Mr Singh's Examples

 Executive Summary

SkyLink Financial Systems Ltd is currently experiencing network performance issues, security vulnerabilities and poor remote access control due to an outdated and unstructured network design. With the organisation planning to expand from 220 employees to significantly more over the next five years, a modernised and scalable network infrastructure is essential.

This proposal identifies the key causes of the existing connectivity problems, evaluates the associated cyber security risks, and provides a fully costed, secure network redesign. The proposed solution introduces network segmentation, modern firewall appliances, a cloud-based identity and access management system (Azure AD), an upgraded VPN platform, and infrastructure capable of supporting both business growth and secure remote access for Drone Display teams.

The proposal also includes cyber-security mitigations, updated policy requirements, and costed investments in hardware, software, and cloud licensing models. The total implementation cost is approximately £34,850, with annual recurring cloud licensing estimated at £9,600, justified through improved resilience, security, and business continuity.

(Teacher note: This Executive Summary clearly states the existing problems, the purpose of the report, the proposed solution and cost headline — this demonstrates excellent clarity and relevance, supporting Band 5 English & technical criteria.)

1.0 Introduction & Scope

The aim of this report is to design a secure and scalable upgrade to SkyLink’s network infrastructure, addressing the technical, operational and cyber security issues identified in the scenario. The scope of this proposal includes:

· Identification of the root causes of current network performance and connectivity issues

· Evaluation of cyber-security weaknesses, including insider threat vectors

· Design of a new, scalable network topology aligned to the company growth plan

· Recommendations for equipment, cloud services and software licences

· Calculation of realistic costings to meet AO4 mathematics requirements

· Proposal of secure remote access methods for Drone Display teams

· Recommendations for security policies, training and incident handling

This proposal is specifically designed to meet the assessment requirements for Task 3, including:

· Network connectivity analysis

· Secure redesign with business justification

· Costed hardware, software & cloud decisions

· Cyber security mitigation strategies

Updated network topology diagram

2.0 Analysis of Current Network and Connectivity Issues

A detailed review of SkyLink’s existing network configuration highlights multiple weaknesses relating to performance, scalability, remote access, and cyber security exposure. These issues affect business continuity, data protection compliance, and the ability to support future growth.

2.1 Outdated and Unscalable Network Hardware

The organisation is still operating with a domestic-grade ISP router acting as the core network device for 220 users. This device was never intended to support business-level routing, VLANs, access control lists (ACLs), or high-volume traffic. As the user count increased, no upgrades were implemented, resulting in bandwidth congestion, dropped connections, and bottlenecking at the router level.

(Teacher note: This paragraph demonstrates “excellent understanding of network connectivity issues” because it identifies the technical problem, the business impact, and the root cause — all required for Band 5.)

2.2 DHCP Scope Limitations

DHCP allocation is configured to support only 200 devices (192.168.1.2–192.168.1.201), despite the organisation employing 220 staff, plus printers, servers, IoT devices, and visitors. As a result, some users fail to obtain IP leases, leading to intermittent loss of network access.

This has resulted in:

· Manual static IP assignments (creating IP conflicts)

· Users unable to log in to domain services

· Failed connections to file and display servers

(Teacher note: This shows cause-and-effect reasoning with technical accuracy — a key indicator of Band 5 depth.)

2.3 Uncontrolled Remote Access to VPN Server

Remote access was originally intended only for Drone Display teams, but VPN login details have been informally shared across the company. Additionally, several devices connected to the VPN have no verified authentication or encryption, including personal phones (e.g. “Tom’s iPhone”), as shown in Control Document C.

Security risks include:

· Insider threat access to sensitive drone design data

· Unencrypted data transfer across VPN sessions

· No device compliance checks (e.g. anti-virus, OS patching)

(Teacher note: This directly links technical evidence from the brief to a security risk — demonstrating high-level applied understanding.)

2.4 Lack of Network Segmentation

All users currently exist on a flat Layer 2 network, meaning the HR team, Display Development team, Finance staff, and servers all share the same broadcast domain. This design fails to:

· Restrict internal lateral movement

· Separate development and operational systems

· Protect high-value servers from internal threat actors

A malicious insider or compromised account could therefore access the Drone Display server or HR data without firewall barriers.

(Teacher note: Strong cyber-security reasoning, linked to insider threat, shows “excellent understanding of cyber-security issues”, meeting Band 5 descriptors.)

2.5 Outdated Server Operating System

The file and print server runs Windows Server 2008, which reached end-of-life in 2020 and receives no security updates or patches. This exposes the organisation to:

· Known unpatched vulnerabilities (e.g. EternalBlue exploit)

· Failed security audit compliance for financial data handling

· Increased risk of ransomware spread through SMBv1

Given that SkyLink handles commercially sensitive drone technology, this is a critical issue.

2.6 Public Guest Wi-Fi with No Password

The guest Wi-Fi access point is configured unencrypted and open to the public, meaning any unauthorised user can connect. This exposes the business to:

· ARP spoofing or man-in-the-middle attacks

· Legal liability for illegal internet activity by guests

· Wi-Fi sniffing of internal DNS and unencrypted traffic

(Teacher note: This demonstrates highly detailed security analysis in relation to a real-world organisational risk — a Band 5 characteristic.)

2.7 No Policy, Training, or Access Review Process

There is no formal security induction training, no password policy, and no user access review process. This contributes to:

· Shared credentials

· Over-permissioned accounts

· Human-error-based attacks (phishing, credential reuse)

This weakness contributes directly to the insider threat identified in the scenario.

Summary of Key Issues Identified

Issue Impact Risk Level

Domestic router used as core network

device Network instability, not scalable High

Insufficient DHCP scope Loss of connectivity, IP conflict Medium

Unsecured and misused VPN access Data breach, unauthorised access High

No network segmentation Lateral movement, insider threat High

Windows Server 2008 in production Unpatched vulnerabilities Critical

Open guest Wi-Fi Attack entry point, legal liability High

No staff security training Increased phishing / credential risk Medium

.0 Proposed Secure Network Redesign

The redesigned network architecture has been developed to address the connectivity, scalability, and cybersecurity issues identified in Section 2, while aligning with SkyLink’s future expansion plans. The new design introduces network segmentation, modern firewall protection, cloud-based identity management, and secure remote access controls, ensuring that only authorised users and devices can reach specific resources.

3.1 Network Segmentation Using VLANs

To prevent internal lateral movement and reduce insider threat risks, the new network will implement separate VLANs, with firewalls enforcing traffic restrictions between them. The proposed segmentation is:

VLAN Department / Function Purpose

VLAN

10 General Office Staff Internet, email, business systems

VLAN

20 Drone Display Development Team High-security access to display server

VLAN

30 HR & Finance Confidential staff and payroll data

VLAN

40 Servers & Infrastructure File server, database server, domain services

VLAN

50 Guest Wi-Fi Network Fully isolated, internet-only

VLAN

60 VPN Remote Users Restricted access, logging and auditing enabled

Only the Display Development VLAN (20) will have access to the Display Information Server, and only HR VLAN (30) will have access to payroll data. This enforces least privilege by design.

3.2 Updated Network Topology Diagram (ASCII Format)

3.3 Secure Remote Access Upgrade

Instead of using password-based VPN access with shared accounts, the proposed upgrade introduces:

Feature Replacement Solution

Shared VPN passwords Azure AD Identity-based MFA login

Unverified personal devices Conditional Access + Device Compliance

Unencrypted VPN traffic Always-on IPSec Tunnel Policy

12-user VPN limit Scalable cloud VPN gateway (50+ users)

Remote Drone Display teams will authenticate using Azure AD + MFA, and only company-managed laptops will be allowed VPN access, enforced via Intune compliance policies.

3.4 Hardware and Software Components Proposed

Component Purpose Justification

Fortinet FG-60F

Firewall (x1) Enterprise-grade routing, IPS/IDS, web filtering, VLAN control Replaces domestic router, adds full security stack

Aruba 2930F

Managed Switch

(x2) Core network switching + VLAN support Required for segmentation and scalability

Azure AD + Intune Cloud-based identity, MFA, device compliance Removes shared accounts, supports growth

Azure VPN Gateway Scalable encrypted remote access Supports increasing number of remote teams

Windows Server

2022 Replacement for Server 2008 Patchable, compliant, secure

4.0 Costed Equipment, Software and Cloud Services

The proposed secure network upgrade requires a combination of new physical hardware, cloud services and software licensing. All costings below are based on realistic 2024 UK market pricing, sourced from suppliers such as Insight, CDW, and Microsoft pricing calculators.

The cost model includes:

· One-time (CapEx) hardware purchase costs

· Annual (OpEx) cloud and licensing subscriptions

· Replacement of outdated systems (Server 2008 → Server 2022)

· Scalable VPN and identity solution to support business growth

· Device management and compliance enforcement (Intune)

4.1 One-Time Hardware Costs (Capital Expenditure)

Item Qty Unit Cost Total Cost Notes

Fortinet FG-60F Next-

Gen Firewall 1 £1,295 £1,295 Replaces domestic router, enables VLANs, IPS, DPI

Aruba 2930F 24-Port

Managed Switch 2 £799 £1,598 Required for VLAN segmentation and core switching

Windows Server 2022

Licence 1 £720 £720 Replacement for insecure 2008 server

Dell PowerEdge T550

Server Hardware 1 £2,950 £2,950 Replaces outdated host server

Cat6A Structured

Cabling Upgrades — £1,200 £1,200 Adds additional ports for expanding staff

UPS Battery Backup

Unit 1 £650 £650 Provides power redundancy for key servers

TOTAL HARDWARE CAPEX = £8,413

4.2 Cloud Subscription & Licensing Costs (Annual Operational Cost)

Cloud Service Qty / Users Cost per Year Total Annual Cost Purpose

Microsoft 365 Business

Premium 220 users £45.10 per user/year £9,922 Includes Azure AD, MFA, Intune, Office 365

Azure VPN Gateway 1 instance £1,728 £1,728 Remote access for Drone Teams

Fortinet Security

Subscription (AV + IPS +

URL Filtering) 1 firewall £620 £620 Required for threat protection updates

Azure AD P1 Included in

M365 — £0 £0 Supports conditional access + MFA

TOTAL ANNUAL CLOUD LICENSING COST = £12,270

Comments

Popular posts from this blog

OS A3 Task 1

OS A3 Task 2