Industry Capstone Project

Project Description:
GreenLeaf Technologies Inc., a technology company focused on sustainable energy
solutions, is planning to expand its workforce from 165 to 300 employees across its three
locations. The company has recently secured a significant investment and will be moving to
larger offices to accommodate the growth. As a newly hired network engineer, your task is to
design and implement a new network infrastructure that supports this expansion while
maintaining a secure and efficient environment.
Course Objectives:
● Define the need for network security
● Design a hybrid network model
● Identify weaknesses and strengths of the network design
● Set up a prototype network for the network design
● Perform penetration testing and monitoring of the network
To achieve these objectives, you must complete the following mandatory
tasks:
1. Define the need for network security by identifying potential risks, threats, and
consequences of security breaches or network downtime.
2. Design a hybrid network model that leverages both on-premises and cloud-based
resources to meet the company’s requirements for scalability, flexibility, and cost-
efficiency.
3. Identify weaknesses and strengths of the network design through a comprehensive
analysis, considering factors such as security, performance, manageability, and cost.
4. Set up a prototype network based on the proposed design, and assess its feasibility,
performance, and security in a controlled environment.
5. Perform penetration testing and vulnerability assessments on the prototype network
to identify potential security flaws and validate the effectiveness of the security
measures in place.
6. Assess the existing network, and improve the design and security by addressing
identified issues and vulnerabilities.
7. Recommend appropriate network equipment devices needed to support the new
network design, including the required number of each device.
8. Create detailed network diagrams of the new design, illustrating the layout of
devices, connections, and network segments, as well as the overall topology.
9. Compare the new network design with the existing network, and demonstrate how
the new design addresses the identified issues and improves upon the existing
infrastructure in terms of security, performance, manageability, and scalability.
10. Implement continuous monitoring of the network to detect potential security incidents,
unauthorized access, or performance issues, and develop procedures for incident
response and remediation.
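Task 10 calls for monitoring that turns device logs into alerts. As an added example that is not part of this brief, the Python below runs two such detections over constructed syslog lines in the RFC 3164 layout a central log server (the Week 7 syslog server) would receive: a sliding-window count of failed SSH logins per source address against the firewall, and a DHCP lease granted to a MAC address that is not in the corporate asset inventory (the unauthorized-device problem noted in the existing network). Host names, addresses, the inventory, the year used for timestamps and the thresholds are assumptions.

```python
"""Added example for mandatory task 10: detection logic run over constructed
syslog lines (RFC 3164 layout) as a central log server would receive them.
Not part of the original brief; host names, the asset inventory, the year and
the thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: sshd on the SF firewall and ISC dhcpd on the DHCP server.
SAMPLE_LOGS = """\
Mar  5 10:00:01 fw-sf sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar  5 10:00:03 fw-sf sshd[1201]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar  5 10:00:04 fw-sf sshd[1201]: Failed password for invalid user root from 203.0.113.7 port 51024 ssh2
Mar  5 10:00:06 fw-sf sshd[1201]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar  5 10:00:08 fw-sf sshd[1201]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Mar  5 10:01:15 fw-sf sshd[1202]: Accepted publickey for netops from 10.10.4.10 port 40222 ssh2
Mar  5 10:02:10 dhcp-sf dhcpd: DHCPACK on 10.10.1.55 to 3c:52:82:aa:bb:01 (sf-rd-laptop-07) via eth0
Mar  5 10:02:40 dhcp-sf dhcpd: DHCPACK on 10.10.1.56 to de:ad:be:ef:00:01 (android-9f2c) via eth0
Mar  5 10:30:00 fw-sf sshd[1203]: Failed password for admin from 198.51.100.9 port 33001 ssh2
"""

# Assumed asset inventory of corporate MAC addresses (in practice fed from the
# CMDB or the 802.1X/NAC system, not hard-coded).
KNOWN_MACS = {"3c:52:82:aa:bb:01", "3c:52:82:aa:bb:02"}

# sshd lines carry "sshd[pid]:", dhcpd lines "dhcpd:"; both fit this pattern.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:\s]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<name>[^)]*)\))?")

BRUTE_FORCE_THRESHOLD = 5                  # failures from one source address ...
BRUTE_FORCE_WINDOW = timedelta(minutes=1)  # ... within this window raise one alert
ASSUMED_YEAR = 2024                        # RFC 3164 timestamps carry no year


def parse_line(line):
    """Split one syslog line into (timestamp, host, process, message), or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["proc"], m["msg"]


def detect(lines):
    """Return a list of alerts: SSH brute force per source address (sliding
    window) and DHCP leases handed to devices absent from the inventory."""
    alerts = []
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, proc, msg = parsed
        if proc.startswith("sshd"):
            m = FAILED_RE.search(msg)
            if not m:
                continue
            window = failures[m["src"]]
            window.append(ts)
            while ts - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()
            # Fire exactly when the threshold is crossed; further failures in the
            # same burst do not repeat the alert until the window has rolled over.
            if len(window) == BRUTE_FORCE_THRESHOLD:
                alerts.append({"type": "ssh_brute_force", "host": host, "src": m["src"],
                               "count": len(window), "at": ts.isoformat()})
        elif proc == "dhcpd":
            m = DHCPACK_RE.search(msg)
            if m and m["mac"] not in KNOWN_MACS:
                alerts.append({"type": "unknown_device", "host": host, "mac": m["mac"],
                               "ip": m["ip"], "name": m["name"] or "", "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the sample the script raises two alerts: the fifth failure from 203.0.113.7 within a minute, and the lease to de:ad:be:ef:00:01, which is not in the inventory. The single failure from 198.51.100.9 stays below the threshold, which is the point of keeping a per-source window rather than alerting on every failed login.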
Additionally, you must select at least two optional tasks from the list provided to further
enhance your network design and align it with the company’s specific needs and goals.
By completing the mandatory tasks and selecting at least two optional tasks, you will be able
to achieve the course objectives while gaining valuable hands-on experience in network
design, implementation, and security.
Optional tasks you can choose from include:
1. Implement network segmentation and VLANs to improve security and reduce
broadcast traffic.
2. Develop a comprehensive backup and disaster recovery plan.
3. Incorporate firewall policies and network access control mechanisms to protect
internal resources.
4. Design a scalable network infrastructure to accommodate future growth and
technology advancements.
5. Implement quality of service (QoS) policies to prioritize critical network traffic.
6. Monitor and optimize network performance and troubleshoot issues as they arise.
7. Ensure network devices are updated regularly and use the latest security patches.
8. Develop a network security policy and provide training to employees on security best
practices.
9. Implement a centralized network management and monitoring solution.
10. Design a secure remote access solution for employees working remotely.
Scenario
GreenLeaf Technologies Inc. is an innovative green startup technology company focused on
developing sustainable energy solutions for residential and commercial clients. Founded in
2015, the company is headquartered in San Francisco (SF), California, with additional
offices in New York City (NY) and Houston (HO), Texas.
Departments and number of employees:
SF:
Research & Development (R&D) – 20 employees
Sales & Marketing – 30 employees
Operations – 30 employees
IT & Support – 20 employees
Human Resources – 10 employees
Finance & Accounting – 15 employees
NY:
Operations – 10 employees
HO:
R&D – 20 employees
Remote Users:
Sales – 10 employees
Existing Network Details:
Servers:
2x File servers (Windows Server 2016)
1x Web server (Linux, Apache)
1x Domain Controller (Windows Server 2008)
1x DHCP server (Windows Server 2016)
1x DNS server (Windows Server 2016)
1x Email server (Windows Server 2016, Exchange)
Workstations:
130x Windows 10 desktop computers
30x macOS laptops
10x Linux desktop computers
Network Equipment:
3x Firewalls (one low-end model per location, each from a different vendor; see
Network Equipment Models below)
6x Switches (SF: three consumer-grade unmanaged switches; NY and HO: three low-end
managed switches; no VLANs configured anywhere)
4x Wireless Access Points (three consumer-grade, one low-end; none with enterprise
features)
Wireless Devices:
40x smartphones (iOS and Android)
25x tablets (iOS and Android)
Operating Systems:
Windows Server 2016 (for servers, except the Domain Controller, which still runs
Windows Server 2008)
Windows 10 (for desktops)
macOS (for laptops)
Linux (for desktops and the web server)
Current Network Design:
All servers are on the same subnet, without proper segmentation from each other or
from user workstations.
No VLANs implemented, so each site is a single broadcast domain with unnecessary
broadcast traffic.
No redundancy or failover mechanisms in place for critical services (the single
Domain Controller, DHCP, DNS, email).
Outdated server operating systems and unpatched software: the Domain Controller
runs Windows Server 2008, which left extended support in January 2020 and no
longer receives security updates, exposing the network to known vulnerabilities
that cannot be patched.
Lack of proper network access controls (no 802.1X or port security at the access
layer), allowing unauthorized devices to connect to the network.
Insufficient firewall policies, exposing internal resources to the internet.
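The last finding, internal resources exposed to the internet, is what the external penetration test in task 5 must confirm before and after the new firewall policies are in place. As an added example that is not part of this brief, the Python below compares a port scan taken from outside against an intended exposure policy and reports every reachable service the policy does not allow, plus any allowed service the scan could not reach. The policy, the public addresses and the scan lines, written in the grepable (-oG) layout nmap produces, are constructed assumptions.

```python
"""Added example for the exposure finding above and for mandatory task 5:
compare an external port scan of the prototype with the intended firewall
exposure policy. Not part of the original brief; the policy, the public
addresses and the scan lines are constructed assumptions."""
import re

# Assumed policy: only the DMZ web server (Linux/Apache) may be reachable from
# the internet, and only on HTTP/HTTPS. Any other address must expose nothing.
EXPOSURE_POLICY = {
    "203.0.113.10": {("tcp", 80), ("tcp", 443)},
}

# Constructed scan result in the grepable (-oG) line layout nmap produces:
# each port entry is port/state/protocol/owner/service/rpc-info/version.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG - 203.0.113.10-12
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (65532)
Host: 203.0.113.11 ()\tPorts: 25/open/tcp//smtp///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65532)
Host: 203.0.113.12 ()\tPorts: 443/closed/tcp//https///\tIgnored State: filtered (65534)
# Nmap done: 3 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \([^)]*\)\tPorts: (?P<ports>[^\t]*)")


def parse_open_ports(scan_text):
    """Map each scanned address to the set of (protocol, port) found open."""
    result = {}
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        open_ports = set()
        for entry in m["ports"].split(", "):
            fields = entry.split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":          # closed/filtered are not exposure
                open_ports.add((proto, int(port)))
        result[m["ip"]] = open_ports
    return result


def check_exposure(scan_text, policy):
    """Return {ip: {"unexpected": [...], "missing": [...]}}. "unexpected" are
    open services the policy does not allow (a firewall gap); "missing" are
    allowed services the scan could not reach (a firewall or service
    misconfiguration to follow up). Hosts that match the policy are omitted."""
    findings = {}
    for ip, open_ports in parse_open_ports(scan_text).items():
        allowed = policy.get(ip, set())
        unexpected = sorted(open_ports - allowed)
        missing = sorted(allowed - open_ports)
        if unexpected or missing:
            findings[ip] = {"unexpected": unexpected, "missing": missing}
    return findings


if __name__ == "__main__":
    for ip, finding in check_exposure(SCAN_OUTPUT, EXPOSURE_POLICY).items():
        print(ip, finding)
```

On the sample, 203.0.113.10 exposes SSH on top of the allowed web ports, and 203.0.113.11 exposes SMTP, SMB and RDP with no policy entry at all; 203.0.113.12 produces no finding because its only listed port is closed. Rerunning the same check after the new firewall rules are deployed gives the "before and after" comparison task 9 asks for.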
Network Design
Internet Connection and Firewalls:
Each location (SF, NY, and HO) has its own ISP connection and a single low-end
firewall (a different vendor at each site), which also acts as the site's router.
Firewall_SF terminates the ISP link, the IPsec VPN tunnel to NY, and the WAN
connection to HO; SF is therefore the hub, and NY and HO can only reach each other
through SF.
Firewall_NY terminates the ISP link and the VPN tunnel to SF.
Firewall_HO terminates the ISP link and the WAN connection to SF.
Switches:
SF: Firewall_SF connects to Switch A, which further connects to Switches B and C.
NY: Firewall_NY connects to Switch D.
HO: Firewall_HO connects to Switch E, which further connects to Switch F.
Servers (All in SF, on the same subnet, without proper segmentation):
All servers are connected to Switch A.
Wireless Access Points:
SF: Two Wireless Access Points are connected to Switch B, providing coverage for the SF
office.
NY: One Wireless Access Point is connected to Switch D, providing coverage for the NY
office.
HO: One Wireless Access Point is connected to Switch E, providing coverage for the HO
office.
Workstations:
SF: Workstations are connected to Switches B and C.
NY: Workstations are connected to Switch D.
HO: Workstations are connected to Switches E and F.
Inter-Office Connectivity:
An IPsec VPN tunnel connects the SF and NY offices, established between Firewall_SF and
Firewall_NY.
A WAN connection links the SF and HO offices, established between Firewall_SF and
Firewall_HO.
Network Equipment Models
Firewalls:
SF Firewall (Firewall_SF) – Netgear ProSafe FVS318G
NY Firewall (Firewall_NY) – ZyXEL USG20-VPN
HO Firewall (Firewall_HO) – Cisco ASA 5506-X
Switches:
Switch A (SF) – TP-Link TL-SG1024D – 24 ports (Consumer-grade)
Switch B (SF) – D-Link DGS-1024D – 24 ports (Consumer-grade)
Switch C (SF) – Netgear GS324 – 24 ports (Consumer-grade)
Switch D (NY) – Cisco Catalyst 2960-L Series (WS-C2960L-24TS-LL) – 24 ports (Low-end
enterprise)
Switch E (HO) – HP OfficeConnect 1920S (JL381A) – 24 ports (Low-end enterprise)
Switch F (HO) – Ubiquiti UniFi Switch 24 (US-24) – 24 ports (Low-end enterprise)
Wireless Access Points:
SF Wireless Access Point 1 – TP-Link TL-WA901N Wireless-N Access Point (Consumer-
grade)
SF Wireless Access Point 2 – ASUS RT-N12 Wireless-N300 Router/Access Point
(Consumer-grade)
NY Wireless Access Point – Netgear WAC104 Wireless-AC1200 Access Point (Consumer-
grade)
HO Wireless Access Point – Linksys LAPN600 Wireless-N600 Access Point (Low-end
enterprise)
GreenLeaf Technologies Inc. has recently received a $40 million investment from an angel
investor. The CEO plans to grow the company from 165 employees to 300 and relocate to
larger offices to support the expansion. The employee allocation for the three company
locations, based on departments, is as follows:
San Francisco (SF):
Research & Development (R&D): 40 employees
Sales & Marketing: 50 employees
Operations: 40 employees
IT & Support: 30 employees
Human Resources: 15 employees
Finance & Accounting: 25 employees
New York City (NY):
Operations: 20 employees
Sales & Marketing: 20 employees
Houston (HO):
R&D: 35 employees
Operations: 20 employees
Sales & Marketing: 15 employees
As a network engineer, you have been hired to design a new network for GreenLeaf
Technologies that supports the growth of the company in the new offices. The ten
mandatory tasks, and the ten optional tasks of which you must select at least two,
are those listed under Project Description above.
Upon completion of the project, you are expected to present a detailed report about your
findings and recommendations, showcasing how your new network design meets the
company’s growth plans while maintaining a secure and efficient environment.
This report should cover the mandatory tasks you completed and the optional tasks you
selected, as well as the rationale behind your choices. Your supporting documentation may
include, but is not limited to, the following:
1. Network Diagrams: Visual representations of your proposed network layout,
connections, and topology.
2. Equipment Lists: Detailed lists of network devices, their models, and quantities
required for the new design.
3. Risk Assessment: An analysis of potential security risks, their likelihood, and
potential impact on the network.
4. System Analysis: A thorough examination of the existing network infrastructure and
its shortcomings.
5. Network Design: The new network design, including the improvements and
optimizations made to address the identified issues.
6. Wiki: A collaborative documentation platform that includes relevant information about
the project, such as guides, policies, and procedures.
7. Deployment: A plan for rolling out the new network infrastructure, including timelines,
resources, and personnel.
8. Documentation: Manuals, guides, and reference materials for users and
administrators.
9. Technical Adherence Report: An evaluation of the proposed network design’s
adherence to industry standards and best practices.
10. Maintenance Plan: A schedule and strategy for ongoing network maintenance,
including updates, patches, and hardware replacements.
11. Research Report: A summary of the research conducted during the project, such as
studying new technologies, security trends, and industry best practices.
12. Penetration Testing Report: Results and analysis from penetration testing performed
on the prototype network.
13. Vulnerability Assessment and Remediation Report: A detailed account of
vulnerabilities discovered during the assessment and the steps taken to address
them.
While not all these components may be included in your final report, you should aim to
provide a comprehensive and well-documented proposal that supports your network design
and addresses the course objectives.
Standards
When designing the new network, students should adhere to industry standards and best
practices to ensure a secure, efficient, and reliable network infrastructure. Some of the
relevant industry standards for LAN, WAN, and Wireless networks include:
IEEE Standards:
• IEEE 802.3: Ethernet (LAN)
• IEEE 802.1Q: VLAN
• IEEE 802.11: Wireless LAN (WLAN)
• IEEE 802.1X: Network Access Control
Internet Engineering Task Force (IETF) RFCs:
• RFC 1918: Private IP Addressing
• RFC 2131: Dynamic Host Configuration Protocol (DHCP)
• RFC 1034 & RFC 1035: Domain Name System (DNS)
• RFC 791, RFC 792, and RFC 793: Internet Protocol Suite
Security Standards and Frameworks:
• NIST Cybersecurity Framework
• ISO/IEC 27001: Information Security Management System (ISMS)
• PCI DSS: Payment Card Industry Data Security Standard
When building their new network, students should take these standards and best practices
into account, ensuring that their design complies with the relevant guidelines and provides a
secure, efficient, and reliable infrastructure to support the organization’s growth plans.
Network Port Requirements
1. 802.3i, 802.3u and 802.3ab: All edge nodes must support 10BASE-T, 100BASE-TX
and 1000BASE-T Ethernet. This means the network should use RJ-45 connectors and
twisted-pair cabling (Cat5e at minimum; Cat6 for new installations), and edge
ports must auto-negotiate 10 Mbps, 100 Mbps and 1 Gbps.
2. 1000BASE-T and 10GBASE-T (802.3ab and 802.3an): The core server nodes in the
data centre must support 1 Gbps and 10 Gbps Ethernet over RJ-45. Note that
10GBASE-T is only rated for the full 100 m over Cat6a; Cat6 carries it over
roughly 55 m or less, so data-centre cabling must be specified accordingly.
3. Modular connectors: To allow the greatest flexibility between the edge and the
core, both edge and core devices must provide modular transceiver slots (SFP for
gigabit, SFP+ for 10 Gigabit) that accept fiber modules (LC, and SC or ST where
existing fiber plant uses them) as well as RJ-45 copper modules.
4. Ethernet switching technology: All nodes must be Ethernet switches, forwarding
each frame to the port on which its destination MAC address was learned instead
of repeating every frame to every port as a hub does.
5. Power over Ethernet (PoE): Although Voice over IP has been identified as a
potential application for this network, the network nodes are not required to
support PoE (802.3af/802.3at); switches do not need to power attached devices
over the Ethernet cable. If IP phones or the new wireless access points are to be
switch-powered, PoE-capable switches must be added to the equipment list.
Tools
Students are encouraged to use a combination of online resources and tools to achieve the
project goals, including but not limited to:
● Cisco Packet Tracer: a free network simulation tool provided by Cisco that allows
students to design, configure, and troubleshoot networks without needing physical
hardware.
● GNS3: an open-source network emulator that allows students to simulate complex
network topologies using virtual machines and real network devices. GNS3 can be
integrated with various virtualization tools to create and test virtual networks.
● AWS and Azure free credits: both Amazon Web Services (AWS) and Microsoft Azure
provide free credits for students to use their cloud services, including virtual
machines, storage, and networking. These cloud services can be used to test and
deploy network infrastructure components.
● VirtualBox: a free and open-source virtualization tool that allows students to run
multiple virtual machines on a single physical host. This can be useful for testing
different operating systems and applications.
● Wireshark: a free and open-source network protocol analyzer that allows students to
capture and analyze network traffic to troubleshoot issues and identify potential
security threats.
● OpenVAS: a free and open-source vulnerability scanner that can be used to identify
potential security weaknesses in the network.
● LibreNMS: a free and open-source network monitoring tool that allows students to
monitor the network infrastructure in real-time and receive alerts in case of issues.
● pfSense: a free and open-source firewall and routing platform that can be used to
secure the network and control traffic flow between different segments.
These tools can be used individually or in combination to achieve the project goals. Students
should select the tools that are most appropriate for their specific project requirements and
skill levels.
Tips and Recommendations:
1. Use online collaboration tools like Google Drive, OneDrive or Dropbox to share and
collaborate on project documentation, diagrams, and reports. This will help ensure
that everyone on the team has access to the latest version of the documents and can
collaborate in real-time.
2. Use a project management tool like Trello or Asana to keep track of project tasks,
deadlines, and progress. This will help ensure that everyone on the team is aware of
what needs to be done, when it needs to be done by, and who is responsible for
each task.
3. Create a shared folder or repository for storing all project documentation, diagrams,
and reports. This will help ensure that all project files are in one central location and
easily accessible by everyone on the team.
4. Use a wiki tool like MediaWiki or Confluence to create a knowledge base for the
project. This can be used to document project decisions, design choices, and
technical details. It can also be used to keep track of project-related issues,
questions, and discussions.
5. Use a version control tool like Git to track changes to project files and collaborate on
code if applicable.
6. Keep a regular meeting schedule to check in on progress and address any issues
that arise. Use this time to review documentation and identify areas for improvement.
By following these tips and recommendations, the team can effectively collaborate, manage
tasks, document the project, and ensure the successful completion of the project.
Instructor Page
Week 1:
● Assess the existing network and identify weaknesses and strengths
● Review industry standards for LAN, WAN, and wireless networks
Week 2:
● Define the need for network security and identify potential security risks in the
existing network
● Create a risk assessment report for the network
Week 3:
● Design a hybrid network model that meets the company’s growth plans and
incorporates security best practices
● Create a network diagram for the proposed network design
Week 4:
● Set up a prototype network based on the proposed network design
● Install and configure network equipment (firewalls, switches, wireless access points)
Week 5:
● Configure DHCP and DNS servers for redundancy and failover
● Set up redundant Active Directory domain controllers for user authentication
(replacing the single Windows Server 2008 Domain Controller)
Week 6:
● Write policies for network access control, including authentication of corporate
devices
● Set up a guest wireless network with proper security measures
Week 7:
● Enable syslog and auditing on network devices for monitoring and troubleshooting
● Set up a centralized logging server
Week 8:
● Justify the decision to keep servers on-premises or move to the cloud, or have a
hybrid approach
● Write a research report on the pros and cons of different server deployment options
Week 9:
● Perform penetration testing and a vulnerability assessment on the network
● Write a report on the results of the testing and assessment, including
recommendations for remediation
Week 10:
● Develop a maintenance plan for the network, including regular updates, patches, and
backups
● Write a technical adherence report outlining how the network adheres to industry
standards and best practices
The remaining two weeks can be used for optional tasks, such as:
● Configuring Quality of Service (QoS) for prioritizing network traffic
● Implementing Virtual Private Network (VPN) for remote access
● Setting up intrusion detection and prevention systems (IDS/IPS)
● Conducting a Wi-Fi site survey and optimizing wireless network performance
● Creating a disaster recovery plan and testing it
● Writing a training manual for end-users on network best practices and security
awareness
● Designing and implementing a cloud-based backup solution for critical data
Throughout the project, students should also be documenting their work and creating
supporting documentation such as system analysis reports, deployment documentation, and
penetration testing reports.
Students who successfully complete this project can highlight the following skills
and experience gained through the project on their resume:
1. Designing and implementing a secure and efficient network infrastructure to support
business growth
2. Conducting a thorough assessment of the existing network, identifying weaknesses
and areas for improvement
3. Developing and presenting a comprehensive network design proposal
4. Configuring network equipment and servers to meet specific requirements
5. Performing penetration testing and monitoring to ensure network security and
integrity
6. Collaborating with team members and stakeholders to ensure project objectives are
met within the given time and budget constraints
7. Documenting and presenting findings and recommendations in a clear and concise
manner
8. Demonstrating strong problem-solving, critical thinking, and communication skills.
Overall, this project would serve as a strong example of the student’s technical abilities and
project management skills, which would be highly valued by potential employers.