COIT13146 System and Network Administration Final Project, Term 1 2017 vt117

COIT13146 - System and Network Administration
Final Project Requirements – Period of Study 1, 2017

Introduction

The final project tests your ability to put together the skills learned in previous weeks and present them as an application of your knowledge and skills to a small business network. So as you read through the requirements, consciously relate them to relevant work you’ve already completed. The small business network represents the capstone of this course – it is what all the previous assignments have led to, and is the reason that it takes the bulk of the assessment weighting. Some additional research and reading may still be required.

Any questions of clarification or requests for help for the Final Project should be raised on the Course Forum under the topic 'Final Project'.

The Scenario

You are required to set up and install a small network and set of servers to support a small company, which operates a tomato packing plant. The plant has 10 permanent employees and around 25 part-time and casual employees. Of the 10 permanent employees, 5 work full-time in the office and already have a fully configured networked workstation computer each. One high-capacity networked laser printer serves the entire plant.

The company requires a forward-facing (connected to the Internet) Web Server that is located onsite in the main office. The National Broadband Network has just been enabled in the area so a high-speed Internet connection is now available.

An existing computer, Wally, used by permanent employees to store various documents (spreadsheets, databases, etc), will need to be integrated as the File Server into the new network. Wally runs Microsoft Windows or MacOS* as the operating system and is backed up daily via a physically attached high-speed tape drive with proprietary driver software.
All new servers should mount a shared space on Wally to save backups to. These will then form part of the backup process already operating on the Wally server.

*If you are not using Windows or Mac as your host OS (hosting VirtualBox with your VMs) you can use whichever you do have, e.g. Linux.

The Network Summary

A single internal network is to be created, using DHCP to configure all networked devices. All internal servers should be allocated a fixed IP address by the DHCP server and have a fixed server name as specified below. All other client hosts (e.g. workstations, printer) should be allocated an IP address from a range of IP addresses.

You do not need to configure the workstations and printer – assume they have already been set up. However, you should include them in your network diagram as they are part of the network. What you need to set up (configure) are the internal servers and their connection to the file server. These internal servers are described below.

The Servers and their names

General

To provide simple, robust and secure systems throughout the company, the following standards and recommendations have been agreed to and must be adhered to for all systems:

* all servers will be Ubuntu based (excluding Wally). You are to use the given server names (shown bracketed) – do not invent your own.
* lighttpd will be used for web servers
* Samba client is used for all internal file sharing requirements (i.e. Ubuntu servers accessing the Windows file server should have Samba client installed).
* all new systems must be hardened and scanned for security issues prior to being made available for use
* intrusion detection and prevention systems (IDPS) must be running at all times
* appropriate password aging must be implemented on all servers

DHCP Server [Hiccups]

A small, secure, dedicated server named Hiccups should be created that provides automatic server and client network configuration using DHCP. Only support staff will have access to this server.

DHCP configuration must be backed up regularly and a simple recovery procedure must be developed in the event of DHCP primary server failure. It is required that one of the other servers (chosen by you) be set up as a manual failover time-synced DHCP server with changeover procedures detailed in the recovery procedure.

All internal servers should have fixed IP addresses assigned to them from the DHCP server, based on their MAC addresses. The internal network IP address range to be used is 192.168.35.0/24.

Web Server [Spiderman]

The Web Server (Spiderman) offers outsiders an overview of the organisation and provides potential casual staff with forms and facilities to apply for any available position within the company. The Server also hosts general information for the public such as press releases and promotional content. The webpages and content are designed and maintained by an external web developer on contract.

Key requirements for Spiderman are that lighttpd and php5 must be available on the server and that the server be very secure. Only support staff and the web developer should have access to the Web Server itself.

File Server [Wally]

The existing Microsoft Windows or Mac computer hosting your VB will act as the “external file server.” Wally is the only external server in the network: all other servers are internal.
Company IT policy is that all Client machines on the internal network, whether Windows, MacOS or Linux machines, will access the Windows File Server using Samba shares.

All of the organisation's servers and data should be backed up to Wally over the network. All backup procedures must be scripted, well documented and operations limited to a backup group consisting of staff members.

The File Server will hold the most recent backups of all systems, data and files, on disk, to allow for fast retrieval/restore of data, files and systems. All long-term backups will be removed from the server once they have been written to tape by third-party backup software and stored offsite.

Server backup scripts must generate a text file, listing all files that were backed up, with details including timestamp and ownership details, which should be stored with the backup file (use the same name but with a different extension).

All backups must be named appropriately and placed into a single directory named \\Wally\backup, on the Ubuntu Server.

We can assume that third-party backup software is installed on the File Server, which automatically writes the backups to a tape backup system. The tape backup system itself is outside our scope here. Assume that retrieval of long-term backup file sets is simply a matter of typing the backup file set name into the third-party software and it will prompt for the required tape to be inserted and then restore the file set to the \\Wally\restore directory on the File Server. From there, you supply the script to access the restored files via Samba client and restore them to the appropriate server or client.

Gateway/Firewall [Lockwood]

A hardened Gateway/Firewall server (Lockwood) should be placed between the internal network and the Internet. At this time there are no restrictions on inside staff accessing external networks.
However, access to the Web Server from outside should be limited to the organisation's Web Server and support staff, who must use SSH to access systems from outside. You are expected to use the iptables/SSH techniques previously learned, for limiting or allowing access as required.

IDPS [Sentinel]

A server (Sentinel) with suitable software for detecting, reporting and preventing all suspicious activity on the network should be installed and configured. Email alerts should be sent to your own email.

Email – no separate server required

The organisation finds it much easier to use Gmail for all of its email requirements, so no internal Email server is required. However, all server security 'alerts' should be sent to a generic support email address (use your own for this).

Submission

The following items make up the Final Project submission.

1. A single Word document named TomatoPlant.docx, with table of contents, containing all installation, configuration, processes and procedures used to develop the system. The document must include the following in the order listed:
   a) Installation and configuration details of the servers DHCP, WEB, GATEWAY and IDPS.
   b) Backup and recovery procedures that would allow any IT staff, even those not familiar with backup/recovery methods, to perform backup and recovery of all servers if needed.
   c) Details of Failover arrangements and procedures in the event of failure of the primary DHCP server.
   d) Details of the network configuration. This should consist of:
      i. a table of servers with MAC addresses, allocated IP addresses, client IP address ranges and;
      ii. a well labelled diagram of the entire network showing all network members. The diagram must be embedded and viewable in the Word document; do not attach it as a separate file.
   e) Details of general procedures and actions required to be taken in the event of an attempted attack/security breach.
      Assume that the attempt has been detected.
   f) Details of general procedures and actions to be taken in the event of a significant security breach actually occurring e.g. unauthorised access to the Web Server. Assume that the breach has just occurred.
      Hint: e) and f) differences: Your answers should reflect essential differences in response to attempted breaches and actual breaches.
   g) Details of how support staff gain access to internal systems from outside of the network. This should be detailed enough to give a new support staff member a good idea of how they are supposed to access the internal systems from their home.
   h) Details outlining how all servers have been hardened against security attacks.
   i) Details of system/security alerts - what/where alerts are generated and where they are sent. Write this so that your boss, who is not a systems administrator, could read it in your absence and understand exactly how alerts are generated and where they are sent.
   j) Details of the password aging policy and implementation. The policy should be appropriate to the organisation, and detail exactly how it is implemented in the system.

   Tips:
   i. Keep notes on each server as you progress. You can use these to provide the required details listed above.
   ii. Back up your servers, clients, notes and configuration files regularly - loss of these due to hardware or software failure will not be accepted as a reason for problems with submitting the project.
   iii. Do not repeat yourself e.g. if you list details for a base server installation, which is used by most/all servers, only do that once. Do not include details about VirtualBox installation or configuration - we are only interested in the servers and network details.

2. Submit the following configuration files and scripts:
   a) All backup scripts, which must be well documented and clearly referred to in the TomatoPlant.docx document.
      Sample backup script output for each server named as $SN.BackupOutput.txt, where $SN is the server name. Include a backup.readme.txt file that summarises the files you have submitted.
   b) iptables rules used on the gateway/firewall - submit as a well-documented and executable script. Ensure it is named appropriately.
   c) /etc/passwd, /etc/group and /etc/sudoers (or sudoers.d) files for all servers. Name them as follows, substituting the server name for $SN:
      $SN.passwd e.g. Lockwood.passwd
      $SN.group e.g. Spiderman.group
      $SN.sudoers e.g. Hiccups.sudoers or Hiccups.sudoers.d.xxx

3. Summarise results of security scans performed on each server. Submit as a single Word document named SecurityScans.docx.

4. Assume that the hard disk on the Web Server has failed. Rebuild the entire server using your recovery procedures in 1b). Provide full details of the process including details of where your recovery procedures failed or can be improved.
   You must provide 'proof' that you have rebuilt your Web Server by providing screen shots of the recovery process where appropriate. Include relevant sections of the /var/log/auth.log file showing the relevant commands being performed using sudo. These must be full entries including date/time stamps etc. Submit as a single Word document named WebServerRestore.docx.

How to submit:

Include all your documents and files as outlined above in a single zip file named FinalProject.zip.

Images courtesy of James Barker/FreeDigitalPhotos.net
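The File Server [Wally] section requires each backup to be stored with a text file of the same name and a different extension, listing every file backed up with its timestamp and ownership. The following is an added example, not part of the original brief, of one way to meet that requirement. The function name make_backup, the file naming scheme, and the assumption that the Wally backup share is already mounted at a local directory are all hypothetical.

```shell
#!/bin/sh
# Added example (not from the brief): archive a directory and write a
# manifest beside it. The third argument stands in for the local mount
# point of the \\Wally\backup share (assumed to be mounted already).

# make_backup SERVER SRC_DIR BACKUP_DIR
# Prints the path of the archive on success, returns non-zero on failure.
make_backup() {
    server=$1
    src=$2
    dest=$3

    [ -d "$src" ] || { echo "source $src is not a directory" >&2; return 1; }
    # Refuse to run if the share is not mounted or not writable, so a
    # backup is never silently written to the local disk instead.
    [ -d "$dest" ] && [ -w "$dest" ] || {
        echo "backup directory $dest missing or not writable" >&2
        return 1
    }

    stamp=$(date +%Y%m%d-%H%M%S)
    base="$dest/$server.$(basename "$src").$stamp"

    # -C keeps the stored paths relative to the parent of SRC_DIR.
    tar -czf "$base.tar.gz" -C "$(dirname "$src")" "$(basename "$src")" || return 1

    # Build the manifest from the archive itself, so it lists what was
    # actually stored: permissions, owner/group, size, mtime and path.
    {
        echo "# backup of $server:$src taken $stamp"
        tar -tzvf "$base.tar.gz"
    } > "$base.txt" || return 1

    echo "$base.tar.gz"
}

# Constructed demo: run with --demo to back up a throwaway directory.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/www" "$demo/share"
    echo "sample page" > "$demo/www/index.html"
    archive=$(make_backup Spiderman "$demo/www" "$demo/share") && cat "${archive%.tar.gz}.txt"
    rm -rf "$demo"
fi
```

Because the manifest is generated by listing the finished archive, a file that failed to be stored will be absent from the list rather than reported as backed up.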