Network and Systems Analysis

gayheadavon, Networks and Communications

27 Oct 2013 (3 years and 10 months ago)



Bridge Capital Corporation

Network and Systems Analysis





















Prepared by:

Gregory T. Pulos II

Network Engineering Consultant


Version 1.0


BCC Network and Systems Analysis

2

10/28/2013



TABLE OF CONTENTS

I. NETWORK ANALYSIS .......................................... 3
   A. SCOPE ................................................. 3
   B. INFRASTRUCTURE ........................................ 3
      1. Current Topology Design Limitations ................ 3
      2. Initial Network Design ............................. 4
      3. Current Network Design ............................. 5
      4. Topology Bottlenecks ............................... 5
      5. Required Network Design ............................ 6
      6. Switch and Router Configuration .................... 6
   C. PROTOCOLS ............................................. 8
      1. Currently Running Protocols ........................ 8
      2. Unnecessary Protocols .............................. 8
   D. DATA TRAFFIC .......................................... 9
      1. Local Traffic ...................................... 9
      2. Network Utilization ................................ 10
      3. Internet Traffic ................................... 11
      4. Data Loss .......................................... 12
   E. NETWORK SECURITY ...................................... 15
      1. Internet Security .................................. 15
      2. Email Security ..................................... 18
      3. Remote Access Security ............................. 19
   F. ADMINISTRATION ........................................ 20
      1. HelpDesk ........................................... 21
      2. Network Tools ...................................... 21
      3. System Tools ....................................... 21
II. SYSTEMS ANALYSIS ......................................... 22
   A. SERVERS AND WORKSTATIONS .............................. 22
      1. Windows Servers .................................... 22
      2. Fax Servers ........................................ 27
      3. Email Servers ...................................... 28
      4. SQL Servers ........................................ 28
      5. Web Servers ........................................ 29
      6. Workstations ....................................... 31
   B. SYSTEMS SECURITY ...................................... 31
      1. Server/Domain Security ............................. 32
      2. Application Security ............................... 32
      3. AntiVirus Security ................................. 32
      4. Data Backup Security ............................... 32
   C. COLLOCATION ........................................... 34
III. EXECUTIVE SUMMARY ....................................... 35





I. Network Analysis

A. Scope

This document details problems that have been identified during the initial BCC Network and Systems Analysis. It also describes the required tasks for resolving the problems identified, and recommends solutions for a more stable and available data communications environment.


B. Infrastructure

1. Current Topology Design Limitations

The initial infrastructure analysis revealed many areas of network design that are causing data bottlenecks, packet loss and severe network delays on a constant basis.

These problems are limiting network operation and productivity. Continued growth and scalability of BCC data communications will not be possible until the network topology is modified and reconfigured using industry specifications.

Topology redesign points that must be considered are listed below:

- Increase Inter-Building Link Capacities
- Remove Shared Bandwidth Media
- Increase Traffic Aggregation Point Capacity
- Implement and Utilize Current Data Lines, i.e.: idle T1’s
- Configure STP for optimal convergence and better network performance, i.e.: portfast
- Change ISP link from Frame Relay to dedicated T1(s)







2. Initial Network Design

The diagram below shows the initial network topology as it was when this analysis began, including link sizes, port connections and device information.

This initial network design has been improved upon only slightly since this analysis began. There are many more issues to address and links to reconfigure to create a more efficient data communications environment that can continue to grow and scale to BCC system needs.

The current problems and design issues are documented in the following sections.

! One thing that must be addressed is the Internet link, which is Frame Relay. With the current size and expected growth of BCC, the Internet link should be changed from Frame Relay link(s) to dedicated T1 leased line(s).



3. Current Network Design

The diagram below shows the current network topology including link sizes, port connections and device information.

4. Topology Bottlenecks

Topology bottlenecks are those connection points that do not provide enough bandwidth for the aggregated user sessions that must traverse them. In other words, it’s a 1-lane road where a 4-lane highway is required. The traffic (data) immediately begins to back up and causes severe delays across the entire infrastructure, ultimately breaking down the data communications system and halting all data processing.

These severe delays and traffic losses are currently happening at levels that are evident in the consistent, intermittent losses of network availability.

The topology bottlenecks that currently exist are as follows:

- BCC Network to the Firewall (firewall inadequate for BCC)
- Firewall Connection to the Internet Router (only 10mb / half duplex, must replace firewall with an adequate device)
- Bldg. 91 to Bldg. 81 Fiber Link (only 100mb / half duplex)
- Bldg. 81 Edge Switch to Linksys Hub (remove hub)
- Bldg. 91 Core Switch to Linksys Hub (remove hub)
- Internet link is Frame Relay and should be full T1(s)




5. Required Network Design

The diagram below shows the required network topology that is needed to support the current user base. Expected growth will require higher capacity network switches.

6. Switch and Router Configuration

The BCC network switches are not configured for optimal use and efficiency. The need for the switches, the core of the data processing of BCC, to be correctly configured for optimal efficiency is evident in the network delays and outages currently experienced.

There are a few points to consider when configuring switching in an internetwork where more than one internetworking device is present. Many factors contribute to the overall stability, proficiency and availability of the network. Current trouble spots in the BCC switching environment are mentioned below.





A list of switch configuration issues is as follows:

- Server connections must be 100mb / Full Duplex.
- Inter-Switch connections must be 100mb / Full Duplex at the minimum. (recommend 1GB or at least 200mb / Full Duplex)
- Etherchannel links should be created to support heavy Inter-Building communications. (requires additional fiber strands)
- Etherchannel bundles not requiring multiple VLAN operation should be removed from TRUNK status.
- Spanning Tree Protocol PortFast should be configured for user/server connections. (only keep STP running on network loop or inter-switch connections)
- Spanning Tree Root Bridge should be configured as the Core 5509 switch. (currently auto-elected to the 81 bldg. 5505)
- The switches’ IOS should be upgraded. The current version 4.5.12 should be upgraded to 6.4.5.

Along with the correct switching configuration, any routers residing on the network must also be configured for optimal data processing efficiency.

A list of Internet router configuration issues is as follows:

- Password encryption should be enabled. (this is a device that sits on the edge between the BCC world and the rest of the data world. Password security must be a priority)
- Ethernet connection should be 100mb / Full Duplex
- Remove all secondary addressing from the Ethernet port.
- Remove configuration information for hardware not installed in the router. (configuration for a device not installed could lead to boot-up problems)
- Remove routing protocols that are running. (currently RIP is running and should not be. No routing protocols should be running on network border devices unless needed for inter-gateway communications, as in redundant links to an ISP)
- Remove static route entries not required for operation. (currently a static route exists for a non-existent link)
- Router IOS should be upgraded. The current version 12.0.6 should be upgraded to the 12.3.1a-mz version.

A correctly configured and maintained switched and routed environment will have the capacity to handle the current data loads as well as remain scalable for growth without encountering added or visible network delay.

An incorrectly configured and maintained switched and routed environment will not scale with growth or allow additional services to be added to the network without severe degradation in data processing, as currently seen in the BCC environment.







C. Protocols

Protocols on a network define the rules of communication for the network and the devices that use it.

Specific protocols should be used only when they are required. There should never be a protocol running, or talking, on a network unless it is required to accomplish a task or service the network provides.

1. Currently Running Protocols

The protocol of choice for BCC is IP, Internet Protocol, aka TCP/IP. This protocol provides support for all of the services of all of BCC’s data communication systems. There is currently no need for any other protocols in the BCC environment.

There are, however, other protocols running on the BCC network that should not be used and are consuming network resources needed by other systems.

2. Unnecessary Protocols

The list of unnecessary protocols running on the BCC network is as follows:

- IPX

IPX is a Novell Netware proprietary protocol and is prone to constant broadcasting of available services and device lookup information. This protocol is not used by any systems in use by BCC. It should be removed, or un-configured, on all devices that currently have it configured and running.

The list of devices, by MAC address, that are currently configured to talk IPX is as follows:

- 0800.1115.B7CD
- 0000.746F.2282
- 0010.DC2D.F94A
- 0060.B092.19BB
- 000B.DB2D.3754

The devices listed above should be identified and then manually reconfigured so that IPX is no longer running.

There are no other protocols configured that shouldn’t be in the BCC environment.






D. Data Traffic

The term ‘Traffic’ describes any data communication that takes place on the BCC Local Area or Wide Area Networks.

A traffic analysis shows trends in traffic flow, resource utilization, peak/idle traffic periods, source and destination of heavily used devices/services and overall network performance.

Performance and scalability of the network are wholly dependent on the traffic types and flows across the network.

1. Local Traffic

Scenario: In the case of BCC, the local traffic flows and amounts are such that the network itself is not able to keep up with the communications of all the devices, resulting in 300-400% more data being lost from the network than the network is successfully processing. In other words, for every 10 packets of data the BCC network processes, 30-40 packets of data have been dropped from the network, forcing the senders to re-communicate the same data. (It’s like asking an employee to fax a letter 5 times. Only once out of the 5 attempts did the employee actually complete the task.)

! Data loss is severely degrading the performance and scalability of the network, as well as end user productivity, by 75% and more.

! There is no room for growth or capacity to add additional systems to the BCC network without further degrading the data communications environment.

! The 3Com Voice Over IP solution soon to be implemented at BCC will not be successful in the current environment.

Correction of traffic problems will greatly increase the performance and scalability of the network as well as visibly increase end user productivity.





2. Network Utilization

The following graph depicts a ‘snapshot’ of the BCC network utilization problems that are consistent throughout the network, all day, every day. The graph shows the average utilization on any given day at any given time.

These are not the ‘worst-case’ details as seen intermittently every day. The worst-case traffic issues that have been seen commonly bring the BCC network to a crawl, if not a complete halt, and should be addressed immediately.

Figure 1. BCC Network Utilization

! The utilization of the BCC network is sporadically high. This leaves zero room for network recovery during normal heavy use times, causing continuous, intermittent network failures where in many instances network operation is at a standstill.

! The extremely high utilization also prevents the network from growing further in size or in the number of services it provides.

! Any further network growth will continue to degrade network operation and performance.






! Sub-optimal configuration of devices, ranging from the workstation PCs, switches and firewall to the Internet router, all contribute to the high utilization and unstable environment that exists today. i.e.: Port duplexing and port speed should be predetermined and set accordingly for all network attached devices. This is currently not the case on the BCC network.

! It is not uncommon for the BCC network to reach utilizations well above 50% many times in a single day. A 50% utilized Ethernet network is considered saturated due to the large amount of overhead the protocols use, especially at the level of utilization the network hits regularly. Network outages or extreme slowness are the result and are common on the BCC network.

! Inter-Building connections must be Full Duplex and as high capacity as possible. This is currently not the case on the BCC network.


3. Internet Traffic

Internet based traffic accounts for an estimated 72% of the data traffic generated or supported by the BCC network.

Currently a lot of business critical services provided by the BCC network use the Internet as a medium. These services include Email, Loan Energizer, Qualifier, Web Site, Fax and SQL services. This is a sub-optimal configuration.

The amount of traffic generated to traverse the Internet connection is greater than the capabilities of the two devices that create this link. The devices that are crippled by the amount of BCC Internet traffic are the Accelerated Networks Internet Companion firewall and the Frame Relay circuit to the ISP.


! Statistics of traffic gathered on both sides of the firewall indicate that the firewall is a major contributor to lost data on the network as well as to the Internet delays and outages commonly seen every day.

! The firewall is failing in two places:

1) The outbound data from the local area network destined for the Internet. The firewall is not able to keep up with the required bandwidth or the number of sessions required to maintain consistent user connectivity throughout the company.

2) The inbound data from the Internet router destined for the local area network. The firewall does not provide enough bandwidth for inbound traffic from the Internet router.

NOTE: The A.C.I.N firewall is severely hampering network productivity and should be replaced ASAP with a device capable of providing the services required by the BCC systems.



NOTE: BCC currently has (2) data circuits from a telco to an ISP. One of these circuits is currently not even used and is disconnected from any BCC hardware.


This circuit should be put into use to help relieve some of the Internet based traffic problems as well as provide a redundant link to the Internet in case one of the two circuits fails.

! This non-use of a single circuit is costing BCC over $1100.00 per month.


4. Data Loss

The BCC network is currently experiencing an average data drop or loss of approximately 75-80%. This includes the data loss from the local area network as well as the data loss from the Internet based traffic.

This very high percentage of data dropped from the network shows the inefficiency of the network in its current configuration. Remedying the situation would yield an increase in network efficiency and productivity of approximately 300% or more, plus the added benefit of being able to scale to network growth demands.

The following graph shows the extremely high rate of data loss on the BCC network.

Figure 2. BCC Network Packet Drops per Second

The above graph displays the packets of data dropped every second from the BCC network.





! It should be known that the number of packets dropped by the network is approximately 300-400% higher than the number of packets processed by the network. This is the worst-case scenario for any data communications environment and must be avoided for even the lowest capacity networks.

Many factors contribute to the dropping of data from the BCC network, as listed:

- Incorrectly configured devices (port duplexing and speed)
- Daisy chained network connectivity (chaining a hub from the switch for more than 2 users. There are two major examples in the BCC environment)
- Inadequate link sizes between the network core and edge switches (between the buildings and inter-switch links)
- Inadequate devices that are over-utilized for their function (the A.N. I.C. Firewall is not meant to support more than 5-10 users but is currently supporting 120+ users)
- All users attempting to access the same services from the same devices at the same time, all of the time (bridgecap.com supporting all system processes, email, fax, SQL backend and web activity for BCC)

Q: What will repairing these issues and the network configuration provide?

A: This provides a stable, capable network for new services such as VoIP. It also creates faster response times for local user requests for network services, as well as improved response times for Internet based communication. Additionally, it will provide a scalable network that will grow with the changing technology needs as the BCC enterprise grows.

Below are some statistics gathered from the Internet router to illustrate the traffic problems associated with the firewall and the Frame Relay link.


Figure 3. Internet Link PVC Packet Statistics

PVC Statistics for interface Serial0/0 (Frame Relay DTE)

DLCI = 500, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0.1

  input pkts 3306675        output pkts 3045821      in bytes 1063780420
  out bytes 325220577       dropped pkts 0           in FECN pkts 174500
  in BECN pkts 0            out FECN pkts 0          out BECN pkts 0
  in DE pkts 0              out DE pkts 0
  out bcast pkts 151        out bcast bytes 45458
  pvc create time 02:28:45, last time pvc status changed 02:25:24


The above statistics are for a mere 2.5 hours of operation, as noted by the PVC create time.

The most troublesome statistic is the ‘in FECN pkts 174500’ line. It shows that an intermediate Frame Relay switch in the FR network has been overloaded with data on its outgoing port, the link to BCC’s Internet router. This indicates that the bandwidth available on the link is not adequate for the amount of data being put into the Frame Relay network, or that there is a problem on the link from the ISP.


! Working with the ISP to replace the Frame Relay with a T1 leased line and repairing any issues that may be limiting available bandwidth will help remedy this situation.





Figure 4. Serial Line Statistics

Serial0/0 is up, line protocol is up
  Hardware is PQUICC with Fractional T1 CSU/DSU
  MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec, rely 255/255, load 38/255
  Encapsulation FRAME-RELAY IETF, loopback not set, keepalive set (10 sec)
  LMI enq sent 700, LMI stat recvd 700, LMI upd recvd 0, DTE LMI up
  LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE
  Broadcast queue 0/64, broadcasts sent/dropped 120/0, interface broadcasts 1
  Queueing strategy: fifo
  Output queue 2/40, 1615 drops; input queue 1/75, 0 drops
  5 minute input rate 1405000 bits/sec, 302 packets/sec
  5 minute output rate 229000 bits/sec, 265 packets/sec
     2622593 packets input, 784859095 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     942 input errors, 38 CRC, 900 frame, 0 overrun, 0 ignored, 4 abort
     2428288 packets output, 245652862 bytes, 0 underruns
     0 output errors, 0 collisions, 7 interface resets
     0 output buffer failures, 0 output buffers swapped out
     3 carrier transitions

bridge-gw uptime is 1 hour, 33 minutes
System restarted by power-on
System image file is "flash:c2600-ip-mz.120-6.bin"


The above statistics show the link from the Internet ISP is congested regularly and at near-capacity levels. This is a sub-optimal environment for Internet data communications and is adding to Internet delays and packet loss from the network. These statistics represent only 1.5 hours of operation.

The Output Queue Drops shown above indicate that the Frame Relay network is oversubscribed and cannot handle the traffic the Internet router is sending it. Working with the telco on replacing the Frame Relay will help to remedy these drops and produce a more efficient routing environment.

The fact that virtually all of the BCC users access the Internet for many services all day long makes clear the need for better link capacities and management on both ends of the router.

! It is estimated that up to 5% of Internet traffic into or out of the Internet router to/from the ISP is lost due to congestion and overloaded router ports.

! Internet traffic loss relates to a loss of approximately $60.00 per month for BCC.
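The reading of Figures 3 and 4 above (FECN marks, output queue drops, a 5-minute input rate close to the circuit's 1536 Kbit) can be reproduced mechanically from the router output. The Python script below is an added example and not part of the original report: it parses the two outputs (embedded with the counter values from the page) and derives the ratios the conclusions rest on; the 80% utilization warning threshold is an assumption.

```python
import re

# Constructed input: the two outputs quoted in Figures 3 and 4 of this report
# (counter values copied from the page, layout restored to what IOS prints).
PVC_STATS = """\
PVC Statistics for interface Serial0/0 (Frame Relay DTE)
DLCI = 500, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0.1
  input pkts 3306675        output pkts 3045821      in bytes 1063780420
  out bytes 325220577       dropped pkts 0           in FECN pkts 174500
  in BECN pkts 0            out FECN pkts 0          out BECN pkts 0
  in DE pkts 0              out DE pkts 0
  out bcast pkts 151        out bcast bytes 45458
  pvc create time 02:28:45, last time pvc status changed 02:25:24
"""

SERIAL_STATS = """\
Serial0/0 is up, line protocol is up
  Hardware is PQUICC with Fractional T1 CSU/DSU
  MTU 1500 bytes, BW 1536 Kbit, DLY 20000 usec, rely 255/255, load 38/255
  Encapsulation FRAME-RELAY IETF, loopback not set, keepalive set (10 sec)
  Output queue 2/40, 1615 drops; input queue 1/75, 0 drops
  5 minute input rate 1405000 bits/sec, 302 packets/sec
  5 minute output rate 229000 bits/sec, 265 packets/sec
     2622593 packets input, 784859095 bytes, 0 no buffer
     942 input errors, 38 CRC, 900 frame, 0 overrun, 0 ignored, 4 abort
     2428288 packets output, 245652862 bytes, 0 underruns
     0 output errors, 0 collisions, 7 interface resets
"""


def _counter(pattern, text):
    """Extract one integer counter from 'show' output; fail loudly if it is missing."""
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"counter not found: {pattern!r}")
    return int(m.group(1))


def parse_pvc(text):
    """Counters from 'show frame-relay pvc' that matter for congestion analysis."""
    return {
        "in_pkts": _counter(r"input pkts (\d+)", text),
        "out_pkts": _counter(r"output pkts (\d+)", text),
        "in_fecn": _counter(r"in FECN pkts (\d+)", text),
        "in_becn": _counter(r"in BECN pkts (\d+)", text),
        "dropped": _counter(r"dropped pkts (\d+)", text),
    }


def parse_serial(text):
    """Counters from 'show interface' for the serial port facing the ISP."""
    return {
        "bw_bps": _counter(r"BW (\d+) Kbit", text) * 1000,
        "load_255": _counter(r"load (\d+)/255", text),
        "out_q_drops": _counter(r"Output queue \d+/\d+, (\d+) drops", text),
        "in_bps": _counter(r"input rate (\d+) bits/sec", text),
        "out_bps": _counter(r"output rate (\d+) bits/sec", text),
        "pkts_in": _counter(r"(\d+) packets input", text),
        "pkts_out": _counter(r"(\d+) packets output", text),
        "in_errors": _counter(r"(\d+) input errors", text),
    }


def assess_link(pvc, ser, util_warn=0.80):
    """Derive the ratios the report's conclusions rest on and list the findings.

    util_warn (assumed threshold) is the share of circuit bandwidth above which a
    5-minute average is reported as near capacity.
    """
    r = {
        "rx_util": ser["in_bps"] / ser["bw_bps"],        # inbound from the ISP vs. circuit BW
        "tx_util": ser["out_bps"] / ser["bw_bps"],       # outbound toward the ISP
        "load_util": ser["load_255"] / 255,              # IOS 'load' field on the same scale
        "fecn_ratio": pvc["in_fecn"] / pvc["in_pkts"],   # inbound frames marked by the FR cloud
        "in_err_rate": ser["in_errors"] / ser["pkts_in"],
        "out_drop_rate": ser["out_q_drops"] / ser["pkts_out"],
    }
    findings = []
    if r["rx_util"] >= util_warn:
        findings.append(f"inbound 5-minute rate is {r['rx_util']:.0%} of circuit capacity")
    if pvc["in_fecn"]:
        findings.append(f"{r['fecn_ratio']:.1%} of inbound frames carry FECN: the carrier's "
                        "Frame Relay switch is congested on the port toward this router")
    if ser["out_q_drops"]:
        findings.append(f"{ser['out_q_drops']} output queue drops: the router is offering "
                        "more traffic than the PVC accepts")
    if ser["in_errors"]:
        findings.append(f"{ser['in_errors']} input errors (CRC/frame): have the telco test the circuit")
    r["findings"] = findings
    return r


if __name__ == "__main__":
    result = assess_link(parse_pvc(PVC_STATS), parse_serial(SERIAL_STATS))
    for finding in result["findings"]:
        print("-", finding)
```

On the page's figures this yields an inbound rate at about 91% of the 1536 Kbit circuit and FECN on roughly 5% of inbound frames; the `load 38/255` field matches the outbound 229 Kbit rate, so the congestion is in the ISP-to-BCC direction.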






! The LAN connections must be configured as 100mb / Full Duplex. The WAN connections must be error free and packet loss free. The WAN links are the highest cost communication links BCC pays for. They must be kept as efficient as possible at all times.



E. Network Security

Security in all areas of data communications is no longer a luxury. It is a requirement that should involve the identification of security holes, breaches and flaws, as well as provide the means to address the issues identified.

There are a few areas of the BCC network environment where security needs to be addressed. These areas include Internet Protection, Email, Remote Access and Collocation, none of which is well addressed in the BCC network currently.

1. Internet Security

Internet security covers traffic to and from the Internet, into and out of the BCC network. This security needs to address every device in the path from the internal BCC LAN to the BCC network edge, including the WAN link that is connected to the Internet router.

As shown in the diagram below, there are a few pieces that make up the link from the BCC network to the Internet. These pieces are the Firewall, the Internet router and the ISP data link.







First and foremost, the Internet router needs to be buttoned down tightly with security, which includes passwords, static routes, routing protocol filters (if used), source and destination filters, as well as administration and remote access filters.

Security should be addressed from both the outside ports of the router and the inside ports of the router.

Passwords: Passwords should be cryptic and encrypted so as not to be easily guessable or hackable with outside password cracking tools.

! The BCC Internet router is configured with a rather non-cryptic, easily hackable password that is not encrypted. No matter what the password on an Internet router is, encryption should always be set to ON.

Static Routes: Static routes should be used in almost all instances of route tables on Internet routers.

! It is generally bad security practice to allow a routing protocol to control routes through the Internet router. We must maintain full control and understanding of the network from the Internet router’s point of view. Eliminating routing protocols helps to keep security threats to a minimum.

Routing Protocol Filters: If routing protocols must be used on an Internet router, then filters on where, when and how those routing protocols come into and go out of the Internet router are required for maintaining security.

! BCC should not be running any routing protocols on the Internet router. There is one currently configured and it should be removed completely.

Source and Destination Filters: In certain circumstances it may be necessary to have multiple internal networks accessing the Internet through a single source such as the Internet router. In these cases filters should be set to allow only those subnets to communicate with the Internet router. Likewise, care should be taken to ensure no incoming traffic can communicate with networks or devices that it should not.

BCC currently does not have any need for Source/Destination Filters.

Administration and Remote Access Filters: To keep security as tight as possible, it is recommended to use access filters for Administration as well as Remote Access communication to the Internet router. These access filters will ensure only the correct BCC administrators can access the Internet router for administration purposes, and will keep unwanted intrusions from the Internet from occurring.







! BCC should implement Administration and Remote Access Filters on the Internet router to ensure only the correct people can access this device from inside or outside the company.


The second device that needs to be as secure as possible is the Firewall.

! In the case of BCC, the firewall is completely inadequate and should be replaced as soon as possible.

With a correctly functioning and capable Firewall, the security issues to be addressed are Rules, DNS, VPN, NAT and Remote Access.

Rules: The rules of a firewall are the main security tool. They dictate who, what and where data can flow through the firewall.

In the case of the BCC firewall, it is completely inadequate for the data communication needs of the organization and should be replaced as soon as possible.

! A security flaw has been identified in the operating system of the firewall BCC currently uses: IPX traffic is always passed through, even if it is unwanted. A patch has been made available from the manufacturer and should be implemented as soon as possible. This may be a problem since the firewall used is a ‘clone’ firewall utilizing a third-party operating system. Also, spending the time and effort patching this may be futile, since the device does not support the current data flow needs and must be replaced.

DNS: Today’s firewalls have the ability to do more than protect. They can provide other mission-critical functions that previously relied on separate systems or outside systems residing on the Internet, resulting in delays.

One of these features is DNS.

When BCC replaces its firewall with an adequate solution, it should be taken into consideration how the DNS for the company will be configured. Since BCC is expecting a 2 to 6 fold increase in Internet traffic in the near future, it behooves us to implement a DNS system that will more efficiently serve our user base and systems.

NOTE: Today’s best practice on DNS is to house all DNS functions inside the corporation and have the DNS system go to the Internet only for those requests that require it. This helps to conserve Internet bandwidth and gives BCC much more control over the DNS functions that the company requires.

VPN: Another function today’s firewalls provide is the ability to allow remote users from anywhere in the world to access corporate resources as if the user were sitting in the office. This gives the user and company much more control of the type, amount and access to corporate resources.




BCC Network and Systems Analysis

18

10/28/2013

VPN’s are inherently secure. They provide
a connection to a user, via the
Internet, anywhere in the world with encrypted communication. This means the
user can access vital and confidential company resources without the worry of
the data being intercepted on the Internet and then exploited.


NOTE:

BCC should keep VPN capabilities in mind when selecting a new firewall.
VPN technology has been available for over 6 years and has been adopted by
almost every company seeking to improve user productivity and data security for
remote access in a cost effe
ctive solution. It is currently the de facto standard
for secure remote access solutions.


NAT:

Network Address Translation. In a sentence, it allows multiple systems to
use a single IP address to access network resources.


The use of NAT has proven to be
more than a solution for limited IP addresses.
NAT also provides security in the sense of ‘Hiding’ private, internal network
addressing.


If an intruder can figure out the network addressing used on the inside of a
Internet connected network, such as the B
CC network, they will have much more

ability and access to internal systems than if they didn’t know the internal
addressing. NAT helps to ‘Hide’ the internal network addressing from outside
entities.


!

BCC uses NAT currently in a limited configuration. I
t is recommended to
continue using NAT to access Internet resources. It is also recommended to
address other networking needs that could benefit from the security aspects of
NAT. A scenario such as BCC connecting to a partner or vendor network could
use NA
T to help with security as well as address manipulation.


Remote Access:

Remote Access at BCC is currently provided through a
PCAnywhere application. Although this solution does provide for the access to all
corporate resources, it is inherently slower and

less manageable than other
solutions and much less secure.


Future remote access solutions should include a VPN or another secured method
of connecting users to corporate resources. A VPN solution is the most cost
effective and manageable option available

today for remote access.


2. Email Security

The BCC email system is a lifeline of communication for the company. This is a mission critical system that requires security, accessibility and functionality.

The BCC email system currently in use is completely inadequate for the needs of the company, in all of these areas, as we move forward.

Email Security:

! Currently there is none. Anybody on the Internet can conceivably intercept, open, read or change the data in any of the BCC email communications. There is currently nothing in place for BCC to prevent this.

Email Accessibility:

Currently the only way to access corporate email is if a user is in the office on a computer connected to the network. This limits the productivity of the users and their ability to perform business critical communications when they are away from the office.

There are many solutions for remote email access to corporate resources. The most popular and by far the most functional is the use of Microsoft Exchange.

Microsoft Exchange is the de facto standard in email messaging for 80% of small, medium and large businesses today.

! Implementing a Microsoft Exchange server would allow BCC complete control over the security of their emails and remote access to email from anywhere in the world without the need for additional add-on software.

Email Functionality:

Today’s email systems offer the entire range of collaborative messaging and scheduling in one package.

Microsoft Exchange is the easiest, most cost effective way to implement multi-user email collaboration. It can provide for multiple users to access other users’ schedules as well as email, calendar, tasks and journals.

BCC should completely migrate to a Microsoft Exchange email solution as soon as possible. Company growth is highly dependent on the email communication systems of today’s businesses.

! BCC will not be able to grow and operate at capacity and with the best efficiency with the current email system. It must be replaced ASAP.


3. Remote Access Security

Remote Access at BCC is in an infant state. Not many users require remote access or even use it, so there has been little need to focus on the means of providing that access.

Currently BCC uses PCAnywhere for remote access. This is a simple means of providing a remote user access to a specific system on the BCC network.

! The use of PCAnywhere for continued remote access will not be sufficient for BCC’s level of growth.

It is going to become increasingly warranted for BCC to create a more flexible, scalable and manageable remote access environment as the amount of business increases and as more BCC employees wish to perform business critical functions from their homes or away from the office.

The most common cost effective solution today for remote access is the use of a VPN or Virtual Private Network.

A VPN provides a two-fold service. It provides access to corporate resources for any or all company employees, as well as protecting the data from intruders or hackers as it is transmitted from the company network to the remote user.

A VPN is inherently secure and provides the speed necessary for a remote access system.

BCC should consider implementing a VPN environment as remote access needs increase. Also, the VPN should be an extension of the Firewall instead of a separate system. This provides for more interaction with the firewall and helps to reduce costs while keeping optimal security.



F. Administration

The ability of a corporation to administer its systems is vital to the success and growth of the organization.

Tools for administration not only allow the admins to perform better service for their clients, but they also provide the means of giving exceptional service with quality and efficiency.

Tools for administration of systems can be broken down into four different categories: management, monitoring, information gathering and reporting.

A good system of administration tools will encompass all four of these areas at least a bit. There are a few full package management tools for certain areas of data communications, but it may be best for BCC to use a few of the smaller tools for management and monitoring of the systems. Reporting is usually available in most of these tools.


1. HelpDesk

The most common tool in use today is a HelpDesk application or set of HelpDesk tools. A HelpDesk system can greatly increase the productivity of the I.T. staff as well as provide concise, responsive solutions for day-to-day user and system problems. A HelpDesk system can also generate reports on I.T. workloads and project assignment so management can have a real-time view of current I.T. activity and needs.

! It is highly recommended that BCC implements a HelpDesk application or set of tools to better service the BCC user base and allow BCC to monitor and track I.T. staff and workloads.


2. Network Tools

An enterprise network such as the BCC data communications network requires proactive management, not reactive. Currently there is no network management system in operation at BCC.

There are network tools available to allow systems administrators to monitor network operations as well as become proactive with problem resolution.

The most common system for network monitoring is an SNMP system. Simple Network Management Protocol is used to monitor, assess and report problems and statistics across all systems and devices in an enterprise network. Almost every data communication device supports SNMP.

Very cost effective tools allow unattended systems to be monitored and alarms sent to I.T. personnel via pager, email and web when a problem occurs. The ability to have systems alert the right people when trouble occurs offers a greater level of network and services availability.

! An SNMP system could prevent users coming in on Monday to a system outage or services unavailable due to a failure over the weekend.

! BCC should seriously consider the implementation of an SNMP based system for device management, statistics generation and status reporting.


3. System Tools

System tools are those used to monitor, track and report on the systems themselves that use the network as their means of transport.

A Windows NT Network is a system that requires the use of such tools as NetMon, PerfMon, administration tools and reporting tools. Some of the required tools to manage a Windows NT Network are provided with the operating system by Microsoft and should be used to manage the systems within it.

Server vendors all have system management tools that go well beyond the basic functions of monitoring and provide for a fully proactive environment for systems administration. These tools use SNMP as mentioned in section 2, Network Tools.

! It is recommended that BCC implement an SNMP system to better manage, monitor and generate status reports on its enterprise systems.

! Compaq Insight Manager should be implemented on all Compaq servers. This is an SNMP based server management solution that is free with every Compaq server.



II. Systems Analysis

A. Servers and Workstations

1. Windows Servers

There are basic configuration and management processes that should be adhered to when setting up and managing Windows NT or 2000 servers: things such as connection duplex and speed, service pack and patch updates, security, file shares and print services, just to name a few.

These items addressed, combined with a proactive approach to server administration, will create a stable, scalable Windows environment that will grow with BCC.

BCC currently has seven Windows based servers in-house.

BCC Windows server names and functions are listed below:

SERVER: File Server, Accounting
BC-CORP-SRV2-DC: Domain Controller
BC-CORP-SVR3-BU: Print server, Data Backup Server
BC-CORP-SVR4-WT: Web Track Server
BCC-CORP-SVR5-S: AntiVirus Server, SQL Server (sql is unused)
BC-CORP-SVR6-LE: Loan Energizer Server
BCL-SVR1: Bridge Leasing Domain Controller


BCC currently has three Windows based servers off-site.

BCC Windows off-site server names and functions are listed below:

BC-SVR3: Imail, AntiVirus (AV not running), Data Backup Server
BCC-FAX: RightFax
BCC-SQL aka SVR6: SQL 2000

BCC Windows server specifications, listed by server:

SERVER:
IP Address: 10.10.1.51/24; gw: 10.10.1.1
Pentium II
Windows NT 4 Operating System; SP6
392MB RAM
384MB PageFile
C: = 4gb; 2.7gb Free
Connection: Auto 100mb / Full Duplex
Applications: Backup Exec OFO, PCAnywhere/LiveUpdate, F-PROT, Backup Exec 8.x (should be removed)
Services: File

BC-CORP-SRV2-DC:
IP Address: 10.10.1.9/24; gw: 10.10.1.1
IP Address: 10.10.2.100/24; gw: 10.10.2.1
Pentium II
Windows NT 4 Operating System; NO SP
512MB RAM
512MB PageFile
C: = 4gb; 3.2gb Free
D: = 23gb; 20gb Free
Connection: Auto 100mb / Full Duplex
Applications: FProt, MsChat, MsFrontPage Express, MsMusicControl, MsNetMeeting, MsWallet, MsWebPublishing, Point, VDO Live Player, Real Player4
Services: Backup Domain Controller

BC-CORP-SVR3-BU:
IP Address: 10.10.1.58/24; gw: 10.10.1.1
Pentium II
Windows 2000 Operating System; SP4
512MB RAM
1.2gb PageFile
C: = 16gb; 12.59gb Free
Connection: Auto 100mb / Full Duplex
Applications: SMTP, IIS, SSC (all three should be removed), Backup Exec 8.x
Services: Print, Data Backup

BC-CORP-SVR4-WT:
IP Address: 10.10.1.4/24; gw: 10.10.1.1
Pentium II 2x 498mhz
Windows 2000 Operating System; SP4
512MB RAM
1.5gb PageFile
C: = 25.42gb; 23.24gb Free
Connection: Auto 100mb / Full Duplex
Applications: WebTrack, Fprot, PCAnywhere, WebEX, ICA Client
Services: SMTP, IIS (smtp should be removed), WebTrack

BC-CORP-SVR5-S:
IP Address: 10.10.1.10/24; gw: 10.10.1.1
Pentium II 2x 498mhz
Windows 2000 Operating System; SP4
512MB RAM
1.2gb PageFile
C: = 16.91gb; 14.06gb Free
Connection: Auto 100mb / Full Duplex
Applications: PCAnywhere, SSC, NAV, SQL 2k (should remove sql)
Services: SMTP, IIS, SAV, SQL (should remove sql, smtp & iis)

BC-CORP-SVR6-LE:
IP Address: 10.10.1.69/24; gw: 10.10.1.1
Pentium II 199mhz
Windows 2000 Operating System; SP4
192MB RAM
471MB PageFile
C: = 7.96gb; 5.57gb Free
Connection: Auto 100mb / Full Duplex
Applications: none, No AV
Services: SMTP, IIS (both should be removed)

BCL-SVR1:
IP Address: 10.10.1.123/24; gw: 10.10.1.1
Pentium II 2x 548mhz
Windows 2000 Operating System; SP4
256MB RAM
632MB PageFile
C: = 8.43gb; 6.23gb Free
D: = 42.35gb; 34.89gb Free
Connection: Auto 100mb / Full Duplex
Applications: Fprot, GoldMine, BroadJump, MsSmallOffice, OmniRush, SBC Yahoo, EnterNet 300
Services: File, Print, SMTP, IIS (should remove smtp & iis)

BC-SVR3:
IP Address: 192.168.12.66/24; gw: 192.168.12.9
Pentium III 2x 400mhz
Windows 2000 Operating System; SP3
1.8GB RAM
C: = 8.35gb; 887MB Free
D: = 118.71gb; 111.33gb Free
Connection: (into shared low-bandwidth Linksys switch)
Applications: Imail, WebTrends (not running), AV (not running), PCAnywhere, Backup Exec 8.x (all backups failing since at least 8/16/03), BE Open Option Suite
Services: SMTP, IIS (should remove smtp and iis if possible)

BCC-FAX:
IP Address: 192.168.12.69/24; gw: 192.168.12.9
Pentium II 300mhz
Windows 2000 Operating System; SP3
256MB RAM
C: = 31.48gb; 25.34gb Free
Connection: (into shared low-bandwidth Linksys switch)
Applications: RightFax, AV (not running), PCAnywhere
Services: FAX, SMTP, IIS (should remove smtp & iis if possible)

BC-SQL aka SVR6:
IP Address: 192.168.12.51/24; gw: 192.168.12.9
Pentium II 448mhz
Windows 2000 Operating System; SP3
256MB RAM
C: = 3.91gb; 1.93gb Free
D: = 13.4gb; 6.8gb Free
Connection: (into shared low-bandwidth Linksys switch)
Applications: FProt, SQL 2000, PCAnywhere
Services: SQL, SMTP, IIS (should remove smtp & iis)

Items marked in RED should be addressed; they identify problems or resources that should be increased or changed to better handle BCC needs and growth.

! All Windows servers should be fully updated to the latest security levels and patches. All BCC servers are currently out of date with security patches released by the hardware and software manufacturers. These are vital for a stable environment with today’s systems.

! All Windows servers should be connected to the Core Switch with a static 100mb / Full Duplex configuration. Currently all servers are set to Auto-Negotiate their connection parameters. This could allow an inadequate connection speed and duplex configuration that would not be optimal and could potentially degrade network performance.

! Unnecessary applications and services should be stopped and removed from all servers, as described above in each server detail. These unnecessary services take up valuable server resources.

! Most of the BCC servers are underpowered for the operating systems they run as well as the required services they are to provide. Windows 2000 servers should have a minimum 1ghz processor with 1gb RAM. The PageFiles should also be increased with the use of more RAM.

The cost of today’s Intel based systems is relatively cheap compared to the performance, stability and support offered.

! The practice of purchasing 4-5 year old Intel based systems to run today’s BCC applications and services is proving costly. The lack of warranted parts and labor, added to the loss of vendor support, far outweighs the cost savings of buying used, unsupported, unwarranted systems.

! BCC could lose an estimated 100 times or more money in a single outage than the cost of a leased system.

! It is highly recommended to standardize on a single vendor Server platform. This would help to increase administration productivity as well as to decrease costs and help stabilize the environment.

! Server baseline security reports show that all of the BCC servers are out-of-date with their security patches and updates. These are considered severe security holes by Microsoft, so should be addressed ASAP!

! BCC should seriously consider using a leasing program for all of its Server purchases. The benefits of this are: warranted parts & labor, usually for 3 years; replacement of product, usually within 12-24 hours; replacement of systems every year or two for the same low leasing cost; and the inclusion of server hardware that originally comes with new purchases and that BCC loses when buying used systems, i.e. rack mount hardware, configuration and ROM/Driver software.
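As an added example (not part of the original report), the checks in the recommendations above turned into an automated audit over four of the server records from this section; the "latest" service-pack levels and the per-host list of services assumed to be needed are assumptions made for the example.

```python
"""Added example, not part of the BCC report: the recommendations above
(current service packs, running anti-virus, removal of unneeded SMTP/IIS/SQL,
the 1 GHz / 1 GB minimum for Windows 2000, static 100 Mb full-duplex links)
applied as an automated audit to a few of the server records listed in this
section.  The 'latest' service-pack levels and the per-server list of
services that must be kept are assumptions made for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

LATEST_SP = {"Windows NT 4": 6, "Windows 2000": 4}   # assumed current levels
REMOVABLE = {"SMTP", "IIS", "SQL"}                    # services the report says to drop if unused
MIN_CPU_MHZ, MIN_RAM_MB = 1000, 1024                  # the report's Windows 2000 minimums


@dataclass
class Server:
    name: str
    os: str
    sp: Optional[int]            # None = no service pack installed
    cpu_mhz: Optional[int]       # None = not recorded in the inventory
    ram_mb: int
    auto_negotiate: bool
    av_running: bool
    services: List[str] = field(default_factory=list)
    keep: Set[str] = field(default_factory=set)   # removable services this host needs


def audit(s: Server) -> List[str]:
    """Return the list of findings for one server (empty = compliant)."""
    findings = []
    latest = LATEST_SP[s.os]
    if s.sp is None:
        findings.append(f"service pack: none installed, latest is SP{latest}")
    elif s.sp < latest:
        findings.append(f"service pack: SP{s.sp} installed, latest is SP{latest}")
    if not s.av_running:
        findings.append("no running anti-virus")
    extra = [svc for svc in s.services if svc in REMOVABLE and svc not in s.keep]
    if extra:
        findings.append("remove unneeded services: " + ", ".join(extra))
    if s.os == "Windows 2000":
        if s.cpu_mhz is not None and s.cpu_mhz < MIN_CPU_MHZ:
            findings.append(f"underpowered CPU: {s.cpu_mhz} MHz < {MIN_CPU_MHZ} MHz minimum")
        if s.ram_mb < MIN_RAM_MB:
            findings.append(f"insufficient RAM: {s.ram_mb} MB < {MIN_RAM_MB} MB minimum")
    if s.auto_negotiate:
        findings.append("link auto-negotiated; set static 100 Mb / full duplex")
    return findings


# Four records transcribed from the server details above.  'keep' marks the
# removable services the report does not tell that server to drop (assumed
# to be needed by the application on that host).
INVENTORY = [
    Server("BC-CORP-SRV2-DC", "Windows NT 4", None, None, 512, True, True,
           ["Backup Domain Controller"]),
    Server("BC-CORP-SVR4-WT", "Windows 2000", 4, 498, 512, True, True,
           ["SMTP", "IIS", "WebTrack"], keep={"IIS"}),
    Server("BC-CORP-SVR6-LE", "Windows 2000", 4, 199, 192, True, False,
           ["SMTP", "IIS"]),
    # Off-site host on a shared Linksys switch; its duplex setting is not
    # recorded, so auto-negotiation is left unflagged.  Imail is the mail
    # server there, so SMTP is assumed to be needed.
    Server("BC-SVR3", "Windows 2000", 3, 400, 1843, False, False,
           ["SMTP", "IIS"], keep={"SMTP"}),
]


def audit_all(inventory=INVENTORY) -> Dict[str, List[str]]:
    return {s.name: audit(s) for s in inventory}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```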


2. Fax Servers

Currently, BCC uses RightFax as its network faxing solution. This solution is working fine for BCC and is able to continue to scale and grow as the BCC environment grows. There is one RightFax server in use by BCC.

Administration is simple and straightforward. RightFax does have the ability to integrate into Active Directory as well as unified messaging, with the emergence of Voice over IP. This is one consideration BCC should look into for a more robust and functional faxing environment.

! The FAX system currently utilizes 4 trunk lines from the Telco. There may be a need in the near future to increase the capacity of the FAX system by adding more trunk lines to the system. This will allow for more concurrent FAX connections into BCC.

! The FAX system is currently located in the colocation building. It would be more beneficial and cost effective to move the FAX system into the BCC data center at corporate. Administration and support would see the largest cost decrease from moving this system in-house.


3. Email Servers

The Email system at BCC is an Internet based POP3 mail system. This is not an adequate solution for the email communication needs of a company the size of BCC, or for the growth expected, and does not provide the security, scalability and speed BCC requires in its communication systems.

The Email system is based on Ipswitch Imail. This solution should be replaced with an enterprise solution that can give BCC the communication capacities demanded by the high volume currently experienced. The Imail solution currently provides no security.

Microsoft Exchange is the de facto standard in small, medium and large businesses of today. Exchange offers many benefits that are not available with the email environment that BCC uses today.

Some of the benefits of moving email to Exchange are listed:

- Scalable to thousands of users
- Integrates with Active Directory
- Provides security for web based email clients
- Integrates backup functions with the Veritas backup system
- Allows for collaborative messaging
- Allows for collaborative calendars
- Allows for collaborative mail box administration
- Security

! The email system is currently located in the colocation building. It would be more beneficial and cost effective to move the email system into the BCC data center at corporate. Administration and support would see the largest cost decrease from moving this system in-house.

! An Exchange email system should be implemented at BCC corporate to allow for better communication and collaboration between all BCC employees as well as the rest of the world.


4. SQL Servers

There is one SQL server that BCC uses to house user name and content from BCC employees to brokers. This system is located in the colocation building and ties into a few processes of the loan system. SQL works with the Wholesale web servers as well as the VLO servers.

This is a SQL 2000 system. The configuration of SQL is fine for the BCC environment, and the system has plenty of scalability and will be able to grow with the environment.

! The SQL system is currently located in the colocation building. It would be more beneficial and cost effective to move the SQL system into the BCC data center at corporate. Administration and support would see the largest cost decrease from moving this system in-house.


5. Web Servers

There are 7 web site domains that BCC owns and operates. Currently, all 7 of these domains, or Web Sites, are run on one system that is located in the colocation building.

The web server that runs the Web Sites is a clone Intel P2 based system and should be upgraded as soon as possible to prepare for the increased traffic due to company and user growth that is expected.

The web domains BCC utilizes are listed:

BRIDGECAP.COM
BRIDGECAPWS.COM
BCCWS.COM
BRIDGECAPITAL.NET
BRIDGECAPVLO.COM
800USALEND.COM
BRIDGELEASING.COM

BRIDGECAP.COM
- Internal and External users site
- Used by all brokers to access applications
- Brokers must be logged in to access services
- Services: Loan Energizer, Loan Qualifier, WebTrack, Balance, State Info, Compliance Info and Licensing Info
- Provides access to all Forms
- Located in colocation

BRIDGECAPWS.COM
- Internal Wholesale site
- Used by internal BCC Wholesale division, not brokers
- Services: Balance, Loan Qualifier, Signed-On & Not-Signed-On privileges, Rates, Matrixes, Flyers and Custom Flyers
- Located in colocation

BCCWS.COM
- External Wholesale site
- Used by Wholesale brokers
- Services: Balance, Loan Qualifier, Signed-On & Not-Signed-On privileges, Rates, Matrixes, Flyers and Custom Flyers
- SQL Backend
- Located in colocation

BRIDGECAPITAL.NET
- Used for development only
- Located at BCC corporate

BRIDGECAPVLO.COM
- Used by VLO’s only
- Services: WebTrack, Balance, Loan Qualifier and VLO Specific Flyers
- SQL Backend
- Located in colocation

800USALEND.COM
- Retail Mortgages
- Used by general public, loan prospects
- Services: Create Login, Loan Application, Email forwarding to BCC
- Located in colocation
- SQL Backend for loan applicants

BRIDGELEASING.COM
- Used by companies or people that require lease/business financing
- Services: Login, Lease Quotes
- SQL Backend

EXTRANET
- System in design process on Development server

INTRANET
- System in design process on Development server

! The Web server is currently located in the colocation building. It would be more beneficial and cost effective to move the Web server into the BCC data center at corporate. Administration and support would see the largest cost decrease from moving this system in-house.


6. Workstations

The workstations in use at BCC are adequate for the most part, minus a few older systems that are slower and more costly to use.

The decision to standardize on a single vendor workstation platform is the right choice. Dell would be the most cost effective solution for the user needs of BCC.

Having multiple workstation configurations leads to higher administration costs as well as longer outages of user systems when problems do occur.

All workstations run Windows 2000 or XP, which coincides with industry standards and best practices.

! It should be taken into consideration to get a leasing program for all BCC workstations. This would provide for new hardware, support and upgrades every year for the same price as buying new systems outright and then upgrading when required.

! The standardization of workstations to a single vendor platform would increase productivity and reduce support and administration costs.


B. Systems Security

Systems security is no longer a luxury for any business. The need for security at all levels of the data communication environment is evident every day, with new attacks being attempted and new software being created to gain access to network resources and cause havoc.

System security should cover at minimum the following areas:

- Server/Domain
- Workstation
- Application
- AntiVirus
- Data Backup


1. Server/Domain Security

Server/Domain and Workstation Security is achieved through configuring best practices such as:

- User Password Expirations
- Administrator User Name Change
- Inter-Domain Trusts
- Server Console Lockdowns
- Server Patches and Security Updates

2. Application Security

Application security should be implemented on an as-needed basis. The use of Application security should complement the Network and System security and is usually done within an application itself, i.e. Accounting System password(s) or access privileges.


3. AntiVirus Security

AntiVirus security is mandatory in today’s connected world. BCC currently has 4 different AntiVirus solutions among its systems.

! It is highly recommended to utilize a client/server solution for company wide use and coverage of AntiVirus software.

A client/server AntiVirus environment for BCC has been built and implemented with as many licenses as BCC owns, which is 5. Currently we are in negotiations with Symantec on licensing prices to complete the rollout of this system to all BCC employees.


4. Data Backup Security

Data Backup is one of the most vital pieces of security for BCC. Without proper data backup, a disaster or even a minor outage could cost BCC millions if it lasted for a day or more.

Data backup should include a rotation scheme for housing data a number of days/months/years back. This is actually mandated by federal regulators for financial institutions, and there are laws that must be followed in regards to data backup and retention.

The data backup system that BCC uses is the Veritas Backup Exec solution. This is an excellent solution for the needs of BCC and will scale with data and company growth.

Currently BCC has two data backup systems. One system is located in the colocation building and is intended to back up the systems housed there. The second backup system is located at BCC corporate.

The configuration and management of the data backup system is a vital part of ensuring that the data is backed up correctly, retained for the proper amount of time and available for restore as quickly as possible.

! Management of the Backup System has completely broken down.

! Both of the BCC data backup systems are either incomplete or failing daily.

! All backup job information logs are deleted regularly, which is a bad idea. This makes it very difficult to determine the status of the backups, past and present. This also makes restoring very difficult with no logs showing successes and failures of data backed up.

! The BCC corporate data backup system has been run daily, but the amount of data to be backed up is greater than a single tape can hold. These backups have been stopped for a new tape to be put in for the next backup, in essence canceling the current backup and not letting it complete.

! The colocation data backup system has been run daily, but all jobs have failed since the last known log of 8/13/03. This is very bad and subjects BCC to possibly catastrophic outages and losses.

There is a standard scheme called GFS, Grandfather/Father/Son, used when designing backup strategies. The GFS scheme allows for data retention and archive, as well as helping financial institutions to meet federally mandated laws pertaining to data backup and retention.

! BCC currently does not use a GFS scheme and one should be implemented after the backup system problems are resolved.
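As an added example (not part of the original report), a planner for the GFS scheme named above: it classifies each calendar day into a son, father or grandfather backup, lists the restore points still on tape for a given date, and works out how many tapes each tier needs so that none is overwritten early; the retention periods are assumed figures for illustration, not values from the report or from any regulation.

```python
"""Added example, not part of the BCC report: a Grandfather/Father/Son (GFS)
rotation planner.  Tiers follow the common GFS layout: a daily "son" backup
Monday to Thursday, a weekly "father" full backup every Friday, and a
monthly "grandfather" full backup on the last Friday of each month.  The
retention periods are constructed assumptions for illustration."""
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed retention, in days, before a tape of each tier is reused.
RETENTION_DAYS = {"son": 7, "father": 35, "grandfather": 365}


def gfs_tier(day: date) -> Optional[str]:
    """Classify a calendar day into a GFS tier, or None on weekend days,
    when no backup job runs in this scheme."""
    weekday = day.weekday()            # Monday == 0 ... Sunday == 6
    if weekday >= 5:
        return None
    if weekday < 4:
        return "son"
    # Friday: grandfather if there is no later Friday in the same month.
    next_friday = day + timedelta(days=7)
    return "grandfather" if next_friday.month != day.month else "father"


def retained_on(backup_day: date, today: date) -> bool:
    """True if the backup taken on backup_day is still on a tape that has
    not yet been recycled as of today."""
    tier = gfs_tier(backup_day)
    if tier is None or backup_day > today:
        return False
    return (today - backup_day).days < RETENTION_DAYS[tier]


def restore_points(today: date) -> List[Tuple[date, str]]:
    """All backups still available for restore as of today, oldest first.
    Looking back over the longest retention window is sufficient."""
    points = []
    for back in range(RETENTION_DAYS["grandfather"], -1, -1):
        d = today - timedelta(days=back)
        if retained_on(d, today):
            points.append((d, gfs_tier(d)))
    return points


def tapes_required(year: int) -> Dict[str, int]:
    """Tapes needed per tier so that no tape is overwritten before its
    retention ends: the most backups of that tier retained at once on any
    day of the given year.  Note that a 365-day retention needs 13
    grandfather tapes, not 12, because two last Fridays can be 364 days apart."""
    worst = {"son": 0, "father": 0, "grandfather": 0}
    day = date(year, 1, 1)
    while day.year == year:
        counts = {"son": 0, "father": 0, "grandfather": 0}
        for _, tier in restore_points(day):
            counts[tier] += 1
        for tier in worst:
            worst[tier] = max(worst[tier], counts[tier])
        day += timedelta(days=1)
    return worst


if __name__ == "__main__":
    # 8/13/03 is the last known colocation backup log mentioned in the report.
    today = date(2003, 9, 10)
    for d, tier in restore_points(today):
        print(d, tier)
    print("last known log retained?", retained_on(date(2003, 8, 13), today))
    print("tapes per tier for 2003:", tapes_required(2003))
```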


The clients, or servers, that the backup systems are to back up must use a Veritas Backup Exec Client in order to completely protect and back up the data. The client is used to back up Windows 2000 System State as well as to speed up the backup process, thus reducing the time required to complete the backup. The required clients are not being used on any BCC systems.

! All systems that require the backup client do not have it and as such, are not being completely backed up. This is very bad and opens BCC up to major outages if data loss or a disaster occurs.

! The BCC backup configuration the way it is today is sub-optimal. Backups that should take less than 3-6 hours are taking 16-24 hours or more, and they are incomplete due to tape changes not occurring as needed.

! BCC is in danger, every single day, of losing millions of dollars and days, weeks and even months’ worth of work due to failing and incomplete data backups. This must be addressed ASAP!


C.

Collocation


In house management of all BCC systems should be considered a priority. Currently, BCC
houses most of its main busines
s critical functions at an off
-
site location where all BCC
corporate users must traverse the Internet to gain access to the required services to
complete their jobs. This is a very costly solution and does not provide adequate
resources for BCC day
-
to
-
day
operations or the growth of the data communications
environment.


Administration costs are up to an estimated 15% higher due to systems not in
-
house
where they can easily be administered and supported. Support costs are higher due to
the minimum $3500.00 p
er month spent on collocation services for benefits that are not
realized today.


- There is no visible benefit to housing BCC corporate systems off-site.


- The collocation network has design properties that are not optimal for the services BCC is paying for. It has design issues similar to BCC's own, such as aggregation points not given priority in the design, and its cooling is not up to minimum standards: the colo data center is hotter than the BCC data center.


- A collocation should not be used for BCC primary operations. The inherent limitations in administration, network management, security and Internet traffic are all excellent reasons to move the collocated systems in-house.


In BCC's case, a collocation would be a good fit for disaster recovery or as a backup to an in-house data center. It is not suited to BCC daily operations, which is how it is currently used.





III. Executive Summary


This Executive Summary sets out the problem areas discovered and the recurring losses in money and productivity. It also includes a list sorted by urgency/priority, with the estimated cost of repair for the major issues.


I. Network Problem Summary


(1) Topology

- Unused data circuits are costing approx. $550-1100.00/month in losses
- Increase inter-building link capacity with EtherChannel
- Reconfigure inter-building links to 100/Full per port
- Remove all shared-bandwidth media (requires available ports in core & edge switches)
- Configure STP root bridge placement and PortFast on access ports
- Change Frame Relay circuit(s) to leased-line full T1(s)
- Upgrade all outdated IOS on Cisco hardware (switches and router)
- Remove unnecessary protocols from the network (IPX)
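The topology items above (100/Full inter-building links, EtherChannel, STP root bridge placement, PortFast) and the server-port item in the Servers summary later in this section map onto a short Catalyst IOS configuration. The following is an added example written for this review, not the BCC switch configuration; the switch model (a Catalyst running IOS 12.1), the interface numbers, the use of VLAN 1 only and the uplink peer are assumptions.

```cisco
! Added example, not BCC's configuration. Assumed: Catalyst IOS 12.1, VLAN 1 only,
! Fa0/23-24 are the two inter-building uplinks, Fa0/1 faces SERVER01.
!
! 1. Put the STP root where the traffic aggregates instead of letting the
!    lowest default MAC address win. Run "root secondary" on the other core switch.
spanning-tree vlan 1 root primary
!
! 2. Bundle the inter-building links into one EtherChannel and pin speed/duplex.
!    Both ends must be configured identically or the bundle will not form.
interface range FastEthernet0/23 - 24
 description Uplink to Building B core, EtherChannel 1
 speed 100
 duplex full
 channel-group 1 mode on
 no shutdown
!
! 3. Server access port: fixed 100/Full (the server NIC must be set the same
!    way; a mismatch produces late collisions and the kind of data loss this
!    report describes), PortFast so the server is not held in STP listening/
!    learning for 30-50 s after a link flap, and BPDU guard so a hub or rogue
!    switch plugged in here is shut down rather than joining the spanning tree.
interface FastEthernet0/1
 description SERVER01 (NIC statically set to 100/Full)
 switchport mode access
 switchport access vlan 1
 speed 100
 duplex full
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verify after the change:
!   show spanning-tree vlan 1        (this switch listed as root)
!   show etherchannel summary        (Po1 flagged SU, both member ports P)
!   show interfaces FastEthernet0/1  (100Mb/s, Full-duplex, no late collisions)
```

The setting to verify rather than trust is the duplex: a port forced to 100/Full against a peer left on autonegotiation silently drops the peer to half duplex, so both the switch port and the server NIC driver must report full duplex after the change.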


(2) Internet

- Data loss on the Internet connection is costing approx. $60.00/month in losses
- Internet link(s) should be changed to leased-line full T1(s)
- Set the Internet router passwords to strong, non-guessable passwords
- Encrypt the passwords stored in the Internet router configuration
- Remove all secondary addressing that is not required (an Internet router should never carry secondary addresses)
- Remove configuration that is not used on the Internet router
- Remove the RIP routing protocol from the Internet router (a single-homed Internet router needs only a static default route, not a dynamic routing protocol, and least of all unauthenticated RIP)
- Remove bad static routes on the Internet router
- Upgrade IOS on the Internet router to a current version
- Replace the Firewall with a scalable, capable solution
- Move all systems in-house that BCC currently has to reach over the Internet. This will reduce administration and support costs
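The Internet router items above (stronger and encrypted passwords, no secondary addresses, no RIP, no stale static routes, removal of unused configuration) and the remote-access item in the Security Problem Summary below can be shown as a before/after configuration. This is an added example written for this review, not the BCC router configuration; the IOS 12.x command set, the Serial0 ISP link, the RFC 5737 documentation addresses (192.0.2.0/24 inside, 198.51.100.0/30 on the ISP link), the stale route to 10.99.0.0/16 and the placeholder passwords are all assumptions.

```cisco
! ===== BEFORE: the kind of configuration the findings describe. Constructed
! ===== illustration, not BCC's router; addresses are RFC 5737 documentation ranges.
enable password cisco
!
interface Serial0
 description ISP link
 ip address 198.51.100.2 255.255.255.252
 ip address 192.0.2.1 255.255.255.0 secondary
!
router rip
 network 192.0.2.0
 network 198.51.100.0
!
ip route 10.99.0.0 255.255.0.0 192.0.2.254
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
line vty 0 4
 password cisco
 login
!
! ===== AFTER: entered in configuration mode on the same router =====
! Passwords: "enable secret" stores a one-way MD5 hash (type 5). "service
! password-encryption" only obscures line passwords with reversible type 7,
! which keeps them off a screen but is not real protection, so the vty
! password must itself be strong. Placeholders below are assumptions.
enable secret Cfg7r-Quartz-Paddle-42
no enable password
service password-encryption
!
! No dynamic routing toward the Internet: a single-homed router needs one
! static default route, and unauthenticated RIP on the ISP segment would let
! anyone on that segment inject routes.
no router rip
!
! Drop the stale static route and the secondary address that put an inside
! subnet directly on the Internet-facing interface.
no ip route 10.99.0.0 255.255.0.0 192.0.2.254
interface Serial0
 no ip address 192.0.2.1 255.255.255.0 secondary
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
! Remote administration only from the inside subnet, with idle logout.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
 password Vty9-Maple-Lantern-17
 exec-timeout 5 0
 login
!
! Unused services: none of these is needed on an Internet edge router.
no ip http server
no cdp run
no ip source-route
!
! Verify: "show running-config | include password|secret" must show no
! plaintext, "show ip protocols" must list no RIP, and "show ip route"
! should show only the connected networks and the single default route.
```

If the router's IOS image includes the crypto feature set, the vty lines should additionally be restricted to SSH (`transport input ssh`) so that the password is not sent in clear text across the LAN; on a non-crypto image the `access-class` restriction above is the only control available.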





(3) Data Traffic

- Data loss is costing approx. 75% of the cost of all network systems and hardware: estimated losses due to LAN data loss and incorrect configuration are approx. $8,000.00, against an estimated cost of $12,000 for all data center hardware
- Zero room for network growth or for adding services to the BCC network
- Utilization regularly exceeds the media maximum. This is a major contributor to the $8,000.00 in losses mentioned above
- No way to determine the network resources actually required while the current problems remain in the environment
- Move all systems in-house to reduce administration and support costs


(4) Collocation

- Huge money-pit with no value or added benefit, costing approx. $3500.00/month in losses
- Proof of value add or benefit must be made, and should be visible as production increases and reduced administration and support costs
- Network design is sub-optimal (daisy-chained network connections, as in the BCC corporate environment)
- Cooling is sub-optimal (the colo is hotter than the BCC data center)
- Data backups are failing and the tape-change service is not catching or fixing the problem. No value here, but at an expensive price
- Should never be used as the primary data center for BCC
- Excellent choice for a backup data center or disaster recovery site
- All collocated systems should be moved in-house, producing an estimated cost savings of approx. $37,500.00/year


II. Security Problem Summary

(5) Systems & Network Security



- Firewall is inadequate for BCC needs, and its operating system has known flaws that let certain traffic (IPX) through no matter how it is configured. Firewall must be replaced ASAP!
- Remote access to network devices must be controlled and secured (currently there is no encryption of the Internet router passwords, and the passwords are easily guessed)
- Email security does not exist (all BCC email can be intercepted, modified and manipulated by any Internet entity)
- AntiVirus is not managed effectively (must implement the Symantec client/server AV solution ASAP; many systems are currently unprotected)
- Data backups should be fixed and jobs reconfigured ASAP (GFS must be implemented to meet federal guidelines for financial institution data backup and retention)







- BCC is in danger daily of losing millions of dollars and months' worth of work due to failing and incomplete data backups


III. Systems Problem Summary

(6) Email System



- Email system is inadequate for BCC needs (must replace with an Exchange solution ASAP!)
- Move the email system in-house to reduce administration and support costs
- Current email system cannot scale to meet BCC needs and growth
- Current email system is completely insecure and vulnerable to any Internet entity


(7) SQL Systems

- Move the collocated SQL system in-house to reduce administration and support costs


(8) Web

- Move the collocated Web system in-house to reduce administration and support costs
- Upgrade Web server hardware to meet current and expected demand for services


(9) Workstations

- Standardize on a single vendor for hardware
- Use a leasing option for all BCC workstations to reduce the Total Cost of Ownership


(10) Servers

- Most servers are on outdated hardware and not able to grow with BCC needs
- All servers are behind on security patches and updates (must get all servers updated and security patches installed ASAP!)
- AntiVirus is not functioning on 6 out of 10 BCC servers (must get servers protected by AV ASAP!)
- Data backups are failing or incomplete on all servers (must get data backups fixed and run a complete backup ASAP!)
- All server connections to the network should be statically set to 100 Mb/Full Duplex, on both the server NIC and the switch port, since forcing one side only produces a duplex mismatch







- Unnecessary applications and services should be removed from all servers (currently most servers are running SMTP, IIS and other services that create unnecessary security risk)
- Standardize on a single vendor for server hardware (must STOP the practice of buying outdated, non-warranted, unsupported hardware)
- Use a leasing option for all BCC servers to reduce the Total Cost of Ownership
- Estimated cost of an outage of a non-warranted server is 100+ times that of a supported server
- Move all servers from the collocation in-house to reduce administration and support costs


(11) Administration

- BCC should implement a HelpDesk solution to better service the user base as well as track IT workloads and projects
- An SNMP management system should be implemented to create a proactive network and system management environment
- Insight Manager should be implemented on all Compaq servers to create a proactive server management environment