Mr Singh Task 3


Project Proposal: Secure and Scalable Network Upgrade for SkyLink Financial Systems Ltd

1.0 Executive Summary

This proposal outlines a comprehensive plan to address the critical network connectivity and cyber security issues at SkyLink Financial Systems Ltd. The current network is unfit for purpose, suffering from performance bottlenecks, severe security vulnerabilities, and an inability to support planned growth. Our solution involves migrating key services to a cloud-based Microsoft 365 platform, segmenting the network, implementing a robust firewall, and enforcing strict security policies. This will resolve immediate connectivity problems, mitigate insider and external threats, and create a scalable, resilient infrastructure for future expansion. The total estimated initial investment is £11,500 with an ongoing annual subscription cost of £10,800.

2.0 Analysis of Network Connectivity Issues

The current network suffers from several critical issues that impact performance and security:

  • Inadequate DHCP Scope: The DHCP scope (192.168.1.2-192.168.1.201) only provides 200 addresses for 220+ devices, leading to IP address exhaustion and connection failures for employees.
  • Underpowered Network Hardware: The domestic ISP router is a major bottleneck, unable to handle the traffic of a 220-user company, causing slow network performance and dropped connections.
  • Unsecured and Misconfigured VPN:
    • The VPN server has a maximum of 12 connections, which is insufficient for the 15 Drone Display teams, creating a connectivity lottery.
    • The use of a shared administrator account (Admin) with a weak password (12345678) and no encryption requirement is a severe security risk.
    • Table 1 shows multiple unauthorised devices (e.g., Becky’s iPhone, Tom’s iPhone) using the Admin account to connect, indicating credential sharing and a complete lack of access control.
  • Poor Wireless Security: The open WiFi network (192.168.2.1) with no password provides a potential entry point for attackers to launch attacks against the company network or compromise guest devices.
  • Outdated Server Operating System: The File and Print Server running Windows Server 2008 is end-of-life, receiving no security updates, making it highly vulnerable to exploitation.
  • Lack of Network Segmentation: All devices (servers, HR PCs, Display Creation PCs) are on a single, flat network (192.168.1.0/24). This means if one device is compromised, an attacker can move laterally to access critical servers like the Display Information Server.

3.0 Proposed Solutions to Resolve Issues and Meet Business Needs

Our proposal is centred on a "Zero Trust" model, where nothing inside or outside the network is trusted without verification.

1. Migrate to Microsoft 365 Cloud Platform:

  • Solution: Replace the on-premises File/Print and VPN servers with Microsoft 365 E3 licenses.
  • Justification:
    • Resolves Connectivity: Provides seamless, secure remote access via Azure Active Directory and Conditional Access policies, eliminating the VPN bottleneck. Users can access files and applications from any device, anywhere.
    • Addresses Business Needs: SharePoint Online replaces the file server; Microsoft Teams facilitates collaborative communications; OneDrive provides personal cloud storage. This supports a growing and potentially remote workforce.
    • Enhances Security: Includes always-up-to-date Office apps, advanced threat protection, and data loss prevention, mitigating risks from outdated software.

2. Implement a Professional Firewall and Network Segmentation:

  • Solution: Replace the domestic router with a business-grade firewall (e.g., FortiGate 60F).
  • Justification:
    • Resolves Connectivity: A powerful firewall can handle the traffic of 220+ users without performance issues.
    • Addresses Business Needs: We will create segmented Virtual LANs (VLANs):
      • VLAN 10 - Corporate Users: For HR and general staff.
      • VLAN 20 - Development & Display Creation: For the Display Creation team.
      • VLAN 30 - Servers: For the remaining on-premises servers.
      • VLAN 40 - Guest WiFi: Isolated from the corporate network.
    • Firewall rules will strictly control traffic between VLANs, ensuring users only access what they need for their role.

3. Secure Remote Access for Drone Display Teams:

  • Solution: Implement Always On VPN or leverage Microsoft Defender for Endpoint for the corporate mobile devices used by Drone Display teams.
  • Justification: This provides a dedicated, secure, and always-on connection for authorised corporate devices only, replacing the flawed VPN system. Access will be conditional on device compliance (e.g., encrypted, up-to-date).

4. Infrastructure Hardening:

  • Solution:
    • Decommission the Windows Server 2008 machine.
    • Configure the WAP with a separate password for a guest network.
    • Implement a formal process for assigning static IPs only to critical infrastructure.
    • Expand the DHCP scope to 192.168.1.2-192.168.1.254.

4.0 Equipment, Software, and Cost Justification

| Item | Type | Quantity | Justification | Cost (One-Time/Annual) |
|---|---|---|---|---|
| Microsoft 365 E3 | Cloud Subscription | 220 User Licenses | Replaces on-premises file server, VPN, and provides email, collaboration, and advanced security features. Essential for secure remote work. | £10,800 per year (£41.40/user/year est.) |
| FortiGate 60F | Hardware (Firewall) | 1 | Provides the processing power for 220+ users, enforces network segmentation, and includes advanced security services (IPS, Anti-Virus). | £700 (one-time) |
| New Switch | Hardware | 1 | A managed switch is required to properly configure the proposed VLANs for network segmentation. | £500 (one-time) |
| Staff Training | Service | 1 Programme | Critical for mitigating insider threats. Regular, mandatory security awareness training to educate staff on phishing, social engineering, and secure practices. | £500 (one-time) |
| Total Initial Investment | | | | £1,700 |
| Total Ongoing Annual Cost | | | | £10,800 |

Costings are estimates for budgeting purposes.

5.0 Cyber Security Issues and Mitigations

| Cyber Security Issue | Proposed Mitigation |
|---|---|
| Insider Threat & Weak Access Controls | Implement the Principle of Least Privilege via Azure AD. Enforce Multi-Factor Authentication (MFA) for all users. Regular access reviews will be conducted. |
| Unauthorised Remote Access | Decommission the old VPN. Use Azure AD Conditional Access policies to only allow remote access from compliant, corporate-owned devices (the Drone Display team laptops). This blocks access from personal phones and unauthorised devices. |
| Outdated Software & OS | Migrating to Microsoft 365 ensures all Office apps and Windows 10/11 are kept automatically updated. A formal patch management policy will be implemented for the remaining Display Information Server. |
| Lack of Network Segmentation | The new firewall and VLAN configuration will segment the network. If the HR VLAN is compromised, the attacker cannot directly access the Development VLAN or Servers. |
| Unsecured WiFi | The guest WiFi will be placed on a separate VLAN with a password and a firewall policy that only permits internet access, blocking all traffic to the corporate network. |

6.0 Annotated Network Topology Diagram

[Below would be a professionally drawn diagram. This is a detailed textual description of that diagram.]

Proposed Network Topology Description:

  1. Internet Connection: Terminates into the new FortiGate 60F Firewall.
  2. Core Switch: A managed switch connected to the firewall.
  3. Network Segments (VLANs):
    • VLAN 10 (Corporate - 192.168.10.0/24): Connects HR and general staff PCs. Firewall rules allow internet access and access only to specific shares on the cloud (SharePoint).
    • VLAN 20 (Development - 192.168.20.0/24): Connects the Display Creation team PCs. Firewall rules allow internet access and strictly controlled access to the Display Information Server in the Server VLAN.
    • VLAN 30 (Servers - 192.168.30.0/24): Contains the Display Information Server (with a static IP). Highly restricted firewall rules dictate which VLANs can communicate with it and on which ports.
    • VLAN 40 (Guest WiFi - 192.168.40.0/24): The Wireless Access Point is connected here. A firewall rule allows guest devices to access the internet but blocks all traffic to VLANs 10, 20, and 30.
  4. Cloud Services (Microsoft 365): Depicted as a cloud symbol, showing connections from all corporate VLANs and remote Drone Display teams via secure, encrypted sessions.
  5. Remote Access: Drone Display teams' corporate laptops connect directly to Microsoft 365 services via a secure connection, authenticated and authorised by Azure AD Conditional Access policies. The old VPN server is removed from the diagram.
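As an added example (not part of the proposal or of any vendor's configuration), the inter-VLAN policy described in sections 3.0 and 6.0 modelled as an ordered, default-deny rule table, with a check that a compromised host in one VLAN cannot reach the others. The VLAN subnets are the proposal's; the Display Information Server address (192.168.30.10), its service port (TCP 443) and the sample host addresses are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# VLAN subnets as listed in section 6.0 of the proposal.
VLANS = {
    "corporate": ip_network("192.168.10.0/24"),    # VLAN 10 - HR and general staff
    "development": ip_network("192.168.20.0/24"),  # VLAN 20 - Display Creation team
    "servers": ip_network("192.168.30.0/24"),      # VLAN 30 - Display Information Server
    "guest": ip_network("192.168.40.0/24"),        # VLAN 40 - guest WiFi
}
# Assumption (the proposal gives no value): the server's static address and service port.
DISPLAY_INFO_SERVER, DISPLAY_INFO_PORT = "192.168.30.10", 443

@dataclass(frozen=True)
class Rule:
    src_zone: str             # VLAN name or "any"
    dst_zone: str             # VLAN name, "internet" or "any"
    dst_host: "str | None"    # one destination address, or None for the whole zone
    dst_port: "int | None"    # one TCP port, or None for all ports
    action: str               # "allow" or "deny"

# First match wins; anything unmatched is denied, so every permitted inter-VLAN path is explicit.
POLICY = [
    Rule("guest", "internet", None, None, "allow"),
    Rule("guest", "any", None, None, "deny"),  # no guest traffic into VLANs 10/20/30
    Rule("development", "servers", DISPLAY_INFO_SERVER, DISPLAY_INFO_PORT, "allow"),
    Rule("corporate", "internet", None, None, "allow"),
    Rule("development", "internet", None, None, "allow"),
]

def zone_of(ip: str) -> str:
    """Map an address to its VLAN; anything outside the four subnets is treated as internet."""
    addr = ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "internet")

def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the action the firewall would take for one TCP flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if (r.src_zone in ("any", src) and r.dst_zone in ("any", dst)
                and r.dst_host in (None, dst_ip) and r.dst_port in (None, dst_port)):
            return r.action
    return "deny"  # implicit default deny

def zones_reachable_from(src_zone: str, ports=(22, 443, 445, 3389)) -> set:
    """Lateral-movement check: other VLANs a host in src_zone can reach on common ports."""
    hosts = {"corporate": "192.168.10.20", "development": "192.168.20.7",  # constructed
             "servers": DISPLAY_INFO_SERVER, "guest": "192.168.40.5"}      # sample hosts
    return {z for z, ip in hosts.items() if z != src_zone
            and any(evaluate(hosts[src_zone], ip, p) == "allow" for p in ports)}
```

Running `zones_reachable_from` for each VLAN shows only the Development VLAN has a path into another segment, and only to the one server and port the policy names.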
