decision taken.

    Expected duration: 1 week


    4. Purchasing orders for server and networking equipment

    Once a decision has been taken on the equipment to be purchased, the networking equipment shall be ordered according to the specifications gathered in the previous two tasks. This shall include ordering software related to the network connectivity and management (e.g. VPN Client and Server Software).

    The Project Team shall require resources from the IT (Hardware) Team, IS (Software) Team and mainly from the Financing Department with regards to accountability and budgeting. It should be noted that the capital expense involved is substantial.

    5. Purchasing orders for laptops and PDAs

    Laptops, PDAs and equipment to be attached to remote clients shall be ordered.

    The Project Team shall require resources from the IT (Hardware) Team, IS (Software) Team and mainly from the Financing Department.

    Expected duration: 1 week

    6. Negotiate and conclude agreements with ISP

    An Internet Service Provider shall be selected and arrangements made for the provision of Internet connectivity service for remote teleworkers. It may be appropriate to consider the current service agreement at this stage. The Project Team shall require resources from the Network Team and from the Financing Department.

    Expected duration: 1 week

    7. Negotiation of hardware and maintenance agreements

    Hardware maintenance agreements shall be reviewed and discussed with the providers. The Project Team shall require resources from the IT (Hardware) Team and from the Financing Department.

    Expected duration: 1 week

    8. Acceptance of client software for PDAs

    Client software for the company's core system should be tested and ideally accepted by the company at this stage. The Project Team shall require liaison with the developers or software support staff for the installation and configuration of the software. It is expected that sufficient technical documentation shall be provided to guide installation, configuration and first-hand troubleshooting without requiring third party intervention. Ideally, soft copies of the required documentation are made available to the IS/IT Department of the company.

    Expected duration: 2 – 3 days


    9. Equipment received and confirmed

    Servers and networking equipment are received, confirmed to comply with the specifications and quality checked.

    The Project Team shall require resources from the IT (Hardware) Team.

    Expected duration: 2-3 days.

    10. Laptops and PDAs received and confirmed

    Laptops, printers and PDAs are received, confirmed to comply with the specifications and quality checked. A sample check of the equipment that shall be used in the pilot testing should be appropriate for the scope.

    The Project Team shall require resources from the IT (Hardware) Team.

    Expected duration: 2-3 days.

    11. Installation and configuration of E-mail server

    This shall involve the installation of the Operating System, software applications and electronic mail server, and configuration and testing as a stand-alone server in the laboratory.

    The Project Team shall require resources from the IT (Hardware) Team and IS (Software) Team.

    Expected duration: 3-4 days.

    12. Laboratory setup of network equipment and preliminary testing

    Security Appliance (VPN Server), firewalls, networks and switches configured and initially tested at the laboratory.

    The Project Team shall require resources from the IT (Hardware) Team and the Network Team.

    Expected duration: 2 weeks.

    13. Installation and configuration of DMZ zone

    Demilitarized Zone set up, configured and initially tested. The network segment shall not be connected at this stage.

    The Project Team shall require resources from the Network Team.

    Expected duration: 1 week.


    14. Migration to new network setup

    Any critical issues relating to connectivity and security have to be solved before initiation of this stage. This includes connectivity to the Internet and configuration of the network equipment. Ideally this shall be done over a weekend, during non-operational hours, so as not to disrupt operations.

    Issues have to be dealt with in a way that keeps disconnection during operational hours to a minimum. Hence, this stage might require temporary solutions, with the actual solution discussed over the coming week and implemented over the next available weekend or non-working days.

    The Project Team shall require resources from the Network Team.

    Expected duration: 2 days.

    15. Pilot testing

    Installation of the Operating System (if required) or upgrades, VPN Client software, Client Software for the company's core system and office applications shall be done on a sample of 5 laptops and 5 PDAs. Testing shall include:

    •  Connectivity and acceptable traffic.

    •  Testing of all applications used by remote teleworkers.

    •  Testing of connectivity to network points at Head Office in order to synchronize off-line information.

    •  Penetration testing.

    •  Sample performance testing, especially at peak hours.

    The Project Team shall require resources from the IT (Hardware) Team, IT (Software) Team, Network Team, the Internet Service Provider, the Mobile Operator and users who shall carry out the testing and provide feedback to the Project Team, in order to move on to the next stage.

    Expected duration: 3 weeks.

    16. Software installation on clients

    Installation of all required software and configuration changes made to laptops, PDAs and servers and equipment on the network, including spare equipment to be held at the company's premises. Installation procedures and guidelines should be updated before this stage.

    Installation can be done by copying hard disk images from a standard set of clients with pre-installed software and configurations already set up, to make the process more efficient.

    The Project Team shall require resources from the IT (Software) Team and Network Team.

    Expected duration: 2 weeks.


    17. Training

    Laptops and PDAs can be distributed to the current remote workers and a short training course organized to introduce the new way of working to the employees. This shall include a briefing on connecting remotely, changes in working procedures and any changes in working conditions.

    IT Support Staff shall be given an overview of the changes implemented and supplemented with the necessary technical documentation.

    The Project Team shall require resources from the Human Resources Department, IT (Support) Team and obviously the users themselves.

    Expected duration: 1 week.

    18. Live

    Once the users are generally satisfied with the new setup, feedback shall be gathered from users and support staff, to be collated and included in the final report for management. It would be safe to plan an IS Audit at this stage.


    Timeline

    Figure 5 – Schedule (overview): Gantt chart of the following tasks over Weeks 1 to 10.

    Task
    1 Project approval by management
    2 Selection of suppliers - hardware
    3 Selection of software - suppliers and packages
    4 Purchasing orders for server and networking equipment
    5 Purchasing orders for laptops and PDAs
    6 Negotiate and conclude agreements with ISP and mobile operator
    7 Negotiation of hardware and maintenance agreements
    8 Acceptance of client software for PDAs
    9 Equipment received and confirmed
    10 Laptops and PDAs received and confirmed
    11 Installation and configuration of e-mail server
    12 Laboratory setup of network equipment and preliminary testing
    13 Installation and configuration of DMZ zone
    14 Migration to new network setup
    15 Pilot test
    16 Software installation on clients
    17 Training
    18 Live

    Activities legend: Managerial; Administrative / Technical; Technical; Administrative; Live.


    Responsibilities and duties

    The Network Manager is currently responsible for data and voice communication within the company and for communication between the company and external entities.

    Business and service management

    Communication technology supports the business in reducing the distance between various persons. The Network Manager takes an active part in the review of the IT/IS strategy and in implementing the approved proposals according to the allocated budget.

    Network Management and Security

    Currently the Network Team has the following objectives:

    •  Administration and allocation of network resources

    •  Monitoring and security of the internal network

    •  Securing the network from external and internal threats, including also physical threats.

    •  Collaboration with other departments, providing support where necessary.

    •  Liaison with IS/IT department and collaboration on technology related projects.

    The Network Manager is currently responsible for keeping the network up and running at a satisfactory level of performance, particularly during business hours. This is done through the use of appropriate Network Management Software to monitor and control the network, and through implementation, monitoring and review of the Security Policy to protect the information running over the network. In view of this implementation the Network Manager shall be responsible for the reliability and integrity of the connections made through the public network.

    Staff have to ensure that they comply with the policies and follow the guidelines issued from time to time by the IS/IT Department, including recommendations from the Networking Team.

    With the availability of remote connections, it has to be ensured that the network remains satisfactory outside business hours as well.

    The Network Manager also co-ordinates the Network Team in order to fulfil their objectives, providing leadership, support and guidance where required.

    Project management

    The project shall be monitored by the Network Manager or his delegate, and he shall take an active part in the project to gather and use the project resources.

    Decisions including choosing the appropriate suppliers and providers will require his input during the initial stages of the project, particularly with regards to network equipment and its maintenance, connectivity and security.

    Negotiation with suppliers of networking equipment and connectivity shall require his direct intervention in order to guide management to the most appropriate options available on the market. He shall liaise closely with other departments throughout this project in order to obtain the best possible package for the remote teleworking system.


    Conclusion and recommendations

    Consideration may be given to setting up a Web server within the DMZ zone, whilst keeping the Intranet server within the internal network. Given the substantial investment in security and network infrastructure, the company shall have greater control over the maintenance of the data.

    In view of current trends and proven cost-benefit savings from other business scenarios, management may consider the option of implementing VoIP to replace the current PABX technology.

    It is recommended that a review assessment is carried out six months after implementation to assess network performance, reliability and security, gather feedback from remote workers on the impact of this change on their lifestyle, and enable management to analyse the benefits gained by this scenario. This can be done by planning an IS Audit to support the Network Team in identifying possible weaknesses.


     Appendix A - Technical specifications

    IBM X Series 346

    Table 4 - IBM X Series 346 Technical Specifications

    Server / Client | Server
    Software / Hardware | Hardware
    Purpose | Servers on which firewall and public mailserver are to be installed. Specifications purchased allow for further uses of the server (see Further recommendations on previous page).
    Processors | Two Intel Xeon 2.8 GHz processors with 800 MHz front-side bus and 1 Mb L2 cache
    Memory | 1GB PC2-3200 (2 x 512 Mb) ECC DDR2 SDRAM RDIMM Kit
    Controller | Integrated Dual-Channel Ultra-320 SCSI Controller
    Diskette drive | IBM 1.44" 3.5" diskette drive
    Optical drive | IBM 8X DVD-ROM Ultrabay Slim Drive
    Ethernet | Dual integrated 10/100/1000 Mbps Ethernet
    System Management | System Management Processor
    Power Supply | 625 Watt Hot-Swap Power Supply
    Operating System | Windows Server 2003 Enterprise Edition
    Storage adapter | ServeRAID 7k controller
    Primary array (RAID level 1) | 36GB 15K U320 SCSI HS Option
    Secondary array (RAID level 1) | 36GB 15K U320 SCSI HS Option
    External Tape drive | IBM 160/320Gb SDLT Tape Drive
    Keyboard | IBM USB Keyboard with UltraNav – US English
    Uninterruptable Power Supply | APC 2U Smart UPS 1400 RMB
    Weight and dimensions | Weight 64 lbs; Height 3.36"; Width 17.5"; Depth 27.5"
    Features | Power-on password, privileged access password, selectable boot, unattended start-up.
    Support | 3 year Remote Technical Support for xSeries, IBM Director, Windows and Linux.

    (Source: IBM Corporation, USA)


Dell Inspiron 1150

Table 5 - Dell Inspiron 1150 Technical Specifications

Server / Client: Client
Software / Hardware: Hardware
Purpose: Laptop used by remote teleworkers.
Processor: Intel Celeron Processor 2.4 GHz
Display: 15" XGA
Support service: Standard Package Basic and cover against accidents. 30 Day Online Security Training.
USB / Parallel Cables: USB 2.0 Printer Cable
Memory: 512 MB 266 MHz DDR RAM (2 x 256 MB)
Hard drive: 40 GB (5400 rpm) Ultra ATA-100 Hard Drive
Optical drive: Fixed Internal 8x DVD Drive and software
Modem: Internal 56k v.92 Capable Fax Modem [1]
Network Interface: Integrated 10/100 Fast Ethernet Network Card [2]
Primary Battery: 8 Cell 65 Whr Li-Ion Primary Battery
Power supply: D-Series 65W AC Adapter
Keyboard: Dell keyboard with touchpad
Security Software: Norton Internet Security 2005, 15 month trial version.


Dell Printer 922

Table 6 - Dell Printer 922 Technical Specifications

Server / Client: Client
Software / Hardware: Hardware (peripheral)
Purpose: Printer used by laptop users.
Media Type: Transparencies, Photo Paper, Standard Paper, Card Stock, Labels.
Printer Type: Inkjet Color Printer
Depth: Operating: 17.5", Closed: 12.7"
Features: Dell Ink Management System™, Borderless printing
Height: Operating: 11.4", Closed: 6.6"
Weight: 10 lbs
Connectivity Technology: Cable
Dimensions (WxDxH): Operating: 17.2" x 17.5" x 11.4", Closed: 17.2" x 12.7" x 6.6"
Max Speed: Monochrome: Up to 19 ppm, Color: Up to 14 ppm
Media Feeder(s): 100 pages
Operating System: Microsoft® Windows® 2000/XP
Support: 1-Year Advanced Exchange Service; 1-Year 24x7 toll-free tech support
Included: Power Adapter, Standard Capacity Color Cartridge, Standard Capacity Monochrome Cartridge, Placemat, Sample Dell™ Premium Photo Paper Pack, Owner's manual, Consumables Recycle/Return Plastic Bag, Hardware Recycle Program Label.
Max Resolution Color: 4800x1200 dpi


Port(s) Total (Free) / Connector Type: USB
Total Media Capacity: Input Tray: 100 pages, Output Tray: 50 pages
Copying Speed: Monochrome: Up to 12 cpm, Color: Up to 8 cpm

(Source: Dell, United Kingdom)


Cisco PIX 515E Security Appliance

Table 7 - Cisco PIX 515E Technical Specifications

Server / Client: Server
Software / Hardware: Hardware
Purpose: Internet edge firewall. The appliance includes software for managing and configuring security and accounting.

Features and benefits:

Reliable and Expandable Security Appliance

Purpose-Built Security Appliance
• Uses a proprietary, hardened operating system that eliminates the security risks associated with general-purpose operating systems
• Combines Cisco product quality with no moving parts to provide a highly reliable security platform

Fast Ethernet Expansion Options
• Supports easy installation of additional network interfaces via two PCI expansion slots
• Supports expansion cards including single-port Fast Ethernet and four-port Fast Ethernet cards

Hardware VPN Acceleration
• Delivers high speed VPN services through the addition of either a VPN Accelerator Card (VAC) or a VPN Accelerator Card+ (VAC+). Unrestricted (UR), Failover (FO) and Failover-Active/Active (FO-AA) models have integrated hardware VPN acceleration services

Integration with Leading Third-Party Solutions
• Supports the broad range of Cisco Technology Developer partner solutions that provide URL filtering, content filtering, virus protection, scalable remote management, and more

Industry Certifications and Evaluations
• Earned numerous leading industry certifications and evaluations, including:
  – Common Criteria Evaluated Assurance Level 4 (EAL4)
  – ICSA Labs Firewall 4.0 Certification, Corporate RSSP Category
  – Network Equipment Building Standards (NEBS) Level-3 Compliant


Advanced Firewall Services

Stateful Inspection Firewall
• Provides a wide range of perimeter network security services to prevent unauthorized network access
• Delivers robust stateful inspection firewall services which track the state of all network communications
• Provides flexible access-control capabilities for more than 100 predefined applications, services, and protocols, with the ability to define custom applications and services
• Supports inbound/outbound ACLs for interfaces, time-based ACLs, and per-user/per-group policies for improved control over network and application usage
• Simplifies management of security policies by giving administrators the ability to create re-usable network and service object groups that can be referenced by multiple security policies, simplifying initial policy definition and ongoing policy maintenance

Advanced Application and Protocol Inspection
• Integrates 30 specialized inspection engines that provide rich application control and security services for protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Extended Simple Mail Transfer Protocol (ESMTP), Domain Name System (DNS), Simple Network Management Protocol (SNMP), Internet Control Message Protocol (ICMP), SQL*Net, Network File System (NFS), H.323 Versions 1-4, Session Initiation Protocol (SIP), Cisco Skinny Client Control Protocol (SCCP), Real-Time Streaming Protocol (RTSP), GPRS Tunneling Protocol (GTP), Internet Locator Service (ILS), Sun Remote Procedure Call (RPC), and many more

Modular Policy Framework
• Provides a powerful, highly flexible framework for defining flow- or class-based policies, enabling administrators to identify a network flow or class based on a variety of conditions, and then apply a set of customizable services to each flow/class
• Improves control over applications by introducing the ability to have flow- or class-specific firewall/inspection policies, QoS policies, connection limits, connection timers, and more

Security Contexts
• Enables creation of multiple security contexts (virtual firewalls) within a single Cisco PIX Security Appliance, with each context having its own set of security policies, logical interfaces, and administrative domain
• Supports one licensed level of security contexts: 5 (maximum number of security contexts supported based on model of Cisco PIX Security Appliance)
• Provides businesses a convenient way of consolidating multiple firewalls into a single physical appliance or failover pair, yet retaining the ability to manage each of these virtual instances separately
• Enables service providers to deliver resilient multi-tenant firewall services with a pair of redundant appliances

Layer 2 Transparent Firewall
• Supports deployment of a Cisco PIX Security Appliance in a secure Layer 2 bridging mode, providing rich Layer 2-7 firewall security services for the protected network while remaining "invisible" to devices on each side of it
• Simplifies Cisco PIX Security Appliance deployments in existing network environments by not requiring businesses to re-address the protected networks
• Supports creation of Layer 2 security perimeters by enforcing administrator-defined Ethertype-based access control policies for Layer 2 network traffic


Multi-Vector Attack Protection
• Provides a wealth of advanced attack protection services to defend businesses from many popular forms of attacks, including denial-of-service (DoS) attacks, fragmented attacks, replay attacks, and malformed packet attacks
• Delivers advanced TCP stream reassembly and traffic normalization services to assist in detecting hidden application and protocol layer attacks
• Integrates with Cisco Network Intrusion Prevention System (IPS) solutions to identify and dynamically block or shun hostile network nodes

Authentication, Authorization, and Accounting (AAA) Support
• Integrates with popular AAA services via TACACS+ and RADIUS, with support for redundant servers for increased AAA services resiliency
• Provides highly flexible user and administrator authentication services, dynamic per-user/per-group policies, and administrator privilege control through tight integration with Cisco Secure Access Control Server (ACS)

Robust IPSec VPN Services

Cisco Easy VPN Server [1]
• Delivers feature-rich remote access VPN concentrator services for up to 2000 remote software- or hardware-based VPN clients
• Pushes VPN policy dynamically to Cisco Easy VPN Remote-enabled solutions (such as the Cisco VPN Client) upon connection, helping to ensure that the latest corporate VPN security policies are used
• Performs VPN client security posture checks when a VPN connection attempt is received, including enforcing usage of authorized host-based security products (such as the Cisco Security Agent) and verifying its version number and status prior to letting the remote user access the corporate network
• Provides administrators precise control over what different types of VPN clients (software client, router, VPN 3002, and PIX) are allowed to connect based on type of client, operating system installed, and version of VPN client software
• Supports automatic software updates of Cisco VPN Clients and Cisco 3002 Hardware VPN Clients, with the ability to trigger updates when VPN connections are established, or on-demand for currently connected VPN clients
• Extends VPN reach into environments using NAT or Port Address Translation (PAT), via support of a variety of TCP and UDP-based NAT traversal methods including the Internet Engineering Task Force (IETF) draft standard

Cisco VPN Client
• Includes a free unlimited license for the highly acclaimed, industry-leading Cisco VPN Client
• Available on a wide range of platforms including Microsoft Windows 98, ME, NT, 2000, XP; Sun Solaris; Intel-based Linux distributions; and Apple Macintosh OS X
• Provides many innovative features including dynamic security policy downloading from Cisco Easy VPN Server-enabled products, automatic failover to backup Easy VPN Servers, administrator-customizable distributions, and more
• Integrates with the award-winning Cisco Security Agent (CSA) for comprehensive endpoint security


Native Integration with Popular User Authentication Services
• Provides a convenient method for authenticating VPN users through native integration with popular authentication services including Microsoft Active Directory, Microsoft Windows Domains, Kerberos, LDAP, and RSA SecurID (without requiring a separate RADIUS/TACACS+ server to act as an intermediary)

X.509 Certificate and CRL Support
• Supports Simple Certificate Enrollment Protocol (SCEP)-based enrollment and manual enrollment with leading X.509 solutions from Baltimore, Cisco, Entrust, iPlanet/Netscape, Microsoft, RSA, and VeriSign
• Interoperates with large-scale Public Key Infrastructure (PKI) deployments through n-tiered certificate hierarchy support

Resilient Architecture

Active/Active and Active/Standby Stateful Failover
• Ensures resilient network protection for businesses through the award-winning high availability services provided by certain models of Cisco PIX 515E Security Appliances
• Supports Active/Standby failover services as a cost-effective high availability solution, where one failover pair member operates in hot-standby mode acting as a complete redundant system that maintains current session state information for the active unit
• Delivers advanced Active/Active failover services where both Cisco PIX Security Appliances in a failover pair actively pass network traffic simultaneously and share state information bi-directionally, enabling support for asymmetric routing environments and effectively doubling the throughput of the failover pair for bursty network traffic conditions
• Supports long-distance failover enabling geographic separation of failover pair members, providing another layer of protection

VPN Stateful Failover
• Maximizes VPN connection uptime with new Active/Standby stateful failover for VPN connections
• Synchronizes all security association (SA) state information and session key material between failover pair members, providing a highly resilient VPN solution
This feature is available on Unrestricted (UR), Failover (FO), and Failover-Active/Active (FO-AA) models only.

Zero-Downtime Software Upgrades
• Enables businesses to perform software maintenance release upgrades on Cisco PIX Security Appliance failover pairs without impacting network uptime or connections through the support of state-sharing between mixed Cisco PIX Security Appliance Software versions (running version 7.0(1) or higher)

Intelligent Networking Services

VLAN-Based Virtual Interfaces
• Provides increased flexibility when defining security policies and eases overall integration into switched network environments by supporting the creation of logical interfaces based on IEEE 802.1q VLAN tags, and the creation of security policies based on these virtual interfaces
• Supports multiple virtual interfaces on a single physical interface through VLAN trunking, with support for multiple VLAN trunks per Cisco PIX Security Appliance
• Supports up to 25 total VLANs on Cisco PIX 515E Security Appliances

QoS Services
• Delivers per-flow, policy-based QoS services, with support for LLQ and traffic policing for prioritizing latency-sensitive network traffic and limiting bandwidth usage of administrator-specified applications
• Enables businesses to have end-to-end QoS policies for their extended network


(monitoring only, read-only access to configuration, VPN administrator, firewall/NAT administrator, etc.)
• Uses either the internal administrator database or outside sources via TACACS+, such as Cisco Secure ACS

SNMP and Syslog Support
• Provides remote monitoring and logging capabilities, with integration into Cisco and third-party management applications
• Supports Cisco IPSec Flow Monitoring SNMP MIB, providing a wealth of VPN flow statistics including tunnel uptime, bytes/packets transferred, and more

(Source: Cisco PIX 515E Security Appliance Data Sheet)

Notes
1. AnthaVPN Client v5.0 supports Cisco products, as confirmed by Worldnet21, supplier and reseller for AnthaSoft.


Cisco VPN Client

Figure 6 - Cisco VPN Client logon screen

Server / Client: Client
Software / Hardware: Software
Purpose: VPN Client installed on laptops

Features and description:

Operating System: Windows 98, Windows NT, Windows ME, Windows 2000, Windows XP
Connection types:
• async serial PPP
• Internet-attached Ethernet
Protocol: IP
Tunnel protocol: IPSec

Windows NT features:

Password expiration information: Password expiration information when authenticating through a RADIUS server that references an NT user database. When you log in, the VPN Concentrator sends a message that your password has expired and asks you to enter a new one and then confirm it. On a Release 3.5 or higher VPN Client, the prompt asks you to enter and verify a password.
Start before logon: The ability to establish a VPN connection before logging on to a Windows NT platform, which includes Windows NT 4.0, Windows 2000, and Windows XP systems.
Automatic VPN disconnect on logoff: The ability to enable or disable automatic disconnect when logging off a Windows NT platform. Disabling this feature allows for roaming profile synchronization.

(Source: Cisco VPN Client User Guide.)


Check Point Express

Server / Client: Server
Software / Hardware: Software
Purpose: Internal network firewall software.

The Check Point software package includes:

VPN-1 Express gateway: Protection for business communications over the Internet using VPN technology.
VPN-1 SecureRemote: Protection for remote access VPN users. This feature will not be used since the Cisco VPN client shall be used for clients.
FireWall-1: Market leading, enterprise-class security. FireWall-1 supports more than 150 pre-defined applications, services and protocols.
SmartDefense: Integrated network and application-level attack protection. Actively protects organizations from known and unknown network and application-level attacks, using Stateful Inspection and Application Intelligence™.
SmartCenter: Centralized management for all aspects of security.

System requirements

Operating System: Supported on Windows 2000 Server.
Disk space:
  VPN-1 Express: 300 MB
  SmartCenter Express: 300 MB
  SmartDashboard: 100 MB
  SecurePlatform: 4 GB
Memory:
  VPN-1 Express: 128 MB
  SmartCenter Express: 128 MB
  SmartDashboard: 128 MB
  SecurePlatform: recommended 512 MB

(Source: Check Point Express Data Sheet)


References and bibliography

1. Cisco Systems Inc. Website: www.cisco.com.
2. Checkpoint Software Technologies Ltd. Website: www.checkpoint.com.
3. Failover Clustering Support. Source: Microsoft Developer Network. Website: msdn.microsoft.com.
4. Microsoft Windows 2000 – Active Directory. Website: www.microsoft.com/windows2000/technologies/.
5. Teleworking – Code of Practice for employees, written by Peter Skyte. European Telework Online. Website: http://www.eto.org.uk/.
6. Information Technology Professionals Association (UK). Website: http://www.amicus-itpa.org/.
7. Dell United Kingdom. Website: http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
8. IBM Corporation, United States. Website: www.ibm.com.
9. The Virtual LAN Technology Report, written by John Freeman, senior consultant at Decisys Inc. Published 1996.
10. Di-ve.com. Web portal. Website: www.di-ve.com.
11. Times of Malta Online Edition. Website: www.timesofmalta.com.
12. CNet.com web portal. Hardware reviews and evaluation software. Website: www.cnet.com.
13. Network World Fusion web portal. Website: www.nwfusion.com.
14. Encyclopedia of Networking, 2nd Edition, written by Werner Feibel. Published by Sybex, 1996. ISBN: 0-7821-1829-1.
15. Vodafone, Malta. Mobile operator. Website: http://www.vodafone.com.mt.
16. Video On Line Ltd, Malta. Internet service provider. Website: http://www.onvol.net.
17. AnthaSoft, software development company, secured by Certicom Inc. Website: http://www.anthavpn.com/antha/en/index.html.
18. L2TP/IPSec Application Development. Source: Microsoft Developer Network. Website: msdn.microsoft.com.
19. Sendmail Ltd, United Kingdom. Website: http://www.sendmail.com.
20. RFC 821 – Simple Mail Transfer Protocol, written by Jonathan Postel in August 1982. Internet FAQ Archives. Website: http://www.faqs.org/rfcs.
21. IBM Corporation. Website: www.ibm.com.
22. Worldnet21 Technology Ltd., Ireland. Website: www.worldnet21.com.
23. International Engineering Consortium. Website: www.iec.org.