WISE IT Network Enhancement Proposal &
Requirements Definition Document (RDD)
Status: Draft
Version: 1.0
| WISE Approval | |
| Role | Director |
| Name | Tsigie Haile |
| Signed |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 2/26 |
TABLE OF CONTENTS
1 INTRODUCTION………………………………………………………………………………………..3
1.1 Purpose ………………………………………………………………………………………………….3
1.2 Scope …………………………………………………………………………………………………….3
1.2.1 Assumptions ………………………………………………………………………………..3
1.2.2 Design strategy …………………………………………………………………………….4
1.2.3 Dependencies ………………………………………………………………………………4
1.2.4 Risks ………………………………………………………………………………………..4
1.2.5 Network forecast…………………………………………………………………………..4
2 DEFINITIONS ……………………………………………………………………………………………5
3 REQUIREMENTS ………………………………………………………………………………………..6
3.1 Product and General Requirements ………………………………………………………………6
3.2 Network and Service Requirements………………………………………………………………6
3.3 Security Requirements……………………………………………………………………………….7
3.4 Hardware and Cabling Requirements ……………………………………………………………7
3.5 Wireless Network Requirements…………………………………………………………………..8
3.6 BoM……………………………………………………………………………………………………….8
4 NETWORK SOLUTION…………………………………………………………………………………9
4.1 Phase1:…………………………………………………………………………………………………..9
4.2 Phase2:…………………………………………………………………………………………………..9
4.3 Network Elements …………………………………………………………………………………..12
4.3.1 Ethio-telecom Modem router: ………………………………………………………….. 12
4.3.2 Egress Router: …………………………………………………………………………… 12
4.3.3 Core (backbone) switch: ………………………………………………………………… 12
4.3.4 Aggregation (distribution) switch: ……………………………………………………… 12
4.3.5 Access switch: …………………………………………………………………………… 12
4.3.6 Firewall: …………………………………………………………………………………. 12
4.3.7 Wireless Access Point (AP):……………………………………………………………… 13
4.3.8 Server farm:……………………………………………………………………………… 13
4.4 IP addressing and VLAN …………………………………………………………………………..14
4.5 Failover Scenario…………………………………………………………………………………….15
4.6 Cabling…………………………………………………………………………………………………15
5 DOCUMENT INFORMATION ……………………………………………………………………….17
5.1 Document contact…………………………………………………………………………………..17
5.2 Sign-off………………………………………………………………………………………………..17
5.3 Change History ………………………………………………………………………………………17
Appendix 1 – Current Network Diagram and Equipment List …………………………………….18
Appendix 2 – Compliance Table ………………………………………………………………………….21
Appendix 3 – Internet Security Policy……………………………………………………………………24
Figure 1- Logical Network Topology Phase1 …………………………………………………………….9
Figure 2- Logical Network Topology Phase2 ………………………………………………………….. 10
Figure 3- Wireless Dual band Interfaces (Phase2)…………………………………………………….. 11
Figure 4- Physical Design (Phase2)…………………………………………………………………….. 11
Figure 5- Cabling Layout……………………………………………………………………………….. 16
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 3/26 |
1 Introduction
This proposal is to improve the WISE IT network infra-structure with long term network evolution
that shall improve the current limited network capacity and capability to accommodate the
expansion of the organisation and provide sophisticated information communications technologies
(IT) functions to the network and system users.
This document consists of two parts including Network Proposal and its Requirements so that
vendors and suppliers can use to make a proposal with quotes and BoM (Bill of Material).
1.1 Purpose
This document articulates the network proposal and its requirements for the WISE IT Network
Infrastructure.
The purpose of this document is to:
| | Provide High level guidance and possible network infra-structure for WISE management so that they can have an idea of their future network and systems to implement Provide the basis for pricing and solution design development for vendors |
| | |
| | Provide input into the High level design followed by Low level Design when placed an purchase order |
1.2 Scope
The project shall be delivered in two stages: Phase1 and Phase2. This document describes both
phases, captures the business requirements for long term WISE network development plan and the
items (high level) in-scope for this include:
Phase1:
SPOF Design (Short term delivery)
| | Supply, Install, Build and configure a new network and integrate into existing network with seamless migration Deliver Layer 2 and Layer 3 (capability for future) services with implementing network structure and configuration for the services through the Internet and Intranet. Provide secured network infrastructure with a server farm including Web, Access control, SMTP(Email) and DNS Upgrade existing Finance server to a new hardware platform using VMware Wireless LAN with security access to the network Network cabling as per design |
| | |
| | |
| Phase2: |
|
| Redundancy and VPN (Long term delivery) | |
| |
Introduce redundancy for Firewall, wireless and core switches Implement wired LAN in New building Implement capability for remote access (IPsec) and VPN for external users Implement server redundancy (for finance server) |
Cabling and wiring shall be professionally done by vendors as per HLD, and the IT room shall be
moved and constructed in other room as per HLD to accommodate Modem router, Core switches,
Firewalls etc.
1.2.1 Assumptions
The following assumptions have been identified for this project:
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 4/26 |
1. In response to this document, it is expected to receive the following information and
vendors are capable of sourcing the hardware within reasonable time frame;
– An Architecture design shows overall network topology diagram including network
elements, interfaces and names of NE
– High level design includes logical, physical and service design
– Bill of Material (BOM) includes item description, Make, Model and quantity
– Quote includes pricing, terms and conditions
2. Finance and budgeting will be reasonably well prepared to place order within the terms
provided by vendors.
3. The term of ‘Aggregation’ switch is used as the same meaning as ‘Distribution’ switch.
1.2.2 Design strategy
The following design strategy shall be applied (some for network operator)
– Secure network devices
– Restrict device management
– Use strong authentication
– Deploy firewalls and spread filters
– Encrypt sensitive network traffic
– Deploy intrusion detection
– Filter source addresses
– Provide redundancy
– Be prepared for security incidents
– Not Use defaults blindly
– Not Deploy services that are not needed
– Not Allow device management from anywhere
– Not Use clear text passwords in risky places
– Not Assume filtering is going to destroy performance
– Not Send important data in the clear across an untrusted network
1.2.3 Dependencies
The following dependencies have been identified for this project:
1. Budget and Finance approval
2. Approval of this proposal by relevant approvers
1.2.4 Risks
Risks and issues are registered and maintained in accordance with the Project Management Plan:
| # | Description | Mitigation |
| [1] | Lack of local financial resources | seek resources in advance |
| [2] | Lack of technical expertise in operation | Train WISE IT technician, e.g. obtaining CCNA & CCNP certification |
1.2.5 Network forecast
The following table shows the forecast of WISE IT network users:
| Year | Total No of network users | Wi-Fi access |
| 2014 | 50 | 20 |
| 2015 | 70 | 30 |
| 2016 | 100 | 50 |
| 2017 | 150 | 100 |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 5/26 |
2 Definitions
For the purpose of this RDD, the following terms are defined:
| Term | Definition |
| BoM | Bill of Material |
| CCNA | Cisco Certified Network Associate |
| CCNP | Cisco Certified Network Professional |
| CE | Customer Edge |
| CLI | Command Line Interface |
| DNS | Domain Name Server |
| FE | Fast Ethernet |
| FTP | File Transfer Protocol |
| GE | Gigabit Ethernet |
| HLD | High Level Design |
| IP | Internet Protocol |
| IPsec | Internet Protocol Security |
| IT | Information Technology |
| LLD | Low Level Design |
| NAT | Network Address Translation |
| OBI | Out-Bound Interface, i.e. Ethio-telecom interface |
| OOB | Out of Band – (OOB) Direct physical connectivity to a network element |
| QoS | Quality of Service |
| RDD | Requirements Definition Document |
| SPOF | Single Point of Failure |
| UPS | Uninterruptible Power Supply |
| URL | Uniform Resource Locator |
| VLAN | Virtual Local Area Network |
| VPN | Virtual Private Network |
| Wireless AC | Wireless Access Control |
| Wireless AP | Wireless Access Point |
| WISE | Women In Self Employment |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 6/26 |
3 Requirements
This section defines the functional and non-functional requirements to be considered for the WISE
IT network enhancement Project. (Note: these requirements are high level only and need to be
completed during the course of project progress, e.g. HLD)
3.1 Product and General Requirements
| Req. ID | Requirement Statement |
| 3.11 | The solution shall introduce Enterprise grade resilient systems for hardware and software |
| 3.12 | The solution shall provide scalable, secure and highly available design |
| 3.13 | The solution shall introduce a design (scalable) for future growth of the network based on the short and long term traffic forecast of the network |
| 3.14 | The solution shall introduce Wireless access to the network for internet and intranet traffic and users |
| 3.15 | Design document (HLD, LLD) shall include all necessary information ready to operate without any configuration but user data |
| 3.16 | IT room shall be located with proper housing and racks (in front of the director’s room) to accommodate all the network equipment, e.g. core switch, router, servers etc. with a proper size of rack, e.g. 19 inch rack. |
| 3.17 | VMware shall be used for servers |
| 3.18 | The solution shall provide current model of software and hardware |
3.2 Network and Service Requirements
| Req. ID | Requirement Statement |
| 3.21 | There shall be no Single Points of Failure for routing and switching network including cabling Note: This excludes Phase1 design |
| 3.22 | The solution shall introduce a 1Gbps (or above) ports for core switches |
| 3.23 | The solution shall support quality of service based on the nature of service and media (voice, internet, e-mail, video streaming, FTP etc) |
| 3.24 | The solution shall ensure Layer 2 and Layer 3 services can be provisioned without limitation of any hardware or software |
| 3.25 | Design document (HLD, LLD) shall include all necessary information ready to operate without any configuration but user data |
| 3.26 | The solution shall require a separate management access for network elements, e.g. separate VLAN (Layer2) and/or IP address range (Later3) |
| 3.27 | Users shall be able to access network through internet, e.g. IPsec VPN (Phase2) |
| 3.28 | Ipv4 shall be used for design and the table 1 shows the proposed IP addressing subject to Design |
| 3.29 | DHCP function shall be identified and provide Ipv4 addressing for internal networks |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 7/26 |
| Req. ID | Requirement Statement |
| 3.30 | The solution shall move the existing modem router in the new IT room along with other network elements |
3.3 Security Requirements
| Req. ID | Requirement Statement |
| 3.31 | The solution shall introduce a firewall to protect the network |
| 3.32 | Network communications shall be filtered at network boundaries that specify allowed communication traffic by type, source identifier and destination identifier |
| 3.33 | All users, this includes networksystemsapplications connecting to its own or other shall be authenticated at its own and the target systemapplication by individual user ids and passwords, or digital certificates. |
| 3.34 | All connections to network systems, carrying sensitive information such as user authentication credentials, (e.g. ID & password) shall be encrypted or otherwise secured to maintain data integrity and confidentiality |
| 3.35 | All connections and traffic to wireless LAN access will be encrypted |
| 3.36 | Corporate traffic will be protected across Internet with secured way, e.g. IPsec VPN (Phase2) |
| 3.37 | Existing Anti-Virus shall be used for PCs whilst a new Anti-Virus shall be provided by a server |
| 3.38 | Internal server farm shall be located within the LAN (i.e. behind the firewall inside network port) |
| 3.39 | Firewall shall provide different security zones including inside, outside and DMZ ports |
3.4 Hardware and Cabling Requirements
The following kinds of hardware (but not limited to depending on HLD) shall be considered for
solution design.
| Req. ID | Requirement Statement |
| 3.41 | Network egress router/Firewall is introduced for NAT, IPsec etc. |
| 3.42 | Core switches shall provide redundancy, i.e. 2x switches with Load balancing (in Phase2) |
| 3.43 | Access switches shall provide minimum 24 ports with 10/100/1000 Base-T and no redundancy required |
| 3.44 | Firewall shall provide minimum 2xGE (RJ45) and 2xGE (combo) ports for Anti-Virus, Anti Spam, URL filtering, Anti-Ddos etc |
| 3.45 | Wireless AP shall support 802.11abgn |
| 3.46 | There shall be 2 group of network zones (buildings and its annex) including: 1. Old building 2. New building Each group will have its own aggregation function(switch) which will distribute traffic into multiple access switches |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 8/26 |
| Req. ID | Requirement Statement |
| 3.47 | A new server for Web/Mail/DNS shall be introduced |
| 3.48 | Power redundancy (UPS) shall be used for all equipment in IT room (old building) except access switches |
| 3.49 | Servers(finance) shall be physically redundant with automatic backup on a daily basis |
| 3.50 | Cabling and wiring shall be professionally done with category 6 cables |
3.5 Wireless Network Requirements
| Req. ID | Requirement Statement |
| 3.51 | Wireless access users shall be able to access internet and intranet without losing the connection when the user moves location from A to B |
| 3.52 | There shall be point to point Wireless bridge/extender to be used between old and new building with dual band redundancy |
| 3.53 | There shall be full coverage of wireless access within each building and the serviced areas on WISE site |
| 3.54 | Wireless Access Controller is not required |
3.6 BoM
Bill of Material shall be provided with detailed information for phase1 and phase2 respectively.
It shall include current make, model and capacity of equipment.
If required software shall be part of each item or it will be separately listed in the BoM.
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 9/26 |
4 Network Solution
There will be two phases approach to complete the network enhancement.
Phase1 is to introduce network capability with minimum investment, whilst Phase2 is to implement
the network infra-structure with resiliency and security.
4.1 Phase1:
This is a simple network to introduce secured and resilient network design wit firewall.
There won’t be any redundancy for the firewall and core switch in this phase.
Network connection between old and new building currently has no cabling installed.
Thus, a wireless point to point shall be implemented to allow an aggregation switch of new building
to connect to the core switch. In future, new building may have its own network and it is out of
scope in this proposal.
Server Cluster
Web Mail DNS
Firewall
Aggregation switch
Old Building New Building
L2 L1 G
L2 L1 G
Core Switch
Wireless Zone (Old Building) Wireless Zone (New Building)
Internet
Wireless Access
Point
Access switch
Ethio-telecom ADSL Modem
Network Printer,
Copier, Scanner
Network Printer,
Copier, Scanner
Wired LAN
Wireless LAN
Finance
Figure 1- Logical Network Topology Phase1
4.2 Phase2:
Redundancy will be implemented for finance server, core switches and firewalls in this phase.
Also VPN for branches shall be provided along with a remote access, e.g. IPsec through Internet.
The diagram below illustrates the overall network topology:
The HLD document to be provided by a vendor shall include Physical, Logical and Service design.
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 10/26 |
Existing equipment (refer to Appendix2) shall be reused as many as possible according to the HLD
provided by vendors.
Interfaces shall be configured to provide redundancy between router, core switch and aggregation
switches.
Server Cluster (VMware)
Web Mail DNS
Firewall
Distribution
switch
Old
Building
New
Building
L2 L1 G
L2 L1 G
Wireless Zone (Old
Building)
Wireless Zone (New
Building)
Internet
Wireless
Access Point
Access switch
Ethio-telecom ADSL
Modem
Network Printer,
Copier, Scanner
Network
Printer, Copier,
Scanner
Wireless LAN Wired LAN
Egress Router
CE
Core Switch
Finance server
redundancy
Figure 2- Logical Network Topology Phase2
Wireless connection shall still be used between old and new building. In addition to Phase1
interfaces, there shall be another wireless interface between addition core switch and aggregation
(distribution) switch as per Figure3. i.e. 2x Wireless AP onto core switches with dual band, and 2x
Wireless AP onto the aggregation (distribution) switch in new building.
To provide redundancy of wireless, each core switch will connect to both wireless Aps as in Figure3.
See Failover scenario section for details.
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 11/26 |
New Building
Level1
Core Switch
Distribution/Access switch
Wireless Dual band
Old Building/
IT room
p1
p2
p1
p2
C1 C2
A1 A2
A3 A4
Level2
L1 L2
Figure 3- Wireless Dual band Interfaces (Phase2)
Figure4 illustrates the Physical design of complete network (Phase2):
F1
M1
R1
F2
C1 C2
A1 A2 D1 D2
D3 D4
A3 A4
New Building Old Building
S1 S2
Wireless Dual Band
Figure 4- Physical Design (Phase2)
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 12/26 |
4.3 Network Elements
Each network element (NE) features the following role:
4.3.1 Ethio-telecom Modem router
This allows WISE network users to access Internet through public network. This equipment is
existing and provided by the service provider (Ethio-telecom).
4.3.2 Egress Router
From the service provider’s perspective, the customer edge (CE) is the router at the customer
premises that is connected to the provider edge of a service provider IP/MPLS network. This router
will also be the egress point of the WISE network.
4.3.3 Core (backbone) switch
Its job is simply to move packets from point A to point B as fast as possible and with the least
possible manipulation.
This is a high capacity switch that is located in a wide area network (WAN) that acts as a gateway
control. It allows multiple modules to work together. A core switch can also be referred to as
backbone switch connecting aggregation switches. This will have redundancy in Phase2.
4.3.4 Aggregation (distribution) switch
The Distribution switch is where policies are applied. It’s where access-lists, or QoS, and CPUintensive routing decisions should occur (as opposed to just a default route or default gateway).
Distribution switch designs usually focus on aggregating Access devices into boxes with significant
processing resources so that policies can be applied. This switch connects to the core switch for its
network access. The old building would connect through an Ethernet cable because there is a direct
physical connectivity. The new building on the other hand won’t have a direct physical connection
to the core switch. Thus, a wireless bridge setup is used for its connection to the core switch.
Note:
Physically in this design, this switch will integrate access switch function in the same switch, whilst
connecting other access switches as an aggregation function. Thus, this switch will function as a
managed switch with different VLAN allocation on its ports.
There are two (2) switches per building are required.
4.3.5 Access switch
The Access switch is responsible for connecting devices to the network. Its defining characteristics
generally revolve around either high port density or the ability to overcome physical “last mile”
type challenges, like wireless 802.11, or remote access via modems or VPN.
Also this provides connection to network users via Ethernet port of their devices.
In this design, this switch will function as a simple interface connecting user’s device without
‘managing’ the ports.
Existing switches are also used to connect users.
4.3.6 Firewall
A firewall is a system designed to prevent unauthorized access to or from a private network. It can
be implemented in either hardware or software form, or a combination of both. Firewalls prevent
unauthorized Internet users from accessing private networks connected to the Internet, especially
intranets. All messages entering or leaving the intranet (i.e., the local network to which you are
connected) must pass through the firewall, which examines each message and blocks those that do
not meet the specified security criteria. In protecting private information, a firewall is considered a
first line of defence; it cannot, however, be considered the only such line.
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 13/26 |
Firewalls are generally designed to protect network traffic and connections, and therefore do not
attempt to authenticate individual users when determining who can access a particular computer or
network. This firewall would be used to secure the whole enterprise from outside threats. The
firewall is configured in such a manner that the only a specific type of traffic (requested by the
users like Web, Mail, etc.) will be allowed to traverse the internet. Unwanted and threatening
traffic will be denied from entering the WISE network in the first place.
The network would be segmented in to three logical regions: INSIDE, OUTSIDE and DMZ. The INSIDE
region refers to the WISE network that needs to be highly secured. The OUTSIDE region refers to the
outside world. This network is out of the control of WISE IT infrastructure and would be the least
trusted.
The third region is DMZ. This is where corporate resources like Web, Mail other services would be
placed to be accessed from the outside world.
Connection from the firewalls INSIDE interface would be connected to the core-switch’s uplink
interface. This core switch needs to route packets as fast as possible to eliminate network latency
and performance hit. This switch would interconnect the various access-layer switches in different
buildings. Network traffic from one points in the enterprise to another point in the enterprise most
likely traverses this core switch.
4.3.7 Wireless Access Point (AP)
This is a device that allows wireless devices to connect to a wired network using Wi-Fi, or related
standards. The AP usually connects to a router/switch (via a wired network) as a standalone device,
but it can also be an integral component of the router itself. In this design, it will be simply existing
wireless routers/switch currently being used. Also, a wireless LAN would be setup that provides WIFI
access to mobile users. The coverage of these signals depends on various factors like Antenna type,
physical obstacles, weather, etc. To maximize coverage area, these Wireless APs are placed on
corridor corners. Each of the floors would have one or two Wireless AP.
Note:
Between old and new building, wireless point to point will be used (without cabling due to the
difficulty of laying cables between buildings) to connect the entire new building network traffic to
the core switch. Therefore, this connection has to have redundancy (in Phase2) for stable and
resilient network access. Figure3 illustrates the interfaces providing dual band redundancy.
4.3.8 Server farm
There will be two (2) logical servers including existing financial server and new Web/Email/DNS
server. In phase1, a new physical server will accommodate existing and new servers using VMware,
which means that the existing financial server shall be migrated in the new server.
In phase2, there will be two (2) physical servers to provide redundancy.
Financial server provides applications and database for WISE finance team that separates their
network from others with redundancy function (2x) in Phase2. The other server (Microsoft Exchange)
provides internal email function with Outlook clients and Web mail function for the whole network
users.
VMware shall be used to provide multiple server function in single server hardware. E.g. financial
server function and Exchange server function in a physical server environment using VMware.
Table below shows hardware list required for each phase: refer to figure4
| ID | Name | Phase |
| M1 | Modem | 1 |
| R1 | Router (egress router) | 2 |
| F1 | Firewall | 1 |
| F2 | Firewall | 2 |
| C1 | Core Switch | 1 |
| C2 | Core Switch | 2 |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 14/26 |
| D1 | Distribution Switch | 1 |
| D2 | Distribution Switch | 1 |
| D3 | Distribution Switch | 1 |
| D4 | Distribution Switch | 1 |
| A1 | Wireless Access Point (dual band) | 1 |
| A2 | Wireless Access Point (dual band) | 2 |
| A3 | Wireless Access Point (dual band) | 1 |
| A4 | Wireless Access Point (dual band) | 2 |
| S1 | Server (main server with 32G memory) | 1 |
| S2 | Server (standby and backup server) | 2 |
| R1 | Rack1 (19 inch 46U cabinet to allow future equipment, e.g. PABX) – IT room | 1 |
| R2 | Rack2 (6U) – new building | 1 |
| Cables (Cat6) | 1 | |
| Cables (Cat6) | 2 | |
| UPS (2x) – IT room + new building | 1 |
Table 1- Hardware list
4.3.9 Network Management System
In future NMS is considered to be introduced in the network to manage network elements. It can
provide network configuration, fault, performance and security management function.
4.4 IP addressing and VLAN
IP addressing plan shall be used to accommodate current and future forecasts.
The following IP address range can be used for large and small network:
| Domain | Mask | Network | Host From | Host To | No of IP | Remarks |
| Private IP | /20 | 172.16.0.0 | 172.16.0.1 | 172.16.15.255 | 4096 | |
| Group1 | /23 | 172.16.0.0 | 172.16.0.1 | 172.16.1.254 | 508 | |
| Group2 | /23 | 172.16.2.0 | 172.16.2.1 | 172.16.3.254 | 508 | |
| /23 | 172.16.4.0 | 172.16.4.1 | 172.16.5.254 | 508 | Spare | |
| /23 | 172.16.6.0 | 172.16.6.1 | 172.16.7.254 | 508 | Spare | |
| /23 | 172.16.8.0 | 172.16.8.1 | 172.16.9.254 | 508 | Spare | |
| /23 | 172.16.10.0 | 172.16.10.1 | 172.16.11.254 | 508 | Spare | |
| /23 | 172.16.12.0 | 172.16.12.1 | 172.16.13.254 | 508 | Spare | |
| /24 | 172.16.14.0 | 172.16.14.1 | 172.16.14.254 | 254 | Spare | |
| Management | /24 | 192.168.0.0 | 192.168.0.1 | 192.168.0.254 | 254 |
Table 2 IP Addressing plan – large network
| Domain | Mask | Network | Host From | Host To | No of IP | Remarks |
| Private IP | /24 | 172.16.0.0 | 172.16.0.1 | 172.16.0.255 | 256 | |
| Group1 | /26 | 172.16.0.0 | 172.16.0.1 | 172.16.0.62 | 62 | |
| Group2 | /26 | 172.16.0.64 | 172.16.0.65 | 172.16.0.127 | 62 | |
| Group3 | /26 | 172.16.0.128 | 172.16.0.129 | 172.16.0.191 | 62 |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 15/26 |
| Group4 | /26 | 172.16.0.192 | 172.16.0.193 | 172.16.0.254 | 62 |
| Management | /26 | 192.168.0.0 | 192.168.0.1 | 192.168.0.62 | 62 |
Table 3- IP Addressing plan – small network
The following names are used for VLAN and VLAN names.
| VLAN | VLAN Name | Description |
| vlan 400 vlan 410 vlan 420 vlan 421 vlan 430 vlan 431 vlan 495 vlan 496 vlan 497 vlan 499 vlan 500 |
VLAN-400 VLAN-410 VLAN-420 VLAN-421 VLAN-430 VLAN-431 VLAN-495 VLAN-496 VLAN-497 VLAN-499 VLAN-500 |
OAM (management) Finance team Trainers Union Facilitators Spare Spare Spare Spare Spare Spare |
Table 4- VLAN names
4.5 Failover Scenario
In case that a link or a node failure has occurred between old and new building as in Figure3, there
will be failover scenarios as below:
| Failure cases | Traffic Failover to |
| Node A1 | Node A2 |
| Node A2 | Node A1 |
| Node A3 | Node A4 |
| Node A4 | Node A3 |
| Node C1 | Node C2 |
| Node C2 | Node C1 |
| Node L1 | SPOF (no failover) |
| Node L2 | SPOF (no failover) |
| Link A1-C1 | Link A1-C2 |
| Link A2-C2 | Link A2-C1 |
| Link L1-A3 | Link L1-A4 |
| Link L2-A4 | Link L2-A3 |
4.6 Cabling
Cabling will be constructed as per the example below in Figure5.
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 16/26 |
Major cabling route will follow the corridor starting from the IT room, and each room will be
connected from the main route.
Each room will have at least two (2) cables derived from the main cable, and as many as the
number of PCs or desks in the room too. For example, if the Union office has 10 desks with 7 PCs on
them, there should be 2 cables to an access switch from the main cable route in the room, and 10
cables lay from the access switch to each desk.
All cables including main and branch cables are properly fixed and ducted (e.g. PVC trunk) for
protection of cables, and also allow future capacity.
As to new building, cabling will commence from the Rack to be located in a room nearest to the IT
room in Old building. Every room will have cabling directly derived from the Distribution switches.
Below shows an example of cabling, and other building and floors are similarly constructed.
18
Director
Office
Training
Department
Old Library
Finance
Head 17
16
Finance
Finance
15
Rest Room
Research
Union Finance Union Office
19
13
20
Facilitators Facilitators
Gulele Finance ID Department
22 21
23
24
25
26
IT room
Main cabling
Branch cabling
Figure 5- Cabling Layout
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 17/26 |
5 Document Information
5.1 Document contact
For any enquiries regarding this document:
| Name: | James Kang |
| Role: | IT Advisor |
| Organisation: E-mail: Telephone: |
AVID [email protected] +251-9402-83-475 Ethiopia/+61-43-919-2855 Australia |
| Name: | Zerihun Hailu |
| Role: | IT engineer |
| Organisation: E-mail: Telephone: |
WISE [email protected] |
5.2 Sign-off
The following stakeholders are signatories and as such must sign-off and provide final acceptance of
this document:
| Organisation | Title | Name | Signature and date |
| WISE | Director | Tsigie Haile |
5.3 Change History
| ED | Date | Author | Details of Change |
| 0.1 | 13/05/2014 | James Kang | Initial draft |
| 0.2 | 14/05/2014 | James Kang | Added Appendix 2 & 3. Server redundancy included |
| 0.3 | 19/05/2014 | James Kang | Revised with Wireless dual band diagram, Failover scenarios, Physical network design and minor changes in the requirements section |
| 0.4 | 20/05/2015 | James Kang | Added Cabling layout and Hardware list |
| 1.0 | James Kang | Final Draft for approval |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 18/26 |
Appendix 1 – Current Network Diagram and Equipment List
Current network:
Internet
ADSL
Modem
24 port Switch
24 port Switch
(Internet Room)
24 port Switch
(Accountants)
8 Port Switch
8 Port Switch
IGA Office
8 Port Switch
( Training Room)
8 Port Switch
(Aga Office)
8 Port Switch
(Accountants)
Server
Exchange
Server
192.168.1.0/24
R21
R22
R23
R17
R36 R40
R19
R18
8-port switch
8-port switch
Isolated
Old building current cabling (L1):
Room No 18
Director
D-link 24 Port Switch
ZTE ADSL
modem
Internet
D-Link WIFI
Router
Training Room No 19
Department
192.168.1.0/24
192.168.1.1
192.168.1.2
D-Link Port
8 Switch
PME Officer
Room No 17 Finance head
192.168.1.3
192.168.1.16
192.168.1.4 – 6
Accountants
Research and
Partnership
Officer
192.168.1.12
Room No 16
Accountants
Union Office
Cooperative
Accountants
192.168.1.40 – 50
D-Link 24 port switch
192.168.20 – 30
Room No 15
Room No 13
ID Department
Gulele Finance
192.168.1.50 – 60
Room No 25 Room No 23 192.168.1.30 – 40
Room No 21
Room No 22
Old Library
Facilitators Facilitators
Room No 25 Room No 24
192.168.1.7
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 19/26 |
Old building current cabling (L2):
Internet Room
192.168.1.1
DHCP
192.168.1.13
Room no 36
Room no 40
IGA Department
D-link WIFI
Access Point
192.168.1.80
General Service
DHCP
Room no 39
MTS Store
D-link 24 port
Switch
To First floor
Coady Project
Officer Room no 37
Floor layout (Old building L1):
18
Director
Office
Training
Department
Old Library
Finance
Head 17
16
Finance
Finance
15
Rest Room
Research
Union Finance Union Office
19
13
20
Facilitators Facilitators
Gulele Finance ID Department
22 21
23
24
25
26
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 20/26 |
Current equipment List:
| List of WIFI Devices | ||||
| No | Type | Model | Radio Band | Standard |
| 1 | Router | D-link Dir-850 L | Dual | 802.11n |
| 2 | Access Point | D-link Dap2553 | Dual | 802.11n |
| 3 | Access Point | D-link Dap2553 | Dual | 802.11n |
| 4 | Router | CISCO EA4500 | Dual | 802.11n |
| 5 | Router | CISCO EA4500 | Dual | 802.11n |
| 6 | Router | Netgear N300 | Dual | 802.11n |
| 7 | Router | Netgear N300 | Dual | 802.11n |
| 8 | Range Extender | DAP1320 |
| List of Switches | |||
| No | Model | Ports | Room no |
| 1 | D-Link DES- 1016D | 24 | 18 |
| 2 | D-Link DES-1024D | 24 | 36 |
| 3 | D-Link DES-1024D | 24 | 24 |
| 4 | D-Link DES-1008D | 8 | 19 |
| 5 | D-Link DES-1008D | 8 | 21 |
| 6 | D-Link DES-1008D | 8 | 40 |
| 7 | D-Link 10120 | 8 | 17 |
| 8 | Mercury | 8 | 25 |
| 9 | D-Link DES-1008A | 8 | 24 |
| 10 | 3com | 8 | 26 |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 21/26 |
Appendix 2 – Compliance Table
This section should be completed by vendors to indicate compliance of their solution along with a
quote and BoM. E.g. “Comply” ©, “No Comply” (NC) or “Partial Comply” (PC). In case of “Partial
Comply” there should be description to be provided.
| Req. ID |
Requirement Statement | Comply |
| 3.11 | The solution shall introduce Enterprise grade resilient systems for hardware and software |
C, NC or PC |
| 3.12 | The solution shall provide scalable, secure and highly available design | |
| 3.13 | The solution shall introduce a design (scalable) for future growth of the network based on the short and long term traffic forecast of the network |
|
| 3.14 | The solution shall introduce Wireless access to the network for internet and intranet traffic and users |
|
| 3.15 | Design document (HLD, LLD) shall include all necessary information ready to operate without any configuration but user data |
|
| 3.16 | IT room shall be located with proper housing and racks (in front of the director’s room) to accommodate all the network equipment, e.g. core switch, router, servers etc. with a proper size of rack, e.g. 19 inch rack. |
|
| 3.17 | VMware shall be used for servers | |
| 3.18 | The solution shall provide current model of software and hardware | |
| 3.21 | There shall be no Single Points of Failure for routing and switching network including cabling Note: This excludes Phase1 design |
|
| 3.22 | The solution shall introduce a 1Gbps (or above) ports for core switches | |
| 3.23 | The solution shall support quality of service based on the nature of service and media (voice, internet, e-mail, video streaming, FTP etc) |
|
| 3.24 | The solution shall ensure Layer 2 and Layer 3 services can be provisioned without limitation of any hardware or software |
|
| 3.25 | Design document (HLD, LLD) shall include all necessary information ready to operate without any configuration but user data |
|
| 3.26 | The solution shall require a separate management access for network elements, e.g. separate VLAN (Layer2) and/or IP address range (Later3) |
|
| 3.27 | Users shall be able to access network through internet, e.g. IPsec VPN (Phase2) | |
| 3.28 | Ipv4 shall be used for design and the table 1 shows the proposed IP addressing subject to Design |
|
| 3.29 | DHCP function shall be identified and provide Ipv4 addressing for internal networks |
|
| 3.30 | The solution shall move the existing modem router in the new IT room along with other network elements |
|
| 3.31 | The solution shall introduce a firewall to protect the network |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 22/26 |
| Req. ID |
Requirement Statement | Comply |
| 3.32 | Network communications shall be filtered at network boundaries that specify allowed communication traffic by type, source identifier and destination identifier |
|
| 3.33 | All users, this includes networksystemsapplications connecting to its own or other shall be authenticated at its own and the target systemapplication by individual user ids and passwords, or digital certificates. |
|
| 3.34 | All connections to network systems, carrying sensitive information such as user authentication credentials, (e.g. ID & password) shall be encrypted or otherwise secured to maintain data integrity and confidentiality |
|
| 3.35 | All connections and traffic to wireless LAN access will be encrypted | |
| 3.36 | Corporate traffic will be protected across Internet with secured way, e.g. IPsec VPN (Phase2) |
|
| 3.37 | Existing Anti-Virus shall be used for PCs whilst a new Anti-Virus shall be provided by a server |
|
| 3.38 | Internal server farm shall be located within the LAN (i.e. behind the firewall inside network port) |
|
| 3.39 | Firewall shall provide different security zones including inside, outside and DMZ ports |
|
| 3.41 | Network egress router/Firewall is introduced for NAT, IPsec etc. | |
| 3.42 | Core switches shall provide redundancy, i.e. 2x switches with Load balancing (in Phase2) |
|
| 3.43 | Access switches shall provide minimum 24 ports with 10/100/1000 Base-T and no redundancy required |
|
| 3.44 | Firewall shall provide minimum 2xGE (RJ45) and 2xGE (combo) ports for Anti Virus, Anti-Spam, URL filtering, Anti-Ddos etc |
|
| 3.45 | Wireless AP shall support 802.11abgn | |
| 3.46 | There shall be 2 group of network zones (buildings and its annex) including: 3. Old building 4. New building Each group will have its own aggregation function(switch) which will distribute traffic into multiple access switches |
|
| 3.47 | A new server for Web/Mail/DNS shall be introduced | |
| 3.48 | Power redundancy (UPS) shall be used for all equipment in IT room (old building) except access switches |
|
| 3.49 | Servers(finance) shall be physically redundant with automatic backup on a daily basis |
|
| 3.50 | Cabling and wiring shall be professionally done with category 6 cables | |
| 3.51 | Wireless access users shall be able to access internet and intranet without losing the connection when the user moves location from A to B |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 23/26 |
| Req. ID |
Requirement Statement | Comply |
| 3.52 | There shall be point to point Wireless bridge/extender to be used between old and new building with dual band redundancy |
|
| 3.53 | There shall be full coverage of wireless access within each building and the serviced areas on WISE site |
|
| 3.54 | Wireless Access Controller is not required |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 24/26 |
Appendix 3 – Internet Security Policy
Document Control
The IT Manager of the WISE will maintain control of the document which will be reviewed every two years in
conjunction with the IT Steering Group (to be formed).
Proposed updates will be presented to the senior management for adoption according to their organizational
arrangements for approval of IT policies. Upon acceptance by WISE, the update will come into force.
Any discretionary controls added by WISE are reviewed annually; however updates may occur more frequently
if deemed necessary.
Purpose
The purpose of this policy is to establish security measures to ensure a sufficient level of protection is provided
in response to the security risks presented by Internet use within WISE.
The Internet provides access to an array of information, resources and services that provide potential
opportunities and benefits which aid and support the work of WISE. However, if Internet use within WISE is not
securely managed, it can expose WISE to risks at both a technical level (with potential damage being caused to
IT infrastructure) and an operational level (with misuse of Internet resources leading to possible reputational
damage to WISE and a loss in productivity).
Scope
This document covers the responsibilities of IT Administrators, other technical staff and general users with
regard to Internet security controls but it does not cover the matter exclusively. Other policies, best practice
guidelines, standards, and procedures may also define additional responsibilities, especially in regard to
network and server security issues.
Use of Internet and privacy issues concerning monitoring and archiving of email is covered by the IT Privacy and
Acceptable use policy.
This policy applies to all permanent and temporary staff within WISE as well as contractors and visitors who
work and/or visit WISE who have a stake in any changes occurring in WISE’s IT Service environment.
Implementing this policy is an important component of ensuring that potential threats to the overall IT security
position of WISE are managed effectively. This is particularly the case given the shared network, which has
created inter-dependency among s with respect to network security.
| 1. | Administration of Internet Access 1.1. Only authenticated users should have access to the internet from the internal networks. Access |
by visitors to the Internet is covered in the Network Infrastructure Security Policy.
1.2. All outbound Internet traffic from WISE’s network zone should pass through a web filtering
gateway. Access to sites categorised as being potentially harmful to WISE will be blocked. More
details are provided in the IT Privacy and Acceptable Use Policy.
1.3. All Internet traffic (inbound and outbound) should pass through an anti-virus gateway. At a
minimum, up-to-date anti-virus and anti-malware software should be installed and running on
workstations with Internet connectivity.
1.4. All firewalls located in WISE should be configured in accordance with the configuration guidelines
and policy recommendations provided in the Network Infrastructure Security Policy. In addition,
the following guidelines apply specifically to Internet facing firewalls:
| | Logging of all changes to the firewall configuration and installation should be performed at all times. |
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 25/26 |
| | An explicit “deny all” rule should be implemented as the last rule in the filtering configuration of Internet facing firewalls to allow for logging of rejected connection attempts to any relevant Internet services. Backup firewall configuration files stored offline should only be viewable by designated IT staff. Internet facing firewalls should use Network Address Translation (NAT) where possible when |
| | |
| |
forwarding to internal network devices.
2. External Connections
2.1. Workstations connected to the internal network should not establish a separate direct
connection (for example, through a modem, wireless connection or similar) to other external
networks (including the Internet), as per the Network Infrastructure Security Policy and the
Workstation Security Policy.
2.2. Access to internal networks from the Internet (for example, via VPN) should only be allowed for
users that have been approved for such access by WISE’s IT Manager.
2.3. It is highly recommended that workstations that connect to the internal networks via a VPN
connection do not access the internet at the same time unless it is through the VPN connection.
2.4. External connections should not be established that allow unauthorised parties to gain access to
the internal networks of WISEs. More detail is provided in the Network Infrastructure Security
Policy.
3. Internet Services
3.1. Internet services pass through a web filtering gateway and firewall. Use of internet services
categorised as being potentially harmful to WISE will be blocked. More details are provided in
the IT Privacy and Acceptable Use Policy.
3.2. FTP servers hosted by WISE that accept connections from the Internet should be located in a
DMZ. These FTP services can accept anonymous connections but in these circumstances readonly access to the server should be all that is permitted, and access to content on the server
should be restricted to non-confidential information.
3.3. A log should be created that records all requests (both inbound and outbound) for Internet
services including FTP and SSH. The generated audit logs should be reviewed on a monthly basis
by the designated IT staff of WISE.
4. Related Documentation
These additional policies will be considered to develop in future.
| 4.1. | Network Infrastructure Security Policy |
| 4.2. | IT Privacy and Acceptable Use Policy |
| 4.3. | Workstation Security Policy |
| 4.4. | IT Change Management Policy |
5. Compliance and Waivers
5.1. Compliance with this policy by users, network administrators, or others responsible for
implementation of the policy, is mandatory. Procedures are in place to monitor compliance with
this policy.
5.2. Violations of this policy may result in disciplinary action in accordance with the human resources
policies of WISE.
5.3. Requests for waivers of this policy shall be formally submitted to the Senior Manager. The
requests shall set out the justification, duration of the proposed waiver and how the increased
risk arising from the waiver will be managed. Requests will be approved by the Senior Manager
| Version | 1.0 | 21/05/2014 | |
| WISE IT! | Network Enhancement Proposal | Requirement Definition Document (RDD) | 26/26 |
of the person making the request, in consultation with the IT Manager and will be documented
in the form of a management letter.
5.4. Approved waivers shall be monitored to ensure that the conditions of the waivers are being
observed.
Definitions
Authentication: The process of identifying an individual usually based on a username and password.
Authentication is distinct from authorisation, which is the process of giving individuals access to system
objects based on their identity. Authentication merely ensures that the individual is who he or she claims
to be, but says nothing about the access privileges of the individual. Three types of factors can be used to
provide authentication: a) something you know (e.g. a password), b) something you have (e.g. a certificate
or card), and c) something you are (e.g. a fingerprint or retinal pattern). Using any two in conjunction is
known as two factor authentication.
| | Email: The electronic transmission of information through a mail protocol such as Simple Mail Transfer Protocol (SMTP). Encryption: The process by which data is re-arranged into an unreadable or unintelligible form for confidentiality, transmission or other security purposes File Transfer Protocol (FTP): A standard Internet protocol that is used to exchange files between computers on the Internet. FTP is an application protocol that uses the Internet’s TCP/IP protocols. FTP is commonly used to download programs and other files to your computer from other servers. Firewall: Security device (either hardware or software based) that is used to restrict IT access in |
| | |
| | |
| |
communication networks. They prevent computer access between networks, or networks and applications,
and only allow access to services that are expressly registered. They also keep logs of all activity, which
may be used in investigations.
Network Address Translation (NAT): A feature typically employed by firewalls/routers that interface
between external and internal facing networks. NAT allows the allocation of multiple IP addresses to
machines located in internal networks, without the existence of these machines being revealed on the
external network. Instead, only a single or small number of IP addresses are advertised to the external
network, which is then mapped by the router/firewall to the machines on the internal network.
| | Senior Manager: The person on WISE’s management committee who has responsibility for the person making the request. |
End of Document