Reference no: EM131073379
Subject - System and network administration
Project Requirements
Overview
You are required to setup and install a small network and set of servers to support a small company which operates a tomato packing plant. The plant operates in a small regional town and has 10 permanent employees and around 25 part-time and casual employees.
The company requires a forward facing (connected to the Internet) Web Server that is located onsite in the main office. The National Broadband Network has just been enabled in the area so a high speed Internet connection is now available.
An existing file server, TommyToe, used by the permanent employees to store various documents, spreadsheets, databases, etc., will need to be integrated into the new network. TommyToe runs Microsoft Windows Server as the operating system and is backed up daily via an attached high speed tape drive with suitable software. All new servers should mount a shared space on TommyToe to save backups to. These will then form part of the backup process already operating on the TommyToe server.
The Network
Summary
A single internal network is to be created using DHCP for all networked device configuration. All servers (including TommyToe) should be allocated a fixed IP address by the DHCP server and have a fixed server name (server names are provided below). All other client hosts should be allocated an IP address from a range of IP addresses.
The internal network should be protected using a single gateway/firewall server.
The Servers
General
To provide simple, robust and secure systems throughout the company the following standards and recommendations have been agreed to and must be adhered to, for all systems:
* all servers will be Ubuntu based (excluding TommyToe)
* lighttpd will be used for all web servers
* MySQL will be used for all new databases where possible
* Samba is used for all internal file sharing requirements
* all new systems must be hardened and scanned for security issues prior to being made available for use
* an intrusion detection and prevention systems (IDPS) must be running at all times
* appropriate password aging must be implemented on all servers
DHCP Server [Cherry]
A small, secure, dedicated server should be created that provides automatic server and client network configuration using DHCP. Only support staff will have access to this server. DHCP configuration must be backed up regularly and a simple recovery procedure must be developed in the event of server failure.
It is suggested that one of the other servers be setup as a manual failover DHCP server with changeover details listed in the recovery procedure.
All servers should have permanent IP addresses assigned to them from the DHCP server, based on MAC addresses. The internal network IP address range to be used is 192.168.33.0/24.
Web Server [BigBeef]
The Web Server offers an overview of the organisation and provides potential casual staff with all necessary details to apply for a position within the company.
The Web content is handled by an external web developer. The only requirements are that lighttpd and php5 be available on the server and that the server be very secure. Only support staff and the web developer should have access to the Web Server itself.
File Server [TommyToe]
The existing Microsoft Windows Server with MAC address: 08-00-27-00-CC-77.
Client machines vary on the internal network - they are a mix of Windows, Mac OS and Linux, however all will access the File Server using Samba shares. All client machines will receive network configuration from the DHCP server.
All of the organisations servers and data should be backed up to the central File Server over the network. All backup procedures must be scripted, well documented and limited to a backup group of staff members. The File Server will hold the most recent backups of all systems, data and files, on disk, to allow for fast retrieval/restore of data, files and systems. All long term backups will be removed from the server once they have been written to tape by third party backup software and stored offsite.
Server backup scripts must generate a text file list of all files that were backed up, including timestamp and ownership details, which should be stored with the backup file (use the same name but with a different extension).
Third party backup software is installed on the File Server that automates the process of writing backups to a tape backup system (assume it just works). It simply requires that all backups be named appropriately and placed into a single directory, \\TommyToe\backup, on the server. Retrieval of long term backup file sets is simply a matter of typing the backup file set name into the third party software and it will prompt for the required tape to be inserted and restore the file set to the \\TommyToe\restore directory on the File Server.
Gateway/Firewall [Roma]
A hardened Gateway/Firewall should be placed between the internal network and the Internet. At this time there are no restrictions on staff access to external networks. External access should be limited to the organisations Web Server and support staff SSH access to maintain systems.
IDPS [BlackRussian]
A suitable server for detecting, reporting and preventing all suspicious activity on the network, should be installed and configured.
Email
The organisation finds it much easier to use Gmail for all of its Email requirements. So no internal Email server is required. However, all server 'alerts' should be sent to a generic support email address (use your own for this).
The document must include the following:
a) Installation and configuration details of all servers.
b) Backup and recovery procedures to allow staff to perform backup and recovery of all servers.
c) Failover procedures in the event of failure of the DHCP server.
d) Details of the network configuration. This should include a table of servers with MAC addresses, allocated IP addresses, client IP address ranges and a well labelled diagram of the entire network.
e) Details of general procedures and actions required to be taken in the event of an attempted attack/security breach.
f) Details of general procedures and actions to be taken in the event of a significant security breach occurring e.g. unauthorised access to the Web Server.
g) Details of how support staff gain access to internal systems from outside of the network.
h) Details on how all servers have been hardened against security attacks.
i) Details of system/security alerts - what/where alerts are generated and where they are sent.
j) Details of the password aging implementation.
Tips:
i. Keep notes on each server as you progress. You can use these to provide the required details listed above.
ii. Backup notes and configuration files regularly - loss of these due to hardware or software failure will not be accepted as a reason for problems with submitting the project.
iii. Do not repeat yourself e.g. if you list details for a base server installation, which is used by most/all servers, only do that once. Do not include details about VirtualBox installation or configuration - we are only interested in the servers and network details.
2. Submit the following configuration files and scripts:
a) All backup scripts which must be well documented and clearly referred to in the TommatoPlant.docx document. Sample backup script output for each server named as $SN.BackupOutput.txt, where $SN is the server name. Include a backup.readme.txt file that summarises the files you have submitted.
b) iptables rules used on the gateway/firewall - submit as a well-documented script. Ensure it is named appropriately.
c) /etc/passwd, /etc/group and /etc/sudoers (or sudoers.d) files for all servers. Name them as follows, substituting the server name for $SN:
$SN.passwd e.g. Roma.passwd
$SN.group e.g. BigBeef.group
$SN.sudoers e.g. Cherry.sudoers or Cherry.sudoers.d.xxx
3. Summarise results of security scans performed on each server. Submit as a single Word document named SecurityScans.docx.
4. The hard disk on the Web Server has failed. Rebuild the entire server using your recovery procedures in 1 (b). Provide full details of the process including details of where your recovery procedures failed or can be improved.
You must provide 'proof' that you have rebuilt your Web Server with screen shots of the recovery process where appropriate. Include relevant sections of the /var/log/auth.log file showing the relevant commands being performed using sudo. These must be full entries including date/time stamps etc.
5. The idea to move the main web server offsite has been raised - moving it into the 'cloud'. Write an overview of the requirements to do this. List three providers including: Amazon ec2 (Amazon Elastic Compute Cloud), linode (Linode Cloud) and one of your choosing. Highlight associated costs/savings/pros/cons for doing this.