Large System Setup Help

evilhomer

I was just wondering if anyone could give me a little help with the way they would setup the system below. It's not a college project or anything.
But I would like to see how others would approach this.

I know the details are a bit sketchy but it is all I have to work with.


Details of Case Study:

"A client company is considering an upgrade of their HR system. This client on start-up had an office in Dublin only but has since expanded to have an additional 5 offices throughout Europe. Their current HR system is a client-server package installed in head-office in Dublin. However other offices do not have network connectivity to this office and can not avail of HR Services electronically. The client is considering buying additional licensed servers and installing the HR package in each office but wants you to review and recommend alternative strategy.

Can you present your recommended IT solution to the client - taking into consideration requirements such as:

- distributed/remote access

- network connectivity

- user identification

- access control

- security

- system administration

etc.


What I was thinking was that if you got network connectivity setup in the offices it would cheaper then buying licences for the HR software.

- distributed/remote access:
If all the offices could connect to the Main system in Dublin It would save on licence fees and also keep a central record for all sites.

How to access the system Remotely I was thinking by using either Terminal Servers or possibily VPN's so you have a seemless link to the main system.

- network connectivity:
For network connectivity I'm not too sure what type of connection speed would be required(depends on how many people require access from the remote offices) possibly 5mb pipe up and down (too much or too little?)?
Obviously the Dublin office would need a far bigger connection.

- user identification:
For user identification I was thinking Active directory and user groups with different privilage levels for security.
Biometrics(iris scan, fingerprint scanner) and RFID(personal RFID login badges) could be used to handle user identification (this has to kind of include some new technologies).

- access control:

I think I have covered internal access control, but how would you restrict external access (Firewalls, using a secure/encrypted transport protocol?)

- security

How would you secure the system against attacks and virus's etc??

- system administration

What level of system administration would be needed on each site for a system like this? would you only need sysadmins in Dublin for the main Server and have regular tech support on the other sites for hardware faults?
since the sysadmins can probably do most stuff remotely?


- backups ?

What sort of backup system would be required for this?
Tape, RAID, SAN?

Cost analysis?
Obviously this is only the way to go if it is either cheaper or a better system.
with a centralised system it is easy to keep everything for everyone uptodate and not face the problem of data duplication and makes cross site movement easier



Any suggestions would be greatly appreciated.

I'm not set on the centralised system but it seems logical to me.

Kali

evilhomer wrote:

What I was thinking was that if you got network connectivity setup in the offices it would cheaper then buying licences for the HR software.

- distributed/remote access:
If all the offices could connect to the Main system in Dublin It would save on licence fees and also keep a central record for all sites.

How to access the system Remotely I was thinking by using either Terminal Servers or possibily VPN's so you have a seemless link to the main system.

Is it a Client/Server type system?

- network connectivity:
For network connectivity I'm not too sure what type of connection speed would be required(depends on how many people require access from the remote offices) possibly 5mb pipe up and down (too much or too little?)?
Obviously the Dublin office would need a far bigger connection.

Again can't know this without knowing what is being transferred and whether it a simple client/server system... 5MB seems overkill for a HR system for a start-up company to me.

- user identification:
For user identification I was thinking Active directory and user groups with different privilage levels for security.
Biometrics(iris scan, fingerprint scanner) and RFID(personal RFID login badges) could be used to handle user identification (this has to kind of include some new technologies).

biometrics? good god, overkill for a start-up.. look at IP restrictions first to whatever database the server is using.

- access control:

I think I have covered internal access control, but how would you restrict external access (Firewalls, using a secure/encrypted transport protocol?)

- security

How would you secure the system against attacks and virus's etc??

- system administration

What level of system administration would be needed on each site for a system like this? would you only need sysadmins in Dublin for the main Server and have regular tech support on the other sites for hardware faults?
since the sysadmins can probably do most stuff remotely?

Look at Netscreen boxes, a 25 for the main office and 5GTs for the remote offices.. that will cover your VPN & firewalls on each office, a strict firewall policy will stop the vast amount of trojans and worms... use a mail-gateway av scanner in front of your mail-server and that will stop the majority of the remainder (protection on client PCs would be nice as well if money allows)

- backups ?

What sort of backup system would be required for this?
Tape, RAID, SAN?

Again it depends on the data and the system you have in place.. where is it stored? how is it stored? how much of it is being stored?

I'm not set on the centralised system but it seems logical to me.

Its hugely beneficial and much more manageable for any admin... everything should be central imo.. unless your branch offices are > 20/30 users... even then its just a case of bandwidth and availability.

stevenmu

Simplest way, and probably the cheapest is to just stick a couple of VPN routers in each office. This basically connects each lan at each office together transparently so that all the PCs and servers think they're on the same physical network. User logins would be handled on the server in dublin exactly the same way they would be for people actually sitting in dublin. The routers would have their own seperate authentication methods for linking up, ideally each one should have fixed IPs and only allow connections from the recognised list, probably also some form of rotating username/password system.

The HR system could be run this way either by client server or through terminal software. The decision on this has to be based on the software itself, the more network intensive it is the more it would favour terminal, the less so client-server.

The system could be administered almost exclusively from dublin, with someone in each office capable of making the occasional router restart (i.e. if there's no connection, flick the power off and back on again) and being talked through minor configuration changes over the phone. I've helped administer a similar system and it wasn't always easy trying to get someone in the european offices to understand what to do but generally it worked very well. Most routers have the ability of being configured through a web interface but for obvious reasons you'd want to disable access to this from the internet side. I'm not sure how they'd feel about being configured from outside the office but within the VPN structure, I think that'd be ok.

In terms of security, most of these routers should have inbuilt firewalls which get regular-ish updates, and you could always put and extra firewall between each one and the internet (as long as it will allow the VPN connections to pass through). I think the current VPN protocols are reasonably secure, and good routers should allow for them to be updated as needed.

The cost is really just a router for each office, they probably go for well under €200 these days but it's probably worth going a bit above the bottom of the range for extra security and upgradeability. There's also the cost of the internet connections, the speed of which depend on what the HR systems usage is like (probably not much) and what other kind of transfers you'd be making, the odd small office document and a few emails won't need much. Dublin would need a fairly good symetrical connection cos it has to connect to all the others.

evilhomer

Thats some great advice there thanks

Is it a Client/Server type system?

It is Client/Server.

The case study I was given is very vague. I can only imagine that it would not be a massive amount of storage required. a terabyte RAID 5 and a Tape backup would probably again be overkill, but I don't have exact details unfortunately