What is shown above is the network diagram for the Network Administration Capstone. The senior project had us use what we learned in our previous courses at Morrisville to create a fully functional “corporate” network with everything integrated.
How we accomplished the tasks set for us was up to us; we decided to go above and beyond and put 110% into this project.
Router / Firewall
For the Edge Router and Firewall, we chose to use something other than a traditional firewall. Open source software is becoming more popular in the business world – servers, desktops and software packages are making their way into organizations. There are also many open source network appliances available.
pfSense is a free OpenBSD-based distribution customized to provide routing, network address translation (NAT), firewall, intrusion detection, intrusion prevention and captive portal … among other features. Needless to say, it fit all of our needs, and it was all in one device!
pfSense features a web GUI after initial configuration from the command line. It was very simple to set up our WAN, LAN, DMZ and Guest wireless networks with pfSense.
Network with emulated WAN Link
The network requirements for this project were 3 VLANs at two locations connected by a serial cable (WAN Link). The 3 VLANs were Sales, Administration and Engineering. We decided that using class B private addresses (172.16.x.x) with a 22-bit network prefix (255.255.252.0 subnet mask) would provide our theoretical organization enough addresses per subnet.
The DHCP and DNS servers resided on the Management VLAN at both locations. For the “Morrisville” office, both services were provided by the Active Directory Domain Controller. At the “New York City” location, we alternated between having these services provided by a Linux server or a read-only Domain Controller.
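The addressing plan above worked through in Python, as an added example that is not part of the original writeup: it derives the host bits and usable host count from the 255.255.252.0 mask and carves consecutive /22 subnets out of 172.16.0.0/12 for each site and VLAN. The site and VLAN names come from the text; the 20-address reservation for the gateway and servers is an assumption.

```python
"""Carve the 172.16.0.0/12 private block into /22 VLAN subnets, one per site."""
from __future__ import annotations
import ipaddress

PRIVATE_BLOCK = ipaddress.ip_network("172.16.0.0/12")  # the class B private range
VLAN_PREFIX = 22                                        # 255.255.252.0


def mask_summary(prefix: int) -> dict[str, object]:
    """Derive mask, host bits and usable host count from a prefix length."""
    host_bits = 32 - prefix
    return {
        "mask": str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask),
        "host_bits": host_bits,
        "usable_hosts": 2 ** host_bits - 2,  # minus network and broadcast
    }


def plan_subnets(sites: list[str], vlans: list[str], prefix: int = VLAN_PREFIX):
    """Assign consecutive /prefix subnets to every (site, VLAN) pair."""
    pool = PRIVATE_BLOCK.subnets(new_prefix=prefix)
    plan = {}
    for site in sites:
        for vlan in vlans:
            plan[(site, vlan)] = next(pool)
    return plan


def dhcp_scope(net: ipaddress.IPv4Network, reserved: int = 20):
    """Reserve the first `reserved` addresses (gateway, servers; assumed size)
    and hand out the rest. Returns (gateway, first lease, last lease)."""
    hosts = list(net.hosts())
    return hosts[0], hosts[reserved], hosts[-1]


def overlaps(plan) -> bool:
    """Sanity check: no two subnets in the plan may overlap."""
    nets = list(plan.values())
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


SITES = ["Morrisville", "New York City"]
VLANS = ["Sales", "Administration", "Engineering"]

if __name__ == "__main__":
    print(mask_summary(VLAN_PREFIX))
    for key, net in plan_subnets(SITES, VLANS).items():
        gw, first, last = dhcp_scope(net)
        print(key, net, "gateway", gw, "DHCP", first, "-", last)
```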
Active Directory is everywhere; almost every organization uses AD for their directory services. A large part of this project was getting Active Directory up and running.
Because Active Directory is extremely reliant on DNS, we had to make sure we got the DNS settings correct. We had to do some troubleshooting at different points in the project to get all of our computers and servers to “talk to each other”.
Below is some of the AD and Group Policy work we did:
- Installed software from Group Policy
- Set up a print server
- Assigned users to pertinent groups
- Assigned computers to groups
- Windows Server Update Services (WSUS), see below
- Controlled access to Network Attached Storage (NAS), see below
Windows Server Update Services (WSUS)
WSUS is an available software package for Windows Server 2003 and 2008. Its function is to centrally administer updates to AD domain computers and distribute them from one central location on the network. Instead of having 50 computers each download a major service pack, it is downloaded once to the WSUS server and then pushed out to the client computers.
WSUS also allows updates to be tested on a small number of computers before they are released organization-wide. This feature is particularly useful for catching software compatibility issues … an update will break a test computer instead of every computer in the organization!
While WSUS will be covered in my how-to section, here is a brief outline of what we did:
- Install the WSUS role
- Create groups for computers
- Configure GPO for WSUS in Group Policy Management, apply it to groups or organizational units
- Import Groups into WSUS
- Synchronize Updates
- Approve and send out updates
Microsoft Exchange is another popular software package. Because it integrates so well with Active Directory, it is extremely useful as an email application. We worked with multiple versions of MS Exchange on this project, including 2003, 2007, and 2010 beta.
After joining the Exchange server to the domain, setup was fairly straightforward. The important things to note are that we had to install the prerequisites listed on TechNet and set up a domain account with the following privileges: Administrator, Domain Administrator, Enterprise Administrator, Schema Administrator and Local Administrator (only on the Exchange server). Very little troubleshooting was needed on the Exchange install.
To make webmail (OWA) accessible at webmail.domain, we added host records and aliases in DNS Management.
Network Attached Storage (NAS)
A Network Attached Storage device is just that – an appliance, or a dedicated computer, whose specific purpose is storing data on the network. There are many possibilities for how to set up a NAS and what to use it for. The NAS in this project was set up to receive backups from Symantec Backup Exec (see below) and to host file shares for each organization.
Instead of using the ubiquitous Windows Server for the NAS, we thought outside the box and chose a solution that could save an organization money. Again, the solution was open source software! Openfiler was our NAS choice.
I will say that Openfiler did not provide some of the more advanced features of Windows Server 2003 or 2008, but it was able to do what we needed. In particular, it could not grant file share permissions to individual users (groups, it could!).
Using a built-in integration feature, we were able to seamlessly integrate the Openfiler unit into our Active Directory. However, we could not access it by hostname.
Troubleshooting: The problem was that Openfiler, a Linux machine, had a static IP address and was not fully joined to the domain the way a Windows PC would be. Its name record did not show up in DNS Management. At first, we made an alias for it … but that did not work. What we needed was an A record in DNS. This “maps” the IP to the hostname and gives us what we need.
Troubleshooting: After creating the right record, we still had problems with clients trying to authenticate to the NAS instead of to the domain controller. Some research led me to discover that we had to have a WINS server. After setting up a WINS server on the domain controller, we were fully functional!
Next, fileshares followed and we were backing up and retrieving files from our NAS.
Symantec Backup Exec
Another popular business tool is Symantec Backup Exec, a very widely used backup program. While we were unable to use advanced features like tape backup (limited by the trial version), I was able to gain some first-hand experience working with Backup Exec.
All of our servers were backed up to the NAS. Best Practice: Had we been doing a backup-to-disk for an organization, backing up to just a NAS would not be enough. We would have to back up to some portable media and have some backups stored off site.
Virtual Private Network (VPN)
Mobility and telecommuting are growing in popularity. More workers are working from home. To do so, these employees need a VPN to gain access to their internal corporate networks from home.
There are many types of VPN that can be used: hardware appliances such as a Cisco VPN, open source software VPNs (OpenVPN) and Windows Server VPN. Since the network already had a large Active Directory implementation, we decided that using Network Policy Server (formerly RRAS) in Windows Server 2008 would work great and integrate very easily. We were correct. This was very quick and straightforward to set up.
To test this, I used the VPN to gain access to our network from my dorm room … and then could work from the comfort of my room.
Troubleshooting: Not only does port 1723 have to be forwarded, but GRE has to be forwarded as well. GRE is its own IP protocol and needs to be forwarded as a whole … GRE is not a TCP or UDP port. To do this, we had to make sure our router supported GRE. Some DD-WRT distributions support GRE.
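The troubleshooting note above worked through in code, as an added example that is not from the original project: a minimal IPv4 parser shows why a forwarding table keyed on TCP/UDP ports never matches GRE (IP protocol 47), so the PPTP control connection on TCP 1723 gets through while the tunnel traffic is dropped. The sample packets are constructed with documentation-range addresses, and the rule-table format is an assumption for illustration.

```python
"""Classify IPv4 packets the way a port-forwarding router must for PPTP."""
from __future__ import annotations
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
PPTP_CONTROL_PORT = 1723


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (no options, checksum left zero) plus payload.
    Source/destination are placeholders from the RFC 5737 documentation ranges."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes([198, 51, 100, 7]), bytes([203, 0, 113, 9]))
    return header + payload


def parse_ipv4(pkt: bytes) -> tuple[int, bytes]:
    """Return (IP protocol number, transport payload); honours the IHL field."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], pkt[ihl:]


def classify(pkt: bytes) -> tuple[str, int | None]:
    """Map a packet to (layer-4 protocol name, destination port or None).
    GRE carries no port fields, so its destination port is always None."""
    proto, payload = parse_ipv4(pkt)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        dst_port = struct.unpack("!H", payload[2:4])[0]   # ports sit at bytes 0-3
        return ("tcp" if proto == IPPROTO_TCP else "udp"), dst_port
    if proto == IPPROTO_GRE:
        return "gre", None
    return f"ip-proto-{proto}", None


def is_forwarded(pkt: bytes, rules: set[tuple[str, int | None]]) -> bool:
    """Assumed rule table: entries are (protocol, port); a protocol-level entry
    such as ("gre", None) is what a 'GRE passthrough' setting amounts to."""
    return classify(pkt) in rules


# Constructed samples: a PPTP control segment (TCP to 1723) and a GRE tunnel packet.
PPTP_CONTROL = build_ipv4(IPPROTO_TCP, struct.pack("!HHIIBBHHH", 50000, 1723, 1, 0, 0x50, 0x02, 8192, 0, 0))
GRE_DATA = build_ipv4(IPPROTO_GRE, struct.pack("!HH", 0x3001, 0x880B) + b"\x00" * 8)

PORT_ONLY_RULES = {("tcp", 1723)}             # the common mistake: control channel only
PPTP_RULES = {("tcp", 1723), ("gre", None)}   # what PPTP actually needs

if __name__ == "__main__":
    for name, pkt in (("control", PPTP_CONTROL), ("tunnel", GRE_DATA)):
        print(name, classify(pkt), is_forwarded(pkt, PORT_ONLY_RULES), is_forwarded(pkt, PPTP_RULES))
```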
802.1x (RADIUS) Wireless Authentication
Wireless is another technology becoming popular in organizations. Whether a business wants to allow its users to move around the office freely or is saving money by not running and terminating cable, its usage is definitely increasing.
Wireless is inherently insecure. EVERY packet (or frame!) is transmitted in EVERY direction, thus leaving wireless open to “sniffing” and to intruders picking up sensitive data. Security protocols – WEP, WPA and WPA2 – have been developed to combat this.
Authenticating clients on a wireless network can be done a number of ways. A pre-shared key (WPA-PSK, Home) can be distributed among users. This is seen more as a “home” way of connecting. We set up our wireless using RADIUS authenticating against our domain controller. Users that were joined to the domain were able to connect to our wireless using their domain user account and password. We could apply this setting to individual users or groups of users.