1. PROPOSAL FOR A NEW UNIFIED COMMUNICATIONS NETWORK
Aperture Technologies
2. Who We Are
• Aperture Technologies is a network design company that started out in the founder's garage. Since then we have grown from a small organization into a multi-million dollar company with 225,000 employees and 19 offices located in five different countries around the world, and we are still growing.
3. Our Mission
• Our mission is to provide other companies with efficient, safe and reliable networks. We help companies keep costs down and revenues high. We specialize in global networks and getting communications from one end of the globe to the other.
• Since 2000 we have helped to develop networks for companies such as Gallo Wineries, Modesto Irrigation District, Chicago Title Company, and Global Construction, to name a few.
4. SCOPE
• To identify new needs, ensuring that corporate has access to all information and that real-time communication is possible for our overseas offices.
• To ensure that support for the new branches is met, and that the network meets all the needs of our 225,000 employees.
• Finally, to ensure that all information is kept as safe and secure as possible.
5. ROLES
• Senior Management
– Ensures that the project meets the overall goal of the company's needs to keep the company profitable.
• IT Management
– Ensures that company guidelines for the network are being followed to keep productivity high. Helps with implementation of policies and procedures.
• IS Management
– Ensures that all required security requirements and precautions are met. Develops practices for testing and implementation. Helps to make recommendations about security practices to follow, as well as the development of the DRP.
6. ROLES
• Functional Management
– Helps in the overall development to ensure that functionality across the board is met.
• IS Security Practitioners
– Responsible for putting the implementation together, testing, documenting, and overall management of the system when it goes live. Active scanning and evaluation of the network.
• IT Technicians
– Responsible for the main installation of all network components, initial configurations, and testing of equipment under the direction of IT Management.
• Security Awareness Trainers
– To make sure that all end users, employees, contractors, or other persons who need to understand the policy contained in this plan do so, based on the duties they need to perform.
7. CURRENT COMMUNICATIONS
• Old PSTN telephones
• Still paying for international and long distance calls
• Slow email to send and gather important information
• Still traveling for all meetings
• Throwing money away
8. PROPOSED COMMUNICATIONS
Utilizing SIP and H.323
• Implement an IP-PBX phone system
– One low monthly cost rather than a per-call charge
• Instant messaging with file transfer ability
– The ability to instantly reach another person and share files quickly
• Video conferencing
– Reduced cost of international and interstate meetings.
9. VLAN AND WLAN
• Dynamic VLANs for flexible productivity
• VLANs assigned through the WLAN for mobile users
• Single sign-on authentication for ESXi, AD, and RADIUS.
10. VLAN CONFIGURATION
• Executive Offices (VLAN 10): For the executive officers and board members that need access to resources. Located at the corporate office only.
• Marketing (VLAN 16): All market research, marketing, and advertising departments. Located at the corporate office only.
• Operations (VLAN 32): Operations department.
• Managers (VLAN 48): Area, district, and branch managers.
• Human Resources (VLAN 64): Hiring and training personnel.
11. VLAN CONFIGURATION
• Accounting and Finance (VLAN 80): All departments that deal with money for the company.
• VoIP (VLAN 96): IP telephones.
• Video (VLAN 112): All network components that deal with teleconferencing other than the phone system.
• Network (VLAN 128): All core network equipment: routers, firewalls, switches. These are statically assigned addresses.
12. WLAN
• For the purpose of inter-departmental meetings and other functions, a WLAN will be placed on each VLAN.
• Because dynamic VLANs are in use, wireless users will only have access to the VLAN assigned to them.
• 802.11ac standard at 5 GHz for all Wi-Fi needs. This is backwards compatible with all other standards before it.
• Right now 802.11ac is pushing between 1 Gbps and 5 Gbps depending on the setup.
• This should allow mobile devices to handle any type of multimedia streaming if needed.
13. NETWORK CONFIGURATION
• Switches
– 10GB bridge
– 10/100/1000 Ethernet
• Firewalls
– Unified threat management (UTM) for the core network
• Packet filtering, malware detection, spam, and virus checks
– SIP/H.323 for the VoIP network
14. NETWORK CONFIGURATION
• Routers
– OSPF configurations
– The SIP gateway will run OSPF, but will only route the SIP and H.323 protocols
• OSPF allows for other vendor equipment
• A dedicated line between branches in the same country will be used for security and bandwidth purposes.
15. IP Schema
Internal Network Schema
Device              Core Network       VoIP / Video
Routers             10.X.128.1-9       10.X.96.1-5
Firewalls           10.X.128.10-19     10.X.96.10-20
GB Switches         10.X.128.20-29     10.X.96.20-29
Local Switches      10.X.128.30-39     10.X.96.30-39
PBX                                    10.X.96.6-9
Internal Servers    10.0.128.50-69
DMZ Servers         10.0.128.70-79
18. Office Private Schema
The X indicates the country code for the subnet (10.0.0 shown for the corporate office). Subnet mask 255.255.240.0. Dynamic addressing unless indicated.
Department                    First address   Last address
Executive office              10.0.0.1        10.0.15.254
Marketing                     10.0.16.1       10.0.31.254
Operations                    10.X.32.1       10.X.47.254
Managers                      10.X.48.1       10.X.63.254
HR                            10.X.64.1       10.X.79.254
Accounting / Finance          10.X.80.1       10.X.95.254
VoIP                          10.X.96.1       10.X.111.254
Video                         10.X.112.1      10.X.127.254
Network Equipment (static)    10.X.128.1      10.X.143.254
19. Global Private Schema
Country subnets by office; x indicates the subnet scheme above. 4096 subnets, 4094 hosts per subnet. 225,000 employees; 500,000 total IP addresses estimated for equipment and VoIP. Approximately 1974 employees per office subnet.
Country    Office       Office Subnet
USA        Corporate    10.0.x.x
           LA           10.1.x.x
           SF           10.2.x.x
           Boston       10.3.x.x
           SD           10.4.x.x
           NY           10.5.x.x
Austria    Vienna       10.10.x.x
           Salzburg     10.11.x.x
           Inz          10.12.x.x
Germany    Berlin       10.20.x.x
           Stuttgart    10.21.x.x
           Munich       10.22.x.x
France     Paris        10.30.x.x
           Bordeaux     10.31.x.x
           Nice         10.32.x.x
Japan      Tokyo        10.40.x.x
           Sapporo      10.41.x.x
           Osaka        10.42.x.x
20. Global Gateway Router Schema
Country    Office         Dedicated line    ISP               Gateway
USA        Main Router    200.200.200.1     200.200.200.2     none
           Corporate      200.200.200.5                       200.200.210.1
           LA             200.200.200.9                       200.200.210.5
           NY             200.200.200.25                      200.200.210.21
Austria    Vienna         200.200.200.29    200.200.200.30    200.200.210.25
           Salzburg       200.200.200.33    200.200.200.34    200.200.210.29
           Inz            200.200.200.37    200.200.200.38    200.200.210.33
Germany    Berlin         200.200.200.41    200.200.200.42    200.200.210.37
           Stuttgart      200.200.200.45    200.200.200.46    200.200.210.41
           Munich         200.200.200.49    200.200.200.50    200.200.210.45
21. BEST PRACTICES
• MANAGEMENT
– Management team
• Overall changes or major changes
• Comprised of IT management, IS management, the CIO, as well as departmental heads
– Implementation team
• New software, firmware or hardware
• Comprised of the IS and IT departments
22. Monitoring
• Ticketing system
– For users to report problems and issues
– Used for automated monitoring as well
• Network monitor
– SolarWinds monitoring software
– SNMP traps
23. SECURITY
• Users
– Training
– RF badges
– Policies
• Workstation
– Antivirus
– Intrusion prevention and detection
– UPSs
– VMware for easy workstation restoration
24. SECURITY
• LAN
– Dynamic VLANs for segmentation
– Single sign-on for user convenience
– IPS and IDS on all network equipment
– All default usernames and passwords changed
• WLAN
– 802.1X Enterprise WPA2 encryption
– WPA2 will work with AD and the VLAN authentication to provide single sign-on for user convenience
25. SECURITY
• LAN to WAN
– UTM firewalls
– Default usernames and passwords changed
– IPS and IDS
– Stateful packet filtering
– DMZ to be utilized
• WAN
– SLA to meet the company BCP
26. SECURITY
• Remote Access
– SSL VPN
– Three-way authentication
– HDD encryption on mobile devices
• Mission Critical Center
– IDS and IPS active
– Backup servers
– Halon 1301
– Unused resources disabled
27. SECURITY
• Physical Security
– All network equipment will be locked
• Closet or room
– RF badges for access
– Cameras in place
• Entrance
• Inside areas
– Locking cabinets with tubular security locks
28. Overview
• Dynamic VLANs
• DMZ implementation
• Bringing in a dedicated line for branch offices in the same country
• VPN for cross-continental communication
• The implementation of VoIP and video conferencing