OVERVIEW
INTRODUCTION
As technology advances, networking has shifted from wired to wireless solutions and has become essential across industries. This evolution prompts the development of a networking model tailored for small and standard businesses. The advantages of effective networking for these businesses are significant: better connectivity and collaboration.
It also improves the system's performance, quality and management efficiency, as well as information security and problem-solving in the operation of network systems.
Security and redundant monitoring are essential elements of computer network design, since they significantly improve the oversight and adjustment of network policy. Implementing a redundancy model lets organizations worry less about equipment failures and gives staff enough time to address and resolve issues.
Due to the significance of computer networks in enterprises, our group's topic
The design of a network tailored for standard and small-sized enterprises is essential for effectively addressing business needs. This includes implementing VLANs for departmental segmentation, establishing a server, and incorporating a VPN, redundant firewalls and redundant Internet connections. Our findings will demonstrate the operational viability of this network model.
OBJECTIVES
In this study, we design and simulate a network for standard or small-size enterprises with the following features:
● Designing and implementing a network for an enterprise which will be monitored by ADAudit Plus software
● The network system is designed with 3 departments, an internal server using Windows Server in order to use ADAuditPlus to monitor employees, and also has a local website
● The network system has a redundant plan for the firewall in case it has trouble
● The network system is integrated with VPN that supports secure connections for remote branches
● The network system has two Internet connection lines
● The network is simulated and tested on EVE-NG software
This article explores the advantages and disadvantages of various models and devices through research, analysis and design considerations. It aims to recommend the design solutions that offer the most logical options for both standard and small-sized centers, ultimately maximizing savings.
1.3 THE URGENCY OF THE STUDY
With 68.17 million Internet users, Vietnam is regarded as one of the top 20 nations with the highest Internet usage rate in the world; this figure accounts for 70% of the country's total population [1]. As the number of users grows, so does the number of shortcomings, such as security vulnerabilities and hackers. According to a cybersecurity survey, Vietnam is one of the groups most susceptible to attack. State agencies, banks, firms and enterprises all have a high degree of responsibility and are adequately safeguarded, but they are still susceptible to infiltration, disruption and data theft for a variety of reasons. In addition to enhancing the productivity and professionalism of organizations and enterprises, the establishment and management of network systems is crucial to preventing the problems listed above.
SCOPE OF RESEARCH
Our research emphasizes achieving high network availability for organizations with fewer than 200 employees. This network model allows employees to access both local websites and the Internet seamlessly. Additionally, administrators can monitor user accounts with the ADAuditPlus software.
REPORTS LAYOUT
This report has five chapters as follows:
● Chapter 1: Introduce the topic, the research scope and the methodology
● Chapter 2: Introduce the techniques and services used in the project
● Chapter 3: Design of the network system
● Chapter 5: Draw conclusions and future work for the network
THEORETICAL BASIS
LAN
A local area network (LAN) is a networking system that connects devices within a specific physical location, such as a building, office or home. LANs vary in size, from a single user's home network to extensive corporate networks serving thousands of users and devices in offices or schools. Other types of networks include the WAN (Wide Area Network) and the WLAN (Wireless Local Area Network), each serving different connectivity needs.
A client/server LAN consists of multiple client devices connected to a central server, which manages file storage, application access, device connectivity and network traffic. Any device that runs applications or connects to the Internet is classified as a client, and clients can connect to the server over wired or wireless connections.
Application suites are commonly hosted on LAN servers, allowing users to access services such as databases, email, document sharing and printing, with access permissions managed by network or IT administrators. Client/server LANs are prevalent in most midsize to large networks across the commercial, government, research and educational sectors.
A peer-to-peer LAN is typically smaller than a client/server LAN because it has no central server, which limits its ability to handle large workloads. In this network model, each device plays an equal role in network operations and contributes to its overall functionality.
VLAN
Virtual Local Area Networks (VLANs) are logical groupings that let devices share the same broadcast domain. Configuring VLANs on switches typically means assigning specific interfaces to distinct broadcast domains. Each VLAN is a subset of the Ethernet LAN's switch ports, which improves network organization and efficiency.
Figure 2: Virtual Local Area Networks [3]
Virtual local area networks organized by port: in this sort of VLAN, switch ports are manually assigned as VLAN members.
Because the ports are configured with the same VLAN number, all devices connected to those ports are part of the same broadcast domain.
This type of VLAN handles traffic according to its protocol, which can be used to build filtering criteria for tagging untagged packets.
In a VLAN organized by layer-3 protocol, the protocol carried in the frame identifies VLAN membership; this works across mixed protocol environments, but it is not practical in networks based primarily on IP.
This type of VLAN assigns incoming untagged packets to a virtual LAN based on the packet's source address, thereby classifying traffic by source.
Network segmentation enhances security, reliability and efficiency within a network. By using VLANs, organizations can isolate visitor traffic from employee traffic, optimizing network performance and safeguarding sensitive information.
It allows users to connect to the Internet as well as to another network. VLANs can also be used to limit employee access to sensitive or unnecessary data [7].
A VLAN subdivides the LAN. When transferring data, the system sends within a single VLAN and does not communicate with other VLANs; this reduces the amount of data and conserves bandwidth.
TRUNKING
A trunk serves as a unified communication channel that enables multiple entities at one end to connect with the corresponding entity at the other end. Its most recognized application is in telecommunications, where it connects switching centers and establishes multi-signal lines.
Trunking DOT1Q (IEEE 802.1Q): DOT1Q trunking inserts a 4-byte tag after the source address of the Ethernet frame.
Network Address Translation (NAT) is a technique that allows multiple local private IP addresses to be mapped to a single public IP address for data transmission. This method is commonly employed by organizations and home routers to let several devices share one IP address. There are three types of NAT: Static NAT, Dynamic NAT and NAT Overload; this study focuses on NAT Overload.
NAT Overloading, or Port Address Translation (PAT), allows multiple private IP addresses to be mapped to a single public IP address by using different ports. This many-to-one mapping enables numerous internal private IP addresses to use a single public IP address efficiently.
IP SLA (IP Service Level Agreement) is a feature of Cisco IOS that allows routers to send probe traffic to designated destinations. By analyzing the responses received, it measures key performance metrics and provides statistics on network service quality and link performance. This functionality is commonly used in network management tasks.
HA
Information technology is essential for effective communication in corporate management, enhancing competitiveness and operational efficiency. Consequently, network computing systems are designed for constant availability, ensuring reliable data communication both internally and externally.
High Availability (HA) is essential for redundancy in network architecture, allowing hosts to maintain continuous access to critical servers, whether on the network or on the Internet. Many modern enterprise network architectures are equipped with HA capabilities to meet these requirements.
VPN
A VPN, or Virtual Private Network, encrypts your Internet traffic and conceals your online identity, making it more difficult for third parties to monitor your activities and access your data. By using a VPN, businesses can streamline connections between remote employees and the enterprise, eliminating the need for dedicated subscriber lines and routing all traffic securely over the Internet.
Safety and convenience are the primary benefits for remote employees. They have easy access to the enterprise's network for their work, while confidentiality is still maintained.
GRE, or Generic Routing Encapsulation, is a Cisco-developed protocol that encapsulates various network layer protocols in point-to-point networks. It is commonly used to create a GRE Tunnel for transporting data packets across different networks over the Internet. When GRE is enabled, a virtual tunnel is established between two routers, so packets can be routed between their respective internal networks through this tunnel.
Implementing dedicated lines between sites increases overall system cost, whereas a VPN offers a more cost-effective solution. A VPN-managed system also simplifies network management compared with traditional dedicated links.
A private network can be beneficial for launching your business, but the expense of expanding it can be high. By using a VPN server, you can grant access to both local and remote employees simultaneously. Additionally, mission-critical applications can be hosted in the cloud and accessed securely through the VPN's encrypted channel.
A VPN enhances your online privacy by encrypting your Internet connection, ensuring that your browsing activities and data remain confidential. It also conceals your IP address and geographic location, making it difficult for trackers to identify and monitor you.
EVE-NG
EVE-NG, or Emulated Virtual Environment – Next Generation, is an advanced version of Unetlab that offers a user-friendly web interface. This software simplifies the creation of nodes by using a library of available templates, making it accessible for users.
Advantages of using EVE-NG:
● It is free to use and suitable for beginners; it also has a web interface that is very easy to use
● Nodes can be marked by color as On or Off
● It supports different images. The search bar can filter information, which saves searching time.
WINDOWS SERVER
Microsoft Windows Server OS (operating system) is a series of enterprise server operating systems intended to give significant administrative control over data storage, applications and corporate networks.
Using a Windows server provides enhanced security, making it a safe choice for hosting websites. With a reliable Internet connection routed through the server, visitors can easily verify the security of your site and the protection of your data.
Multiple sockets exist on the server, allowing you to host multiple websites concurrently without interruption.
Windows is a widely recognized operating system that gives users easy access to its full range of functionality with a simple program launch. This familiarity and user-friendly interface make Windows a preferred choice for many enterprises.
2.6.2 Some of the main functions of Windows Server
There are so many functions of the Windows Server such as AD, DNS, IIS,
Active Directory serves as a centralized repository for managing organizational resources, including users, groups, devices, printers, applications and documents. This allows Active Directory administrators to oversee company information from a single source. Rather than authenticating user accounts locally, the domain controller manages all authentication processes.
The Domain Name System (DNS) is a critical server role that can be installed via Server Manager, via Windows PowerShell or manually. When setting up a new Active Directory forest and domain, DNS is installed automatically, enabling Active Directory to function as the Global Catalog server for the forest and domain.
Internet Information Services (IIS) is a Microsoft web server that runs on Windows and is used to serve static and dynamic web content to Internet users [14]. IIS may be used to host, deploy and manage web applications built with ASP.NET and PHP.
ADAuditPlus SOFTWARE
ADAudit Plus is an enterprise-wide change auditing software for Active Directory and File Server that includes reports and alerts.
ADAudit Plus offers user-friendly solutions through comprehensive reports and alerts that are accessible to those without technical expertise. It answers the key questions of Active Directory auditing: "Who did what, when, and from where?" In addition to presenting modification data, the audit solution lets users export results in various formats, including XLS, HTML, PDF and CSV, and provides printing options for clarity.
The workflow of ADAudit Plus is shown in the figure below:
Figure 8: The workflow of ADAudit Plus
ADAudit Plus tracks user and server activities, including domain policy changes, user account unlocks, and the creation of new accounts, presenting the findings in a comprehensive dashboard report.
SYSTEM DESIGN AND CONFIGURATION
SYSTEM REQUIREMENT
The network is designed for an enterprise with the following requirements:
● Three departments: Sales, Human Resources, IT departments
● An internal server to manage employees, a local website for internal enterprise
● Two firewalls for a redundant plan. If there is any problem with the primary firewall, the back-up firewall will replace it
● The network will have VPN for another branch of the enterprise to get in
● The enterprise will have 2 internet connection lines
● The whole network system will be simulated on EVE-NG software.
PROPOSED NETWORK MODEL
The enterprise has fewer than 200 employees and includes three departments; each department will have a maximum of 65 computers.
● IT Dept with the address 192.168.30.0/24
● Sales Dept with the address 192.168.10.0/24
● Human Resources Dept with the address 192.168.20.0/24
● Interface fa0/0 with IP address 192.168.2.1
● Interface fa1/0 with IP address 19.3.19.3
● Interface fa0/1 with IP address 3.19.3.19
● Interface fa0/0 with IP address 172.16.2.1
● Interface fa0/1 with IP address 30.4.30.4
Enterprise’s Network Model
To satisfy the above requirements, we propose the following network model for the company:
Figure 9: The Model of the Enterprise’s Network
The network model is monitored by ADAuditPlus on the Server. The enterprise has fewer than 200 employees in 3 departments, Sales, HR and IT. It has 2 Internet connection lines and 2 firewalls, one used as primary and one as back-up.
ENTERPRISE’S NETWORK SIMULATION
The network is simulated with EVE-NG software. The figure below shows the simulation of the network.
Figure 10: Simulate the Network of the Enterprise on EVE-NG
The green zone serves as the head office, housing the three departments, while the orange zone is the Internet zone, equipped with two Internet connection lines. The blue zone is the branch site.
NETWORK CONFIGURATION
The internal network of the enterprise will be organized into three VLANs to enhance departmental efficiency: VLAN10 for the Sales department, VLAN20 for the HR department, and VLAN30 for the IT department, which will also include a dedicated server.
Figure 11: Sales, HR, IT Departments.
First, we configure the VLANs for the departments on the switches with these commands (VLAN 10 for Sales, 20 for HR and 30 for IT, as planned above):
Switch(config)#vlan 10
Switch(config-vlan)#name SELL
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name HR
Switch(config-vlan)#exit
Switch(config)#vlan 30
Switch(config-vlan)#name IT
Switch(config-vlan)#exit
After configuring the VLANs on the core switch, we will see the result:
Figure 12: VLANs show on Core Switch
Similarly, we will see the result on access switches
Figure 13: VLAN of IT Department Shows on Access Switch
Besides, after configuring the VLANs on the access switches, we choose the ports through which devices connect to the VLAN on each access switch:
SW(config)#interface range et0/1-et1/3
SW(config-if-range)#switchport mode access
! VLAN 30 on the IT access switch shown in Figure 13; use 10 or 20 on the Sales and HR access switches
SW(config-if-range)#switchport access vlan 30
SW(config-if-range)#end
Below is the result after choosing ports that can access to VLAN:
Figure 14: Ports Connect to VLAN
Next, we will configure trunking on the core switch and access switches in order to send packets between VLANs and switches
On the core switch, trunking is configured on the uplink ports with the commands below:
! first select the uplink ports towards the access switches, e.g. interface range <trunk ports>
Switch(config-if-range)#switchport trunk encapsulation dot1q
Switch(config-if-range)#switchport mode trunk
Switch(config-if-range)#switchport trunk allowed vlan 10,20,30,40
Below is the result of trunking configuration on core switch:
Figure 15: Trunking Configuration on Core Switch
Next, we configure trunking on each access switch's uplink with these commands:
! first select the uplink port towards the core switch, e.g. interface range <trunk port>
Switch(config-if-range)#switchport mode trunk
Switch(config-if-range)#switchport trunk allowed vlan 10,20,30,40
Below is the result of trunking configuration on access switch:
Figure 16: Trunking Configuration on Access Switch
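To make the 4-byte 802.1Q tag and the "allowed vlan" filtering above concrete, here is an added Python model (not part of the report or any vendor code). It tags a frame the way an access port does, shows the tag landing at byte offset 12 right after the source MAC, and applies the trunk's allowed list; the native VLAN value of 1 is an assumption (the IOS default), which is why an untagged frame is refused by a trunk that only allows 10,20,30,40.

```python
import struct

TPID_8021Q = 0x8100                   # EtherType value that marks an 802.1Q tag
ALLOWED_ON_TRUNK = {10, 20, 30, 40}   # 'switchport trunk allowed vlan 10,20,30,40' from the report
NATIVE_VLAN = 1                       # IOS default native VLAN for untagged frames on a trunk (assumption)


def build_ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: 6-byte destination, 6-byte source, EtherType, payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag right after the source MAC (byte offset 12).

    The tag is the TPID (0x8100) followed by the TCI: 3 bits PCP, 1 bit DEI, 12 bits VID.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_vlan(frame: bytes):
    """Return (vid, frame_without_tag) for a tagged frame, or (None, frame) if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def access_port_ingress(frame: bytes, access_vlan: int) -> bytes:
    """An access port ('switchport access vlan N') tags everything it receives with its own VLAN.

    A stray tag arriving on an access port is stripped here; real switches drop mismatched tagged frames.
    """
    _, untagged = parse_vlan(frame)
    return tag_frame(untagged, access_vlan)


def trunk_forward(frame: bytes, allowed=ALLOWED_ON_TRUNK, native_vlan: int = NATIVE_VLAN) -> bool:
    """Trunk decision: the frame's VID (or the native VLAN when untagged) must be in the allowed list."""
    vid, _ = parse_vlan(frame)
    effective_vid = native_vlan if vid is None else vid
    return effective_vid in allowed


# Constructed sample frame: broadcast destination, locally administered source MAC, IPv4 EtherType.
SAMPLE_FRAME = build_ethernet_frame(b"\xff" * 6, bytes.fromhex("020000000001"), 0x0800,
                                    b"\x45" + b"\x00" * 19)


def sales_pc_to_core(frame: bytes = SAMPLE_FRAME):
    """Frame from a Sales PC: tagged VLAN 10 by its access port, then checked against the core trunk."""
    tagged = access_port_ingress(frame, 10)
    return parse_vlan(tagged)[0], len(tagged) - len(frame), trunk_forward(tagged)
```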
To configure the default route on the SITEA router, enabling all packets from the firewall to access the Internet, use the appropriate commands on the SITEA router.
Below is the result of default route:
Figure 17: Default Route Configuration on SITEA Router
To ensure all the computers from departments can connect to the Internet with only one public IP, we need to configure NAT Overload for the enterprise
First, we create an access list that permits the VLAN subnets to be translated, with the commands below:
! named standard ACL; the 0.0.0.255 wildcard masks are assumed from the /24 department subnets
SITEA(config)#ip access-list standard NAT_VLANS
SITEA(config-std-nacl)#permit 192.168.10.0 0.0.0.255
SITEA(config-std-nacl)#permit 192.168.20.0 0.0.0.255
SITEA(config-std-nacl)#permit 192.168.30.0 0.0.0.255
SITEA(config-std-nacl)#permit 192.168.2.0 0.0.0.255
SITEA(config-std-nacl)#exit
Below is the result of creating an access list:
Figure 18: NAT_VLANS access list
To configure the route map for prioritizing Internet lines and determining which addresses will be routed, use the following commands.
SITEA(config)#route-map INTERNETB permit 20
SITEA(config-route-map)#match ip address NAT_VLANS
SITEA(config-route-map)#match interface fa1/0
SITEA(config-route-map)#exit
SITEA(config)#route-map INTERNETA permit 10
SITEA(config-route-map)#match ip address NAT_VLANS
SITEA(config-route-map)#match interface fa0/1
Below is the result of route-map configuration:
To accommodate multiple computers within the enterprise, we use the NAT Overload method for external connectivity. The following commands bind each route-map to the outside interface whose address the translated packets will use.
SITEA(config)#ip nat inside source route-map INTERNETA interface FastEthernet0/1 overload
SITEA(config)#ip nat inside source route-map INTERNETB interface FastEthernet1/0 overload
Below is the result of configuring to connect to the outside port:
Figure 20: Connect to The Outside Port
To mark the inside (local) interface, we use the commands below:
! fa0/0 (192.168.2.1) is the interface facing the firewall and the internal VLANs
SITEA(config)#interface fa0/0
SITEA(config-if)#ip nat inside
SITEA(config-if)#duplex full
Below is the NAT Inside configuration on SITEA router:
Figure 21: NAT Inside on SITEA Router
To mark the interfaces that connect to the outside, we use the commands below:
SITEA(config)#interface fa0/1
SITEA(config-if)#ip nat outside
SITEA(config-if)#duplex full
SITEA(config-if)#exit
! fa1/0 (19.3.19.3) is the second Internet connection line
SITEA(config)#interface fa1/0
SITEA(config-if)#ip nat outside
SITEA(config-if)#duplex full
Below is the NAT Outside configuration on SITEB router:
Figure 22: NAT Outside on SITEB Router
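The following added Python model (not from the report or from Cisco) walks through what the NAT_VLANS access list and the NAT Overload configuration above do to a packet: a standard-ACL wildcard match decides whether the source is translated at all, and a PAT table gives each permitted inside (address, port) its own port on the egress interface's public address. The /24 wildcard masks and the 1024+ port range used when a port collides are assumptions.

```python
import ipaddress

# Standard ACL NAT_VLANS from the report as (network, wildcard) pairs; /24 masks are assumed.
NAT_VLANS = [
    ("192.168.10.0", "0.0.0.255"),   # Sales
    ("192.168.20.0", "0.0.0.255"),   # HR
    ("192.168.30.0", "0.0.0.255"),   # IT and the internal server
    ("192.168.2.0", "0.0.0.255"),    # link between the firewall and SITEA fa0/0
]

# Outside interfaces of SITEA and the route-map that selects each one (addresses from the report).
OUTSIDE = {
    "FastEthernet0/1": {"route_map": "INTERNETA", "ip": "3.19.3.19"},
    "FastEthernet1/0": {"route_map": "INTERNETB", "ip": "19.3.19.3"},
}


def acl_permits(acl, ip: str) -> bool:
    """Standard ACL match: a 1 bit in the wildcard means 'don't care' for that address bit."""
    addr = int(ipaddress.IPv4Address(ip))
    for network, wildcard in acl:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
        if addr & care == int(ipaddress.IPv4Address(network)) & care:
            return True
    return False   # implicit 'deny any' at the end of every IOS access list


class PatTable:
    """Many-to-one translation: each permitted inside (ip, port) gets a unique port on the egress IP."""

    def __init__(self):
        # (inside_ip, inside_port, egress) -> (outside_ip, outside_port)
        self.entries = {}
        self.used_ports = {name: set() for name in OUTSIDE}

    def _allocate(self, egress: str, wanted: int) -> int:
        used = self.used_ports[egress]
        # IOS keeps the original source port while it is still free on the outside address and
        # otherwise picks another one; searching upward from 1024 is a simplification.
        port = wanted if wanted not in used else next(p for p in range(1024, 65536) if p not in used)
        used.add(port)
        return port

    def translate(self, inside_ip: str, inside_port: int, egress: str):
        """Return the (public_ip, public_port) the packet leaves with, or None if the ACL denies it."""
        if egress not in OUTSIDE:
            raise ValueError(f"{egress} is not an 'ip nat outside' interface")
        if not acl_permits(NAT_VLANS, inside_ip):
            return None   # no translation: the packet would leave with its private source address
        key = (inside_ip, inside_port, egress)
        if key not in self.entries:
            self.entries[key] = (OUTSIDE[egress]["ip"], self._allocate(egress, inside_port))
        return self.entries[key]


def demo():
    """Two departments sharing one public address on INTERNETA, plus a source the ACL does not cover."""
    table = PatTable()
    return [
        table.translate("192.168.10.5", 50000, "FastEthernet0/1"),   # Sales PC keeps port 50000
        table.translate("192.168.20.7", 50000, "FastEthernet0/1"),   # HR PC with the same port gets a new one
        table.translate("192.168.10.5", 50000, "FastEthernet0/1"),   # same flow reuses the existing entry
        table.translate("10.9.9.9", 80, "FastEthernet0/1"),          # not in NAT_VLANS: no translation
    ]
```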
To check whether each Internet connection line works properly, we configure IP SLA for both lines with these commands:
SITEA(config)#ip sla 1
SITEA(config-sla-monitor)#icmp-echo 19.3.19.1 source-ip 19.3.19.3
SITEA(config-sla-monitor)#timeout 2000
SITEA(config-sla-monitor)#threshold 2
SITEA(config-sla-monitor)#frequency 3
SITEA(config-sla-monitor)#exit
SITEA(config)#ip sla schedule 1 life forever start-time now
Below is the result of the IP SLA configuration for the first line:
Next, we configure IP SLA for the second Internet connection line:
SITEA(config)#ip sla 2
SITEA(config-sla-monitor)#icmp-echo 3.19.3.1 source-ip 3.19.3.19
SITEA(config-sla-monitor)#timeout 2000
SITEA(config-sla-monitor)#threshold 2
SITEA(config-sla-monitor)#frequency 3
SITEA(config-sla-monitor)#exit
SITEA(config)#ip sla schedule 2 life forever start-time now
Below is the result of the IP SLA configuration for the second line:
After configuring IP SLA for both Internet connection lines, we also configure tracked static routes for them with the commands below:
! track objects bind each default route to its IP SLA probe (required by the 'track N' keyword)
SITEA(config)#track 1 ip sla 1 reachability
SITEA(config)#track 2 ip sla 2 reachability
SITEA(config)#ip route 0.0.0.0 0.0.0.0 19.3.19.1 5 track 1
! next hop is the ISP gateway 3.19.3.1 (the address probed by IP SLA 2), not the router's own 3.19.3.19
SITEA(config)#ip route 0.0.0.0 0.0.0.0 3.19.3.1 10 track 2
Below is the result of configuring static route for both lines:
Figure 25: Static Route for Internet Connection Line
In the figure above, the line with the parameter 5 is the line that connects to INTERNETA, which is the primary and prioritized line.
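An added Python model (not from the report or from Cisco IOS) of the failover logic the IP SLA and tracked-route configuration above produces: each probe result is turned into a track state, and the active default route is the lowest-distance route whose track is up. It also shows two points a practitioner should know: a reachability track only drops when the probe gets no reply within "timeout", so the 2 ms "threshold" does not cause failover, and probing the ISP gateway cannot detect failures further upstream. The binding "track N ip sla N reachability" is assumed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SlaProbe:
    """One 'ip sla N' icmp-echo operation as configured on SITEA."""
    sla_id: int
    target: str           # icmp-echo destination: the ISP gateway of that line
    source_ip: str
    timeout_ms: int = 2000
    threshold_ms: int = 2
    frequency_s: int = 3


@dataclass(frozen=True)
class TrackedRoute:
    """'ip route 0.0.0.0 0.0.0.0 <next_hop> <distance> track <track_id>'."""
    next_hop: str
    distance: int
    track_id: int


# Values from the report; each track object is assumed to follow the IP SLA with the same number.
SLAS: List[SlaProbe] = [SlaProbe(1, "19.3.19.1", "19.3.19.3"), SlaProbe(2, "3.19.3.1", "3.19.3.19")]
ROUTES: List[TrackedRoute] = [TrackedRoute("19.3.19.1", 5, 1), TrackedRoute("3.19.3.1", 10, 2)]


def sla_reachable(probe: SlaProbe, rtt_ms: Optional[int]) -> bool:
    """Reachability of an icmp-echo probe: a reply must arrive within 'timeout'.

    'threshold' only marks the probe as over-threshold for statistics and reactions;
    a reachability track does not go down because the RTT exceeded it.
    """
    return rtt_ms is not None and rtt_ms <= probe.timeout_ms


def over_threshold(probe: SlaProbe, rtt_ms: Optional[int]) -> bool:
    """True when the probe answered but slower than 'threshold' (with 2 ms, almost always)."""
    return rtt_ms is not None and rtt_ms > probe.threshold_ms


def active_default_route(routes: List[TrackedRoute], track_up: Dict[int, bool]) -> Optional[TrackedRoute]:
    """Among tracked default routes whose track object is up, the lowest administrative distance wins."""
    candidates = [r for r in routes if track_up.get(r.track_id, False)]
    return min(candidates, key=lambda r: r.distance) if candidates else None


def evaluate(probe_results: Dict[int, Optional[int]]) -> Optional[str]:
    """Map the latest probe results {sla_id: rtt_ms or None for no reply} to the next hop in use."""
    track_up = {p.sla_id: sla_reachable(p, probe_results.get(p.sla_id)) for p in SLAS}
    route = active_default_route(ROUTES, track_up)
    return route.next_hop if route else None


def worst_case_detection_s(probe: SlaProbe) -> float:
    """Upper bound on how long a dead line stays in use: one probe interval plus the probe timeout
    (the track object's own up/down delay is not modelled)."""
    return probe.frequency_s + probe.timeout_ms / 1000
```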
3.5.5 Active Directory Domain Service on Windows Server 2016
To streamline user management, the enterprise network will implement a domain that employees can join. This server will establish policies and monitor user logon and logoff activity.
To implement AD DS on Windows Server 2016, open Server Manager and choose the Add Roles and Features tab.
Figure 26: Add Roles and Features tab
Choose Next at the Before You Begin, Installation Type and Server Selection steps. Choose Active Directory Domain Services at Server Roles.
Figure 27: Active Directory Domain Service at Server Roles
Choose Group Policy Management at Features and click Next at AD DS
Confirm and choose Install at Confirmation
After the AD DS installation finishes, we will promote this server to Domain Controller
The promotion will be implemented as:
Choose Add a new forest; Root domain name is the domain name. The domain name of this server is hcmute.local.
Set the NetBIOS domain name as HCMUTE
After the installation finishes, the server will restart and finish the Domain Controller promotion for Active Directory server
All the client computers are now joinable to the domain of the enterprise and will be managed by the server with the policies which the server creates and implements.
User accounts will be created for the employees to log on, with the password policies applied.
Figure 33: Accounts for the employees of IT and HR departments
Create accounts for Sales department also
Figure 34: Accounts for the employees of Sales department
To enhance security within the enterprise domain, we have established password policies that all users must follow. Firstly, passwords must be at least 8 characters long. Additionally, they must meet complexity requirements, such as a mix of letters, numbers and special characters, as in the example password p@ssw0rd.
Our account lockout policy locks an employee's account for 30 minutes after three unsuccessful login attempts. Once the lockout period is over, employees can reset their accounts and log in again.
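An added Python model of the two policies above (not from the report, from Windows or from ADAudit Plus): a complexity check in the style of the Windows "password must meet complexity requirements" rule and a per-account lockout counter with the report's values (3 failures, 30 minutes). The banned list is an assumed extension: it exists to show that p@ssw0rd satisfies every configured rule yet is a well-known weak password, so a length and complexity policy alone is not enough. Windows' fifth (Unicode) character class and the "reset lockout counter after" window are not modelled.

```python
import re

MIN_LENGTH = 8                 # minimum password length from the report
LOCKOUT_THRESHOLD = 3          # failed attempts before the account is locked
LOCKOUT_DURATION_S = 30 * 60   # lockout duration: 30 minutes

# Assumed extension, not on the page: a small banned list, because 'p@ssw0rd' passes every rule below.
BANNED = {"p@ssw0rd", "password", "p@ssword", "welcome1!"}


def meets_complexity(password: str, username: str = "") -> bool:
    """Windows-style complexity: at least 3 of the classes uppercase, lowercase, digit, non-alphanumeric,
    and the account name must not appear in the password (Unicode class omitted here)."""
    if len(password) < MIN_LENGTH:
        return False
    if username and username.lower() in password.lower():
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in classes if re.search(pattern, password)) >= 3


def is_acceptable(password: str, username: str = "") -> bool:
    """Configured policy plus the assumed banned list."""
    return meets_complexity(password, username) and password.lower() not in BANNED


class LockoutTracker:
    """Per-account failed-logon counter: LOCKOUT_THRESHOLD failures lock the account for LOCKOUT_DURATION_S."""

    def __init__(self):
        self.failures = {}        # user -> consecutive failures since last success or lockout
        self.locked_until = {}    # user -> time (seconds) until which the account is locked

    def attempt(self, user: str, password_ok: bool, now_s: int) -> str:
        """Return 'locked', 'failed' or 'success'; now_s is the attempt time in seconds (e.g. epoch)."""
        if self.locked_until.get(user, 0) > now_s:
            return "locked"       # a locked account cannot log on even with the right password
        if password_ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now_s + LOCKOUT_DURATION_S
            self.failures[user] = 0
            return "locked"
        return "failed"
```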
To host a local website using IIS (Internet Information Service) on Windows Server, ensure that it is accessible exclusively to users within the hcmute.local domain.
First, we need to get IIS from Add Roles and Features
Second, choose Next for all the following steps and install it before the Results step.
Figure 38: Web Server (IIS) has been installed successfully
After the installation, we must go to the IIS Manager tab in Tools to add the website
Now, we will add a local website for hcmute.local domain
● Physical path: C:\web (the path to the folder containing the website)
● IP address: 192.168.30.3 (the server's IP address)
● Host name: www.hcmute.local (every account in hcmute.local will be able to reach this website)
After adding a website, http://www.hcmute.local is now reachable from all accounts in hcmute.local
For the server to manage the employees in the enterprise, the employees' computers must join the enterprise domain, hcmute.local.
To join the domain, right-click on Computer and choose Properties.
Next, click Change Settings; Computer Name/Domain Changes will pop up. Enter the domain name of the enterprise.
Figure 43: Computer Name/Domain Changes
To authorize the computer to join in, we must use the Administrator account to give the permission
It will take a moment to join in the hcmute.local domain
Figure 45: Join hcmute.local successfully
After joining the hcmute.local domain, we can check the domain name by opening Command Prompt and typing nslookup.
Figure 46: Show the domain name successfully
3.5.8 High Availability Configuration on Firewall
The network must always have a redundant plan for the firewalls in case one of them fails or is compromised.
Figure 47: Redundant plan for firewalls.
To configure a redundant plan for the firewalls in the enterprise network, first go to the System tab, then to the HA tab, and configure the following parameters.
Configure the first Fortigate as Master
In a firewall cluster, the Device Priority parameter determines which firewall acts as the Master (Primary). The firewall with the higher Device Priority is the Master, while the one with the lower priority takes over as Master only if the primary fails. We have configured Device Priority 120 for the Master firewall.
● Heartbeat interfaces: choose the ports used for HA (port 3 and port 4 in this network). These two ports exchange packets to determine whether the devices are working properly and to synchronize configurations between members
The Management Interface Reservation feature lets you select a specific port and assign it an IP address for administrative access. In this instance we have disabled this function and use only the IP address of the Primary interface.
Configure the second Fortigate as Slave
● Device Priority: the Device Priority on the Slave must always be lower than on the Master, to ensure it stays the backup firewall
Figure 50: Back-up Firewall Configuration
3.5.9 Inter-Vlans on Fortigate Firewall
Software-based virtual interfaces are configured, each linked to a single physical Ethernet interface. Routers allow sub-interfaces to be set up, each with an independent IP address and VLAN assignment. These sub-interfaces are placed in different subnets according to their VLAN assignments.
First, we will go to tab Networks and then go to Interfaces tab and then click Create New to set sub-interfaces
Next, we will create VLAN10, VLAN20, and VLAN30 and set the required parameters for each VLAN such as:
● VLAN ID: 10, 20, 30, corresponding to VLAN10, VLAN20 and VLAN30
● Address: Set IP/Netmask for each VLAN
● Administrative Access: Set optionally for each VLAN
These 3 VLANs will be assigned to Port 4 of Fortigate Firewall.
3.5.10 Policy configuration on Fortigate Firewall
Firewall policies ensure that devices in each department can reach each other and that all devices inside the enterprise can connect to the Internet.
First, go to Policy & Objects and choose Firewall Policy and Create New
Next, so that the devices in all VLANs of all departments can reach each other and also connect to the Internet, we configure these parameters:
● Service: Services allowed in policy (choose ALL is for all services)
● Action: “Accept” allows the policy to be in use
Figure 55: Policy for Sales Dept to reach IT Dept
Next, we configure the policy for VLAN30 to reach VLAN10 (IT Dept reaches Sales Dept).
Figure 56: Policy for IT Dept reaches Sales Dept
From IT to HR department:
Figure 57: Policy for IT Dept reaches HR Dept
Next, we will set up the policy in order to let all devices in the enterprise connect to the Internet
● Incoming interface: choose VLAN10 (do the same for VLAN20,
Figure 58: Policy for PCs to connect to the Internet
The result after configuring policy for the network of the enterprise:
3.5.11 VPN Configuration (Site-to-Site)
To connect the branch device with the head office device, the enterprise network will implement a site-to-site VPN using a GRE Tunnel for configuration.
First, we create the GRE Tunnel on the SITEA router with these commands:
Router(config)#interface tunnel 0
Router(config-if)#ip address 10.0.0.1 255.255.255.0
Router(config-if)#tunnel mode gre ip
Router(config-if)#tunnel source 19.3.19.3
Router(config-if)#tunnel destination 30.4.30.4
Below is the result after configuring Tunnel0 on SITEA router:
Figure 61: GRE Tunnel on SITEA Router
Next, similarly, we create the GRE Tunnel on the SITEB router with these commands:
Router(config)#interface tunnel 0
Router(config-if)#ip address 10.0.0.2 255.255.255.0
Router(config-if)#tunnel mode gre ip
Router(config-if)#tunnel source 30.4.30.4
Router(config-if)#tunnel destination 19.3.19.3
Below is the result of Tunnel0 on SITEB router:
Figure 63: GRE Tunnel on SITEB Router
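An added Python example (not from the report or from Cisco) that builds the packet SITEB puts on the wire for the Tunnel0 configuration above: an outer IPv4 header from 30.4.30.4 to 19.3.19.3 with protocol 47, a 4-byte GRE header announcing an IPv4 payload, and the inner packet unchanged. Decapsulating and searching the outer packet for the inner payload shows the point that matters for this design: GRE encapsulates but does not encrypt, so anything crossing the two Internet lines inside the tunnel is readable unless IPsec or another encrypting layer is added. The branch PC address 172.16.30.10 is a constructed sample.

```python
import socket
import struct

GRE_PROTOCOL = 47          # IP protocol number in the outer header
ETHERTYPE_IPV4 = 0x0800    # GRE 'protocol type' for an IPv4 payload


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, protocol, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", checksum(header)) + header[12:]


def ip_addresses(packet: bytes):
    """(source, destination) of an IPv4 packet in dotted form."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def gre_encapsulate(inner_packet: bytes, tunnel_source: str, tunnel_destination: str) -> bytes:
    """'tunnel mode gre ip': outer IPv4 header (proto 47) + 4-byte GRE header + the untouched inner packet."""
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # no checksum, key or sequence number
    payload = gre_header + inner_packet
    return ipv4_header(tunnel_source, tunnel_destination, GRE_PROTOCOL, len(payload)) + payload


def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer and GRE headers; refuse anything that is not plain GRE-over-IPv4 carrying IPv4."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTOCOL:
        raise ValueError("outer packet is not GRE")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or proto_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return packet[ihl + 4:]


# Constructed inner packet: a branch PC (172.16.30.10, assumed) talking to the head-office server 192.168.30.3.
SAMPLE_PAYLOAD = b"constructed application data"
SAMPLE_INNER = ipv4_header("172.16.30.10", "192.168.30.3", 6, len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD


def siteb_to_sitea(inner: bytes = SAMPLE_INNER) -> bytes:
    """What SITEB sends towards SITEA for a packet routed into Tunnel0 (source 30.4.30.4, destination 19.3.19.3)."""
    return gre_encapsulate(inner, "30.4.30.4", "19.3.19.3")
```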
To enable PCs from the branch site to access the server and communicate with the PCs of the three departments, an Address must be created after configuring the routers on SITEA and SITEB. This Address records the branch's subnet so that policies can refer to it from the three departments. Navigate to POLICY & OBJECTS and select ADDRESS to complete this setup.
● IP/Netmask: Address from the branch
Figure 64: Parameters When Creating Address From the Branch Site
We also need to create the Address for the GRE Tunnel that is already created on SITEA and SITEB routers
● IP/Netmask: Address from the branch
Figure 65: Parameters when creating Address for GRE Tunnel
On the firewall of the head office site, we will configure it with the parameters below
● Outgoing Interface: VLAN30 (this is configured same with VLAN10 and VLAN20)
● Source: Choose SITEB and VPN (because PC from the branch will reach to the head office)
● Destination: Choose VLAN30 address (this is configured same with VLAN10 and VLAN20)
Figure 66: Policy for The Branch to Reach the Head Office
Similarly, we also need to create the policy on the firewall of the branch site for PCs from the head office site to reach
Figure 67: Policy for The Head Office to Reach the Branch
To configure the default route on the SITEB router so that it can reach the Internet, we use the command below:
Below is the result of default route configuration on SITEB router:
Figure 68: Default Route Configuration on SITEB Router
After configuring the default route on the SITEB router, we also use the NAT Overload method for the branch site.
First, we create an access list that permits the branch subnet to be translated, with the commands below:
! named standard ACL; the 0.0.0.255 wildcard mask is assumed from a /24 branch subnet
SITEB(config)#ip access-list standard NAT_VLANS
SITEB(config-std-nacl)#permit 172.16.30.0 0.0.0.255
SITEB(config-std-nacl)#exit
Below is the result of creating an access list on SITEB router:
Figure 69: NAT_VLANS Access List
Next, we bind the access list to the outside interface of the branch site with the command below:
SITEB(config)#ip nat inside source list NAT_VLANS interface fa0/1 overload
Below is the result of configuring the connection to the outside port:
Figure 70: Connection to the outside port
To mark the interface facing the branch LAN as the NAT inside interface, we use the commands below (the report does not show the name of the LAN-facing interface, so it is given as a placeholder):
SITEB(config)# interface <LAN-facing interface>
SITEB(config-if)# ip nat inside
SITEB(config-if)# duplex full
Below is the result of NAT Inside configuration on SITEB router:
Figure 71: NAT Inside on SITEB Router
To mark the interface that connects to the outside (fa0/1, the interface used for overload above) as the NAT outside interface, we use the commands below:
SITEB(config)# interface fa0/1
SITEB(config-if)# ip nat outside
SITEB(config-if)# duplex full
Below is the result of NAT Outside configuration on SITEB router:
Figure 72: NAT Outside on SITEB Router
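The following is an added example, not part of the original report, that models what the access list and NAT overload configuration above do: a standard-ACL wildcard match decides which inside sources are translated, and every permitted flow is rewritten to the single address of fa0/1 with a unique port. The public address of fa0/1 is an assumed placeholder, since the report does not show it.

```python
import ipaddress
from itertools import count

# Values from the report: branch LAN 172.16.30.0/24 behind SITEB, outside
# interface fa0/1. The public address of fa0/1 is an assumed placeholder
# (documentation range), since the report does not show it.
BRANCH_LAN = "172.16.30.0"
OUTSIDE_IP = "203.0.113.2"

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def acl_permits(acl, src):
    """Standard ACL match: each entry is (network, wildcard). A wildcard bit of 1
    means 'do not compare'. Unmatched traffic hits the implicit deny, as in IOS."""
    s = _ip(src)
    for net, wildcard in acl:
        care = ~_ip(wildcard) & 0xFFFFFFFF
        if (s & care) == (_ip(net) & care):
            return True
    return False

class PatTable:
    """NAT overload: every permitted inside flow is rewritten to OUTSIDE_IP and
    told apart by a unique translated source port."""
    def __init__(self, acl, outside_ip):
        self.acl, self.outside_ip = acl, outside_ip
        self.next_port = count(1024)
        self.table = {}  # (inside_ip, inside_port) -> (outside_ip, outside_port)

    def translate(self, src_ip, src_port):
        # Traffic the ACL does not permit is never translated: it leaves with its
        # private source address and cannot receive a reply from the Internet.
        if not acl_permits(self.acl, src_ip):
            return None
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = (self.outside_ip, next(self.next_port))
        return self.table[key]

# "permit 172.16.30.0" with no wildcard is a host entry: only that one address matches.
ACL_HOST_ONLY = [(BRANCH_LAN, "0.0.0.0")]
# "permit 172.16.30.0 0.0.0.255" matches every host in the branch VLAN.
ACL_SUBNET = [(BRANCH_LAN, "0.0.0.255")]

if __name__ == "__main__":
    for name, acl in (("host-only", ACL_HOST_ONLY), ("subnet", ACL_SUBNET)):
        pat = PatTable(acl, OUTSIDE_IP)
        print(name, pat.translate("172.16.30.2", 40000), pat.translate("172.16.30.3", 40000))
```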
3.5.12 Static Route Configuration on Fortigate Firewall
To enable Internet connectivity for PCs at the head office and facilitate communication with branch site PCs, it is essential to configure a static route on the firewall.
First, go to Static Routes in the Network tab and click Create New to configure the static route.
Next, configure the static route for PCs in the head office to reach the Internet and the PCs in the branch site.
● Gateway Address: Next hop address
Figure 74: Static Route Configuration for PCs in the Head Office Site
Finally, configure the static route for PCs in the branch site to reach the PCs in the head office site.
● Destination: Destination address (do the same for VLAN10 and VLAN20)
● Gateway Address: Next hop address
Figure 75: Static Route Configuration for PCs in the Branch Site
RESULTS
LAN SERVICE RESULTS
4.1.1 Test the connection between PCs from departments and the internal server
Besides guaranteeing Internet connectivity inside the enterprise, it is also important to ensure connectivity between the department PCs and the server.
First, we use the PC from the Sales department to reach the server, which has the address 192.168.30.3, with the command ‘ping 192.168.30.3’. Below is the result:
Figure 76: Sales’ PC Connected to the Server
Next, we use the PC from the HR department to reach the server, which has the address 192.168.30.3, with the command ‘ping 192.168.30.3’. Below is the result:
Figure 77: HR’s PC Connected to the Server
Finally, we use the server to ping back to the PCs in the departments.
Figure 78: The Server Connected to PCs
The network has been successful in ensuring that PCs can reach the server and vice versa.
4.1.2 Test the domain of the enterprise and its policy
After joining the enterprise domain, all user accounts must follow the policies that the server has implemented.
Figure 79: User after Joining hcmute.local Domain
According to the password policy we have set, a user is locked out for 30 minutes after three failed log-on attempts.
Figure 80: Account Has Been Locked out
As a result, we can see that the server manages user accounts as intended.
4.1.3 Test local website of the enterprise
The enterprise has a local website that every user in the HCMUTE domain can look up. Users can type http://www.hcmute.local to reach the local website.
Figure 81: Local Website of the Enterprise
The server has successfully hosted a local website within the HCMUTE domain, allowing PCs from three different departments to access it.
4.1.4 Test the redundant plan of the firewalls
To ensure that the network still works normally when a firewall is under attack, we test high availability by turning off the primary firewall.
Figure 82: First Firewall Turned off
The backup firewall continues to function as the primary firewall, with all activities, including firewall policies, being synchronized to the backup system.
Figure 83: All the Policies Have Been Synced
4.2.1 Test the Internet connection of the network
To test that computers from all departments can connect to the Internet, we use the PCs and the server of the enterprise.
We first use the PC from the Sales department to reach the Internet by running the ping 8.8.8.8 command.
Figure 84: Sales’ PC pinged 8.8.8.8 successfully
Next, we use the PC from the HR department to run the ping 8.8.8.8 command.
Figure 85: HR’s PC pinged 8.8.8.8 successfully
Finally, to make sure that PCs can browse the Internet, we try to open Youtube.com.
Figure 86: PCs used the Internet successfully
4.2.2 Test VPN site-to-site between PCs in SITE-A and PC SITE-
We test a site-to-site VPN for the enterprise to support the director's plans for opening additional branches. This setup enables PCs at the branch locations to connect with PCs at the head office, including those in the three departments, and to communicate with the server, and vice versa.
First, start testing the connection between the PC in the head office site and the
To verify connectivity between the Sales department's PC, which uses the IP address 192.168.10.1, and the branch site's PC with the IP address 172.16.30.2, we use the ping command. By executing "ping 172.16.30.2" from the Sales PC and "ping 192.168.10.2" from the branch site PC, we can verify the connectivity between the two locations.
● Test the connection between the PC in the head office site and the PC in the branch site
Figure 87: The PC in the head office site reached the PC in the branch site
● Test the connection between the PC in the branch site and the PC in the head office site
Figure 88: The PC in the branch site reached the PC in the head office site
To ensure effective data exchange between branch site PCs and the head office server, it is crucial to test the connection between them. This involves using the ping command to verify connectivity, where the branch site's PC with the IP address 172.16.30.2 attempts to reach the head office server at IP address 192.168.30.3.
PC in the branch site, and ping 172.16.30.2 command for the server
● Test the connection between the server and the PC in the branch site
Figure 89: The server reached the PC in the branch site
● Test the connection between the PC in the branch site and the server
Figure 90: The PC in the branch site reached the server
4.2.3 Manage and monitor users by ADAuditPlus
To ensure the enterprise network is operational, we have verified the key connections: the Internet link, the VLAN connections to the server, and the site-to-site VPN. We then use the ADAuditPlus program to monitor and administer users on the Windows server. When the program is accessed at the address localhost:8081, it displays information on the employees' activity.
Figure 91: Dashboard of Employee’s Activities
The server effectively manages user activity across departments, identifying accounts that have been locked due to repeated login failures, as well as tracking accounts that have been created, modified, or removed.
ADAuditPlus software offers administrators daily user activity reports, highlighting key events such as account lockouts and password changes, including details like a single account being locked on December 7, 2022.
Figure 92: Lockout and Change Password Activities
The ADAuditPlus software shows exactly the name of the user, the time, and the address of the department from which the user failed to log on.
All activities on the server are also recorded, such as changing policies, creating new accounts or modifying accounts.
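As an added example (not part of the report or of ADAuditPlus), the following script shows the kind of processing behind the lockout report described above: it reads constructed Windows Security event lines (4625 failed logon, 4740 account locked out), lists who was locked out, when and from which workstation, and flags accounts whose failed logons reached the report's threshold of three within the 30-minute window. The usernames, workstation names, addresses and times are made up; the date and the lockout policy values come from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the form "timestamp,event_id,user,workstation,ip".
# Users, hosts and addresses are made up; the date and the policy values
# (3 failures, 30-minute lockout) are the ones stated in the report.
SAMPLE_LOG = """\
2022-12-07 08:01:10,4625,sales01,SALES-PC,192.168.10.2
2022-12-07 08:01:25,4625,sales01,SALES-PC,192.168.10.2
2022-12-07 08:01:40,4625,sales01,SALES-PC,192.168.10.2
2022-12-07 08:01:41,4740,sales01,SALES-PC,192.168.10.2
2022-12-07 08:05:00,4625,hr02,HR-PC,192.168.20.2
2022-12-07 09:10:00,4625,hr02,HR-PC,192.168.20.2
"""

LOCKOUT_THRESHOLD = 3                    # failed logons before the account is locked
OBSERVATION_WINDOW = timedelta(minutes=30)

def parse_events(text):
    """Turn the constructed log lines into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, host, ip = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "user": user, "host": host, "ip": ip})
    return events

def lockouts(events):
    """Account lockouts (event 4740): user, time and the workstation it came from,
    which is the information the report's lockout view presents."""
    return [(e["user"], e["time"].isoformat(sep=" "), e["host"], e["ip"])
            for e in events if e["id"] == 4740]

def failed_logon_bursts(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Users whose failed logons (event 4625) reached the threshold inside the
    observation window, i.e. the accounts the lockout policy will (or did) lock."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4625:
            per_user[e["user"]].append(e["time"])
    hits = {}
    for user, times in per_user.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[user] = times[i + threshold - 1].isoformat(sep=" ")
                break
    return hits

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("locked out:", lockouts(evts))
    print("bursts:", failed_logon_bursts(evts))
```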
CONCLUSIONS AND FUTURE WORK
CONCLUSIONS
After finishing the project of “Design of a network for standard and small-sized enterprises”, we can draw the conclusions as below:
● ADAudit Plus monitors the network by tracking employee log-on and log-off events, documenting server policy changes, and providing alerts for any significant activities.
● PCs from three departments can reach the server and also the local website of the enterprise
● The redundant plan for the firewalls works properly when one of the two firewalls is down
● The two Internet connection lines work stably
● The interfaces of EVE-NG, Fortigate Firewall and ADAudit Plus are easy to use.
FUTURE WORK
In addition to setting up essential functions like static routing and policies for PCs, it's crucial to implement configurations on the Fortigate Firewall to block harmful external services and regulate access to certain services in alignment with the enterprise's development policy.
On ADAudit Plus, more functions can be implemented, such as tracking actions that affect files and tracking which websites employees browse.