Task 3 - Info

Executive summary

SkyLink must replace ad-hoc, under‑spec domestic networking with a secure, segmented, resilient architecture that protects intellectual property (drone displays), enforces least privilege, supports remote Drone Display teams, and scales for rapid growth. Recommended solution: enterprise router + managed switch(es), firewall with segmentation and high-availability, hardened on‑premises directory and file services integrated with cloud identity and file services (Azure AD + Microsoft 365 Business Premium + SharePoint/OneDrive), device management (Intune), endpoint protection, and a zero‑trust remote access model for Drone teams. This proposal includes an annotated network topology, security mitigations, rollout and testing plan, incident processes, staff training, and costed estimates with clear calculations to support AO4 mathematics and top‑band grading.


Proposed network topology (annotated)

Key features shown and explained below:

  • Separate physical network for servers and core infrastructure
  • VLAN-based segmentation for: Admin/HR; Display Creation (development); Drone Operations (operational); Guest Wi‑Fi; Management/Servers
  • Perimeter firewall + IDS/IPS with explicit rulesets
  • Redundant internet links and HA firewall/router pair
  • Replace VPN with Conditional Access + Intune + secure tunnelling for corporate devices (detailed under Remote Access)
  • Cloud services (Azure AD, Microsoft 365, SharePoint, Intune) for identity, files, and device management
  • NAS replaced by SharePoint/OneDrive; on‑prem file server retained for legacy systems with restricted access and encryption

ASCII diagram (annotated):

Internet -- ISP A (primary) <> ISP B (secondary) | Edge Router (HA pair) | Enterprise Firewall (HA) | Core Switch (managed, L3) 192.168.0.1 / | |
VLAN 10 (Servers) VLAN 20 VLAN 30 VLAN 40 (Guest Wi‑Fi) (192.168.10.0/24) (192.168.20.0/24) (192.168.30.0/24) (192.168.2.0/24) | | | | Domain Controller Workstations Drone Ops WAP (guest, isolated) (AD/Azure AD Connect) (GPO/SD‑LAN) (Secure remote access) | File & Print Server (moved to 2019+; BitLocker; SMB over internal network only) Display Info DB Server (Windows Server 2019; DB VLAN; encrypted disks) Monitoring/Logging Appliance (SIEM/log collector); IDS sensor mirrors traffic

(See notes: DHCP scope adjusted per VLAN; static IPs for infra; documented IP plan included in appendix.)


Equipment, software and cloud choices with justification

  1. Core network devices

    • Edge Router / UTM (HA pair) — enterprise grade (e.g., Ubiquiti UniFi Dream Machine Pro XG or equivalent enterprise firewall like Fortinet/FortiGate or Cisco Meraki MX)
      Justification: replace SOHO router; supports VLANs, NAT, VPN fallback, high throughput and HA.
    • Managed Layer‑3 Switch (PoE for WAPs)
      Justification: VLANs, QoS for operational traffic, remote management, port security.
    • Wi‑Fi 6 Access Points (business grade) for staff; separate WAP for Guest network with captive portal and no access to internal subnets.
  2. Servers and storage

    • Replace Windows Server 2008 file server with Windows Server 2019/2022 or migrate file shares to Microsoft 365/SharePoint with hybrid sync for legacy apps.
      Justification: EOL OS replaced; cloud reduces on‑site NAS exposure and sharing-account issues.
    • Display information database stays on hardened DB server (Windows Server 2019) with restricted access, encryption, and regular backups.
    • Monitoring VM/SIEM (open-source or SaaS e.g., Azure Sentinel) to collect logs.
  3. Identity, endpoint & device management

    • Azure AD (Primary identity) with Azure AD Connect for hybrid join.
    • Microsoft Intune (MDM/MAM) for device compliance, remote wipe, application control.
    • Microsoft 365 Business Premium (SharePoint, OneDrive, Office apps, Defender for Business).
    • Group Policy for domain‑joined internal devices; Intune for mobile/remote.
  4. Remote access / secure transfer

    • Replace open/shared VPN with conditional access + Intune device compliance + SAML/OAuth protected connections; for necessary secure tunnels use per‑user VPN certificates and split tunnelling that only permits access to required internal resources.
    • For Drone teams: corporate laptops enrolled in Intune; network access permitted only from compliant devices with MFA.
  5. Security controls

    • Endpoint protection (Microsoft Defender for Business / EDR).
    • Firewall rules: block SMB/TCP445 from guest and non‑server VLANs; allow SMB only from specified management VLAN and authenticated devices.
    • Remove shared admin accounts; unique admin accounts with MFA; privileged access management (PAM) where possible.
    • Implement logging, alerting, file access auditing (especially for display DB and file shares).
    • Network segmentation: Dev/Prod separation to protect IP for drone displays.
    • Backup & DR: offsite encrypted backups (cloud or secure tape) and recovery runbooks.

Detailed security mitigations (how requirements are met)

  • Principle of least privilege: centralised authentication (Azure AD + on‑prem AD) and role‑based access; remove local admin rights; use Just‑In‑Time (JIT) or temporary elevation for admins.
  • Authorised-only network access: Intune device compliance + Conditional Access policies + MFA. Devices not enrolled are denied access.
  • Remote access only for authorised users and corporate devices: Drone teams use corporate laptops/phones enrolled in Intune; certificate‑based or conditional access.
  • Network segmentation: VLANs + firewall rules enforce separation between operational (Drone Ops) and development (Display Creation). DR/test networks separated.
  • Change control: formal change control board (CCB) and documented change requests, rollbacks, and approvals before config pushes.
  • Redundancy: dual ISPs, HA firewall/router, power redundancy (UPS), redundant core switches or stacking for resilience.
  • Secure data transfer: HTTPS/TLS for web access; SFTP or HTTPS for any file transfer; signed manifests for displays; mutual TLS for critical services.
  • Incident processes: SIEM collects logs; automated alerts for anomalous access, privilege elevation, file exports. Forensic logging retention policy (90+ days or per regulatory needs).
  • Staff training: mandatory security induction + quarterly phishing simulations and role‑specific secure handling training for Drone teams.

Remote access design (detailed alternative to current VPN)

Current VPN issues: shared admin sessions, unauthenticated devices, exhausted concurrent licenses. Proposed approach:

  • Identity = Azure AD; require MFA.
  • Device compliance = Intune; require devices be enrolled and compliant.
  • Conditional Access policies: only compliant devices and approved users allowed to access internal resources; block legacy authentication; require location risk checks.
  • For Drone teams offline at events: use per‑device VPN certificates (limited concurrent license pool) OR use secure staged sync of approved display artifacts to device via SharePoint/OneDrive for Business with offline availability—this reduces live VPN load and licensing footprint.
  • For critical internal services that must be available remotely, use Application Proxy or secure reverse proxy with MFA rather than full network VPN.

Security benefits: removes shared admin sessions, ensures encrypted connections, reduces concurrent connection bottleneck and provides device posture validation.


Network segmentation, IP plan and addressing (summary)

  • VLAN 10 Servers 192.168.10.0/24 (infra static IPs)
  • VLAN 20 Admin/HR 192.168.20.0/24 (DHCP reserved scope)
  • VLAN 30 Display Creation (Dev) 192.168.30.0/24 (restricted access; testing sandboxes)
  • VLAN 40 Drone Operations (Ops) 192.168.40.0/24 (operational access via conditional access)
  • VLAN 50 Management 192.168.50.0/24 (switches, firewalls, monitoring)
  • Guest Wi‑Fi 192.168.2.0/24 (isolated, no access to internal VLANs)

DHCP ranges and static reservations documented per device; core infra assigned static IPs; DNS handled by AD DNS with forwarders to ISP and cloud DNS as needed.


Change control and incident response

  • Change control: all config changes logged in ticketing system; emergency changes require post‑implementation approval; pre-deployment in lab/virtual environment.
  • Incident response playbook (outline):
    1. Detection via SIEM alert or user report.
    2. Triage (containment: isolate affected VLAN/device).
    3. Forensic capture (preserve logs, image devices where required).
    4. Eradication (remove malware, revoke compromised credentials).
    5. Recovery (restore services from verified backups).
    6. Lessons learned and update policies.
  • Privilege misuse detection: alerts on creation of new admin accounts, changes to ACLs, unusual file access patterns.

Deployment plan and timeline (high level)

Phased rollout (minimise disruption):

  • Week 0–2: Procurement, design finalisation, IP plan and change control process set up.
  • Week 3–4: Lab tests; configure firewall, VLANs, Intune test tenant.
  • Week 5–6: Deploy core network (edge router and HA firewall), managed switch setup; migrate WAPs.
  • Week 7–8: Migrate identity: install Azure AD Connect, pilot group of users for hybrid join and Intune enrolment.
  • Week 9–10: Move file shares to SharePoint/OneDrive pilot; disable SMB on guest networks; enforce firewall rules.
  • Week 11–12: Enroll Drone team devices; decommission shared admin credentials; full monitoring & SIEM go‑live.
  • Post‑deployment: 30/60/90 day reviews; security audit and penetration test.

Rollback plans included for each phase.


Testing and validation (to achieve full marks on Task 3 and align with Task 1/2 guidance)

Test types and expected outcomes (to be included in final written testing matrix):

  • Connectivity tests (ping by IP and FQDN across VLANs) — expected: internal name resolution and ping success where permitted.
  • Access control tests (attempt SMB from office network and from VPN/unapproved device) — expected: SMB allowed only from authorized VLANs/devices; blocked from guest.
  • Privilege test (attempt software install as standard user) — expected: cannot install; UAC prevents changes.
  • Remote access test (intune non‑compliant device attempts access) — expected: blocked by Conditional Access.
  • Failover tests (simulate ISP A failure) — expected: automatic failover to ISP B; services remain available.
  • Performance tests for display downloads (simulate Drone team download at event) — expected: throughput acceptable, time within SLA.
  • Audit/logging test (trigger admin creation) — expected: SIEM alerts and logs capture event, generate ticket.
  • Penetration test & vulnerability scan post‑deployment — expected: no critical findings; prioritized remediation list.

Record actual results, date, tester, remediation actions and user acceptance sign‑off.


Staff training, policies and governance

  • Mandatory induction covering acceptable use policy, password hygiene, phishing awareness.
  • Role‑based training: Drone teams trained on secure handling and offline sync of displays; Admins trained on PAM and change control.
  • Quarterly simulated phishing and security refresher.
  • Policies to implement: Acceptable Use, Password & MFA policy, Remote Access policy, Change Control policy, Data Classification and Retention policy.

Costing (mathematics AO4) — estimates and calculations

Assumptions: approximate market prices (rounded), one‑off capital vs annual subscriptions. All figures in GBP (£).

Hardware (one‑off)

  • HA enterprise firewall/router pair: £4,500 (pair)
  • Managed core switch (stackable): £1,200
  • Wi‑Fi 6 APs (x4): £700 (4 × £175)
  • Server upgrades / replacement (2 servers): £4,000 (2 × £2,000)
  • UPS and cabling / contingency: £1,000

Subtotal hardware = £4,500 + £1,200 + £700 + £4,000 + £1,000 = £11,400

Software and services (annual)

  • Microsoft 365 Business Premium (220 users × £16.60/user/month ≈ £199.20/user/year) → Using official-like pricing: assume £199/year/user
    Annual M365 cost ≈ 220 × £199 = £43,780
  • Intune / Device management bundled in M365 above (assumed included)
  • Endpoint protection / EDR licensing: £4 per user/month → annual ≈ £4 × 12 × 220 = £10,560
  • SIEM/monitoring subscription (or Azure Sentinel estimated): £6,000/year
  • Support & maintenance (hardware warranty + firewall subscriptions): £3,000/year

Subtotal recurring year 1 = £43,780 + £10,560 + £6,000 + £3,000 = £63,340

First-year total (hardware one‑off + recurring) = £11,400 + £63,340 = £74,740

Example calculations shown:

  • M365 annual = 220 users × £199 = £43,780.
  • Endpoint annual = £4 × 12 months × 220 users = £10,560.
  • First-year total = hardware subtotal (£11,400) + recurring subtotal (£63,340) = £74,740.

Notes:

  • Prices are indicative and must be vendor‑quoted; include VAT and procurement discounts in final procurement.
  • For AO4: arithmetic shown clearly and units (GBP/year and GBP one‑off) provided.

(If asked, provide simple comparison: on‑prem NAS replacement vs SharePoint cost analysis — e.g., on‑prem NAS £5,000 capex + £1,000/year maintenance vs SharePoint included in M365 subscription above.)


Risk analysis and mitigation (top‑band detail)

  • Risk: Insider misuse (creation of admin accounts)
    Mitigation: Remove shared admin accounts; enable privileged account monitoring; alerting on new admin creation; conduct monthly privilege reviews.

  • Risk: Concurrent VPN limit exhausted
    Mitigation: Move to conditional access + minimize VPN use via cloud sync; if VPN retained, expand license pool and enforce per‑device certificates.

  • Risk: Malware from user downloads on NAS
    Mitigation: Replace public NAS with SharePoint; DLP policies, file type scanning, content filtering; restrict file write permissions.

  • Risk: Single point of failure (ISP/router)
    Mitigation: Dual ISPs with BGP/failover; HA firewall/router; backups and tested DR plan.


Validation, monitoring and success metrics

Key performance indicators (post‑deployment):

  • 99.9% availability for core services (contractual SLA)
  • Zero unauthorised admin account creations without approvals (monitored)
  • Average display download time under X minutes at events (define per test)
  • Reduction in security incidents related to local admin rights to zero within 3 months
  • User satisfaction score >8/10 in post‑deployment survey focused on access and usability

Monitoring:

  • SIEM dashboards for auth anomalies, file exfiltration, privilege changes
  • Regular vulnerability scanning and quarterly penetration testing

Appendices (to include in submission)

  • Detailed IP addressing table and DHCP scopes
  • Firewall ruleset summary (explicit deny for SMB from guest; allow from server VLAN)
  • Change control template and sample CR (change request)
  • Incident response runbook (step‑by‑step)
  • Testing matrix (tests, expected outcomes, actual results, sign‑off table)
  • Training schedule and sample induction checklist
  • Full cost spreadsheet (breakdown by line item, one‑off vs recurring and totals)

Conclusion and evaluation

This proposal meets all stated requirements: least‑privilege access; authorised remote access via device‑based conditional access; segmentation of operational and development networks; documented processes for incident management and change authorisation; redundancy for resilience; secure transfer mechanisms for Drone teams; and a programme of staff security training. Implementation in clearly defined phases with testing and rollback reduces risk. Cost estimates and calculations are provided to support decision‑making and meet AO4 numeracy requirements.

If you would like, I can:

  • convert the appendix items into a printable test matrix and firewall ruleset,
  • produce the step‑by‑step change request and incident runbook content as ready templates,
  • or generate the cost spreadsheet layout for submission (note: I will prepare content you can paste into Excel).

Comments

Popular posts from this blog

OS A3 Task 1

OS A3 Task 2