Mr Singh's Examples
Executive Summary
SkyLink Financial Systems Ltd is currently experiencing network performance issues, security vulnerabilities and poor remote access control due to an outdated and unstructured network design. With the organisation planning to expand from 220 employees to significantly more over the next five years, a modernised and scalable network infrastructure is essential.
This proposal identifies the key causes of the existing connectivity problems, evaluates the associated cyber security risks, and provides a fully costed, secure network redesign. The proposed solution introduces network segmentation, modern firewall appliances, a cloud-based identity and access management system (Azure AD), an upgraded VPN platform, and infrastructure capable of supporting both business growth and secure remote access for Drone Display teams.
The proposal also includes cyber-security mitigations, updated policy requirements, and costed investments in hardware, software, and cloud licensing models. The total implementation cost is approximately £34,850, with annual recurring cloud licensing estimated at £9,600, justified through improved resilience, security, and business continuity.
(Teacher note: This Executive Summary clearly states the existing problems, the purpose of the report, the proposed solution and cost headline — this demonstrates excellent clarity and relevance, supporting Band 5 English & technical criteria.)
1.0 Introduction & Scope
The aim of this report is to design a secure and scalable upgrade to SkyLink’s network infrastructure, addressing the technical, operational and cyber security issues identified in the scenario. The scope of this proposal includes:
· Identification of the root causes of current network performance and connectivity issues
· Evaluation of cyber-security weaknesses, including insider threat vectors
· Design of a new, scalable network topology aligned to the company growth plan
· Recommendations for equipment, cloud services and software licences
· Calculation of realistic costings to meet AO4 mathematics requirements
· Proposal of secure remote access methods for Drone Display teams
· Recommendations for security policies, training and incident handling
This proposal is specifically designed to meet the assessment requirements for Task 3, including:
· Network connectivity analysis
· Secure redesign with business justification
· Costed hardware, software & cloud decisions
· Cyber security mitigation strategies
Updated network topology diagram
2.0 Analysis of Current Network and Connectivity Issues
A detailed review of SkyLink’s existing network configuration highlights multiple weaknesses relating to performance, scalability, remote access, and cyber security exposure. These issues affect business continuity, data protection compliance, and the ability to support future growth.
2.1 Outdated and Unscalable Network Hardware
The organisation is still operating with a domestic-grade ISP router acting as the core network device for 220 users. This device was never intended to support business-level routing, VLANs, access control lists (ACLs), or high-volume traffic. As the user count increased, no upgrades were implemented, resulting in bandwidth congestion, dropped connections, and bottlenecking at the router level.
(Teacher note: This paragraph demonstrates “excellent understanding of network connectivity issues” because it identifies the technical problem, the business impact, and the root cause — all required for Band 5.)
2.2 DHCP Scope Limitations
DHCP allocation is configured to support only 200 devices (192.168.1.2–192.168.1.201), despite the organisation employing 220 staff, plus printers, servers, IoT devices, and visitors. As a result, some users fail to obtain IP leases, leading to intermittent loss of network access.
This has resulted in:
· Manual static IP assignments (creating IP conflicts)
· Users unable to log in to domain services
· Failed connections to file and display servers
(Teacher note: This shows cause-and-effect reasoning with technical accuracy — a key indicator of Band 5 depth.)
2.3 Uncontrolled Remote Access to VPN Server
Remote access was originally intended only for Drone Display teams, but VPN login details have been informally shared across the company. Additionally, several devices connected to the VPN have no verified authentication or encryption, including personal phones (e.g. “Tom’s iPhone”), as shown in Control Document C.
Security risks include:
· Insider threat access to sensitive drone design data
· Unencrypted data transfer across VPN sessions
· No device compliance checks (e.g. anti-virus, OS patching)
(Teacher note: This directly links technical evidence from the brief to a security risk — demonstrating high-level applied understanding.)
2.4 Lack of Network Segmentation
All users currently exist on a flat Layer 2 network, meaning the HR team, Display Development team, Finance staff, and servers all share the same broadcast domain. This design fails to:
· Restrict internal lateral movement
· Separate development and operational systems
· Protect high-value servers from internal threat actors
A malicious insider or compromised account could therefore access the Drone Display server or HR data without firewall barriers.
(Teacher note: Strong cyber-security reasoning, linked to insider threat, shows “excellent understanding of cyber-security issues”, meeting Band 5 descriptors.)
2.5 Outdated Server Operating System
The file and print server runs Windows Server 2008, which reached end-of-life in 2020 and receives no security updates or patches. This exposes the organisation to:
· Known unpatched vulnerabilities (e.g. EternalBlue exploit)
· Failed security audit compliance for financial data handling
· Increased risk of ransomware spread through SMBv1
Given that SkyLink handles commercially sensitive drone technology, this is a critical issue.
2.6 Public Guest Wi-Fi with No Password
The guest Wi-Fi access point is configured unencrypted and open to the public, meaning any unauthorised user can connect. This exposes the business to:
· ARP spoofing or man-in-the-middle attacks
· Legal liability for illegal internet activity by guests
· Wi-Fi sniffing of internal DNS and unencrypted traffic
(Teacher note: This demonstrates highly detailed security analysis in relation to a real-world organisational risk — a Band 5 characteristic.)
2.7 No Policy, Training, or Access Review Process
There is no formal security induction training, no password policy, and no user access review process. This contributes to:
· Shared credentials
· Over-permissioned accounts
· Human-error-based attacks (phishing, credential reuse)
This weakness contributes directly to the insider threat identified in the scenario.
Summary of Key Issues Identified
Issue Impact Risk Level
Domestic router used as core network
device Network instability, not scalable High
Insufficient DHCP scope Loss of connectivity, IP conflict Medium
Unsecured and misused VPN access Data breach, unauthorised access High
No network segmentation Lateral movement, insider threat High
Windows Server 2008 in production Unpatched vulnerabilities Critical
Open guest Wi-Fi Attack entry point, legal liability High
No staff security training Increased phishing / credential risk Medium
.0 Proposed Secure Network Redesign
The redesigned network architecture has been developed to address the connectivity, scalability, and cybersecurity issues identified in Section 2, while aligning with SkyLink’s future expansion plans. The new design introduces network segmentation, modern firewall protection, cloud-based identity management, and secure remote access controls, ensuring that only authorised users and devices can reach specific resources.
3.1 Network Segmentation Using VLANs
To prevent internal lateral movement and reduce insider threat risks, the new network will implement separate VLANs, with firewalls enforcing traffic restrictions between them. The proposed segmentation is:
VLAN Department / Function Purpose
VLAN
10 General Office Staff Internet, email, business systems
VLAN
20 Drone Display Development Team High-security access to display server
VLAN
30 HR & Finance Confidential staff and payroll data
VLAN
40 Servers & Infrastructure File server, database server, domain services
VLAN
50 Guest Wi-Fi Network Fully isolated, internet-only
VLAN
60 VPN Remote Users Restricted access, logging and auditing enabled
Only the Display Development VLAN (20) will have access to the Display Information Server, and only HR VLAN (30) will have access to payroll data. This enforces least privilege by design.
3.2 Updated Network Topology Diagram (ASCII Format)
3.3 Secure Remote Access Upgrade
Instead of using password-based VPN access with shared accounts, the proposed upgrade introduces:
Feature Replacement Solution
Shared VPN passwords Azure AD Identity-based MFA login
Unverified personal devices Conditional Access + Device Compliance
Unencrypted VPN traffic Always-on IPSec Tunnel Policy
12-user VPN limit Scalable cloud VPN gateway (50+ users)
Remote Drone Display teams will authenticate using Azure AD + MFA, and only company-managed laptops will be allowed VPN access, enforced via Intune compliance policies.
3.4 Hardware and Software Components Proposed
Component Purpose Justification
Fortinet FG-60F
Firewall (x1) Enterprise-grade routing, IPS/IDS, web filtering, VLAN control Replaces domestic router, adds full security stack
Aruba 2930F
Managed Switch
(x2) Core network switching + VLAN support Required for segmentation and scalability
Azure AD + Intune Cloud-based identity, MFA, device compliance Removes shared accounts, supports growth
Azure VPN Gateway Scalable encrypted remote access Supports increasing number of remote teams
Windows Server
2022 Replacement for Server 2008 Patchable, compliant, secure
4.0 Costed Equipment, Software and Cloud Services
The proposed secure network upgrade requires a combination of new physical hardware, cloud services and software licensing. All costings below are based on realistic 2024 UK market pricing, sourced from suppliers such as Insight, CDW, and Microsoft pricing calculators.
The cost model includes:
· One-time (CapEx) hardware purchase costs
· Annual (OpEx) cloud and licensing subscriptions
· Replacement of outdated systems (Server 2008 → Server 2022)
· Scalable VPN and identity solution to support business growth
· Device management and compliance enforcement (Intune)
4.1 One-Time Hardware Costs (Capital Expenditure)
Item Qty Unit Cost Total Cost Notes
Fortinet FG-60F Next-
Gen Firewall 1 £1,295 £1,295 Replaces domestic router, enables VLANs, IPS, DPI
Aruba 2930F 24-Port
Managed Switch 2 £799 £1,598 Required for VLAN segmentation and core switching
Windows Server 2022
Licence 1 £720 £720 Replacement for insecure 2008 server
Dell PowerEdge T550
Server Hardware 1 £2,950 £2,950 Replaces outdated host server
Cat6A Structured
Cabling Upgrades — £1,200 £1,200 Adds additional ports for expanding staff
UPS Battery Backup
Unit 1 £650 £650 Provides power redundancy for key servers
TOTAL HARDWARE CAPEX = £8,413
4.2 Cloud Subscription & Licensing Costs (Annual Operational Cost)
Cloud Service Qty / Users Cost per Year Total Annual Cost Purpose
Microsoft 365 Business
Premium 220 users £45.10 per user/year £9,922 Includes Azure AD, MFA, Intune, Office 365
Azure VPN Gateway 1 instance £1,728 £1,728 Remote access for Drone Teams
Fortinet Security
Subscription (AV + IPS +
URL Filtering) 1 firewall £620 £620 Required for threat protection updates
Azure AD P1 Included in
M365 — £0 £0 Supports conditional access + MFA
TOTAL ANNUAL CLOUD LICENSING COST = £12,270
Comments
Post a Comment