ACCRAM INC

Zyxco Inc.

Network Assessment

Overview

This document is intended to provide an overall technical assessment of the current PC networking infrastructure at the Zyxco Inc. main office.  In addition, this document will provide recommendations for the environment based on that assessment. 

In order to best serve this dual purpose, the document is divided into several sections to represent the major infrastructure components in the environment.  Each section is further subdivided to show specific technical details.  Each subsection is comprised of two major components:

• Analysis – A technical assessment of the current configuration, highlighting strengths and deficiencies

• Recommendations – Recommendations for improvements to the current configuration based on best practices and the overall direction of the IT infrastructure.

At the end of this document you will find several appendices containing the raw data collected through on-site evaluations and interviews of interested parties.  This raw data is the basis for all analysis and recommendations made in this document.

Network Infrastructure

The network infrastructure is loosely defined as “all of the components that let computers communicate”.  The word ‘communicate’ means many things to computers; saving a file to the network server, accessing a database, sending email or even surfing the web are all forms of computer communication.

Generally speaking, Network Infrastructure components include but are not limited to the following:

• Network wiring including LAN and WAN connections

• Network devices such as switches, routers, hubs, bridges and firewalls

Network Topology

Analysis

The Local Area Network at Zyxco is flat, containing only one logical IP segment.  All network connections are made via CAT-5 twisted pair on 10 Mb/s or 10/100 Ethernet hubs.  The topology is basically star-bus as illustrated below.

Figure 1 - Star-Bus Topology

The star-bus topology is generally accepted as a standard configuration for Ethernet over twisted pair networks, however the use of hub rather than switch technology is an area for concern. 

The use of hubs throughout the environment creates a single collision domain for the entire network.  Overall network performance decreases proportionally to the number of systems active on the network as well as to the level of that activity.  This situation is analogous to a large crowded room in which everyone is shouting at once. 

To further exacerbate the problem, all hub interconnects are made at line speed using ‘uplink’ ports.  This will result in poor performance for those network computers located farthest from the servers in terms of hub interconnects as illustrated in Figure 2 below. 

Figure 2 - Network Degradation

It is likely in this configuration that network packets are being dropped during heavy network load resulting in multiple retransmissions.  The end result is poor network performance and slow server response times.

Recommendations

Maintain the star-bus topology using Ethernet over twisted-pair.  Replace all hub devices with switch technology to reduce the amount of collision/retransmit packets.

Utilize corporate or enterprise level switches with faster than line speed interconnects for the core network backbone.  This will eliminate the line speed bottleneck as traffic moves across the switch fabric.

Internet Connectivity

Analysis

Internet connectivity for the site is achieved through a dedicated T-1 or Frame-Relay leased circuit terminated by a Cisco 1720 series router with an internal T-1 DSU/CSU WAN Interface Card as illustrated below.

Figure 3 - Internet Connectivity

A Sonic Wall firewall appliance provides NAT overload services for desktop clients as well as static one-to-one NAT translations for specific network services such as the Exchange email server.  The Sonic Wall is also configured for port filtering and stateful packet inspection to help increase Internet security.

Recommendations

This configuration is generally sound with respect to the method of Internet connectivity.  As mentioned before however, network hubs should be replaced with switch technology to minimize collisions and increase network performance.

Bandwidth utilization for this connection should also be monitored during peak usage, especially during high volume seasons to validate firewall performance under high inbound load conditions.

NOS Environment

The ‘NOS’ or Network Operating System Environment is made up of the desktop and server operating systems, user and group configuration as well as all objects that make up what is commonly called the ‘network’.  In Windows based network environments, there is typically an NT domain model to provide various network services to desktop end users.

NT Domain Topology

Analysis

The NT Domain topology consists of a single mixed mode Active Directory domain with NT 4.0 BDC.  The domain is configured in only one site and thus there is no WAN replication topology to consider.

Figure 4 - Current Domain Topology

It appears that he Active Directory was upgraded from a single NT 4.0 domain in order to provide the required foundation for the installation of Microsoft Exchange Server 2000.

With few exceptions, desktops throughout the environment are Windows NT 4.0 Workstation and members of the domain.  Access is provided through Domain User account and Security group permissions.  Group based logon scripts provide network drive mapping to file shares located on network servers.

Recommendations

Migrate to a Native Mode Active Directory domain based on Windows 2000 Server.  Take advantage of Multi-Master Domain controllers.  Implement group policy objects as needed to reduce administration of groups and users.

NOS Security

Analysis

Network security is a fairly wide ranging topic covering everything from server configuration to network hardware and protocol configuration all the way to physical access and lock-types on doors.  For the purposes of this document, we are concerned with three main areas of OS level security:

• Password Policy

• Account Policy

• Network Resource Policy

Password Policy

There is currently no password policy in place to define minimum password length, maximum password age or complexity requirements.  As such, passwords for network users are generally very weak and easily guessable, consisting mainly of dictionary words.  Additionally, there is no account lockout policy in place to limit the effectiveness of brute-force type attacks.

This configuration poses a security risk as it is easy for a malicious hacker to gain access to sensitive files by guessing a user password, or using a simple ‘brute-force’ hacking tool to derive the password by quickly trying multiple combinations in a short period of time.

Account Policy

There is no account policy in place to define allowed network access times or to further secure the environment by removing last-logged-on user names from the desktop.  The Administrator account is still active and named Administrator with full rights.

This security risk allows a malicious user – perhaps posing as a member of the night-time cleaning crew to have unfettered access after hours when their presence won’t be called into question.  In addition, this configuration gives the malicious user half of the information needed to hack into the system; the Username.

Network Resources

User rights are based on security group membership of their network account.  This is generally the best practice for assigning user rights as it makes administration of similar groups of users easier.  Many servers however have open share points to the root of local hard drives. 

Recommendations

Implement a network password policy requiring at least the following:

• Minimum password length of 6 characters

• Minimum password complexity requirement of Alpha-Numeric

• Maximum password age of 45 days

The administrator account should be renamed to something other than administrator.  To increase security, after renaming the administrator account, set the password to be very strong – 16 characters, mixed case, alphanumeric with special characters – and store the password in a locked safe with limited access.  A second Domain Administrator account should be created, with a fairly strong password, for use during normal day-to-day operations.  This allows for ease in disabling the daily administration account should it become compromised.

A network account policy should be created to limit logon hours for the general user population to normal business hours.  Additionally, the last-logged-in username should be removed from the desktop and desktop profiles should not be cached.

All network file server access should be closely controlled through the use of specific share points and security group rights assignment.  The root level share points should be removed from all servers, leaving the hidden administrative shares (such as C$) in place.  This will still allow administrative access to resources by Network Administrators while removing the potential threat of a ‘network browser’ attack.

Server Analysis

Zyxserv1

Installed Applications

• IIS (Outlook Web Access)

• Exchange Server 2000

• DHCP Server Service

• DNS Server Service

• WINS Server Service

• Symantec Anti-Virus Corporate edition

Assessment

This system is overloaded, performing most of the required network services for the environment.  Hard drive capacity is at minimum acceptable levels for the system and boot partitions.  Large server load, or natural growth of data stored on the drive through use may cause a system failure resulting in system downtime and potential loss of data

The system is outside of the manufacturer’s warranty period.  Hardware failures requiring parts replacement will be considerably expensive assuming suitable replacement parts will even be available.

Recommendations

Replace this server with modern equipment or distribute some of the server load to other more modern platforms with sufficient system resources to handle the additional load.  Exchange Server 2000 in particular should be installed on a server that performs no other network services for the environment.

ZYXS-FS

 Installed Applications 

• Veritas Backup Exec 9.0

  • DDS 4 20/40 DAT tape drive

• File Server

  • Departmental file shares

  • General Data file shares

  • Private User file shares

 Assessment

While this system is currently out of warranty, it does have sufficient system resources to provide the role of File and Print server.  There are however some concerns with regard to the tape backup: 

• The current DDS 20/40 DAT drive does not have sufficient capacity to perform a full backup of the entire environment

• Backup jobs will run slowly on this platform due to system resource limitations.  Large backup or restore jobs may not run completely in the time allotted

Recommendations

I recommend leaving this server in place to perform the role of File and Print server.  The current tape drive system should be replaced with a larger unit capable of performing a full backup of the entire environment.  The backup server role should be migrated to a more modern platform, preferably a multiprocessor server.

Zyxserv2

Installed Applications 

• Historical UPS shipping data

• Historical Cyma Accounting Data

• Current Aperture system data

Assessment

This system just meets the Microsoft Minimum System Requirements for installation of Windows 2000 Server.  As a result, system performance will suffer under any appreciable server load such as multiple simultaneous user connections.  Ultimately, this will result in poor user experience and may result in loss of data due to a system failure while overloaded. 

 Hard drive capacity is at minimum acceptable levels for the system and boot partitions.  Large server load, or natural growth of data stored on the drive through use may cause a system failure resulting in system downtime and potential loss of data

 The system is outside of the manufacturer’s warranty period.  Hardware failures requiring parts replacement will be considerably expensive assuming suitable replacement parts will even be available.

 The NT 4.0 operating system has been deprecated by Microsoft.  Additional support for this OS is not available, nor will future updates, service packs or security updates be available.

 The root directory of all system hard drives is an open share to the network.  This poses a potential security concern as vital Operating System files are directly accessible via the network. 

Recommendations

Replace this server with modern equipment, or migrate the role of this server to a more modern platform with sufficient system resources to handle the additional load.  Consider migrating necessary historical data to offline storage such as demand access tape drives to conserve hard drive capacity.

Marketing

Installed Applications

• IIS (Default install – Server Stopped)

• 4D Server service

• Timbuktu for remote administration

Assessment

This system just meets the Microsoft Minimum System Requirements for installation of Windows 2000 Server.  As a result, system performance will suffer under any appreciable server load such as multiple simultaneous user connections.  Ultimately, this will result in poor user experience and may result in loss of data due to a system failure while overloaded. 

 Hard drive capacity is at minimum acceptable levels for the system and boot partitions.  Large server load, or natural growth of data stored on the drive through use may cause a system failure resulting in system downtime and potential loss of data

 The system is outside of the manufacturer’s warranty period.  Hardware failures requiring parts replacement will be considerably expensive assuming suitable replacement parts will even be available.

 The NT 4.0 operating system has been deprecated by Microsoft.  Additional support for this OS is not available, nor will future updates, service packs or security updates be available.

 The root directory of all system hard drives is an open share to the network.  This poses a potential security concern as vital Operating System files are directly accessible via the network.

Recommendations

Replace this server with modern equipment, or migrate the role of this server to a more modern platform with sufficient system resources to handle the additional load.  Consider migrating necessary historical data to offline storage such as demand access tape drives to conserve hard drive capacity.

NetCommerce