Items to consider when assessing a new network? (consultants, this is for you)

forkvoid

When going in to assess a potential client's network, what do you look at?

Here's what I can think of off the top of my head:

High-level
Is there documentation?
What is their workflow?
Who/what provides email service?
Who/what provides phone/internet service?
What is the disaster recovery/backup procedure?

Server room
How many servers?
Is everything cabled neatly and labeled?
What are the models of all equipment in the room?
How old is all the equipment?
Are they reaching capacity on the networking equipment?
How's the HVAC in the room?
How's the electrical?
Are there UPS's? Are they adequate?

Servers (OS)[/b
Are the operating systems current or nearly-so (Win2k3 and later)?

Desktops
What models?
How old are they?
What software is in use and how old is it?
Are they operating systems current or nearly so (WinXP and later)?

What else do you guys have?

CertGuy2011

Here's a few more ... Equipment on warranty ? Equipment leases or bought ? Any current invenroty list ? Any IT policy in place ?

sieff

there are generally tools you can run to assess the network. i normally do a quick survey and take photos, etc. lists of hostnames and IP's, run nmap or lansurveyor tool. for enterprise type clients you can use Netformix Discovery Tool, formerly Cisco Discovery Tool or a RISC Assessment. these tools utilize ping sweep, SNMP, CDP, etc ... to gather serial numbers, warranty information, software, etc and then put all the data into .pdf, .xls, visio, etc for a presentation.

brad-

Wireless AP placement?
How many network jacks per station? Wall placement?
Fire suppression method in the server room?

mikej412

What's the current Corporate Security Policy -- do you need any kind of approval from higher up the food chain to do any of the network scans or traffic analysis you may be considering?

shednik

What is the overall end goal of the assessment you plan on doing?

forkvoid

shednik wrote: »

What is the overall end goal of the assessment you plan on doing?

It's my foot-in-the-door pitch.

I have one tomorrow that I've already sold a couple minor projects on, so this particular one serves as my upsell.

ibcritn

Is your goal to assess the security posture of the system? If so, you certainly want a clear defined "rules of engagement" before you begin to use tools. Basically your CYA saying here is what I plan on doing and here is possible impact.

I would also look into current patch management, change management, access controls of users (is every user an admin on the box, or are they locked down).

Host based security (HIPS/AV?), User training, information flows to third parties.

I can keep going on, but most of what I am suggesting is related to security.

demonfurbie

age and type of the network wireing

(cat5? cat5e? cat6? token ring?)

i dont know how many times i get called and head out there to find out the wire from the early 90's is broken or bent, or its just not going to hold gig speeds

eMeS

forkvoid wrote: »

It's my foot-in-the-door pitch.

I have one tomorrow that I've already sold a couple minor projects on, so this particular one serves as my upsell.

Don't try to sell them what you think they need....sell them what they think they need.

In other words, what is the result that will be accomplished from this assessment and how does it benefit their business? Also, you said "network" in the title, but the scope seems to be a bit broader than that...it's always better when you can draw a firm boundary around what will and won't be covered...try to avoid thinking that necessarily adding more things to the scope of the assessment makes it more attractive to the customer.

But since you've done work for them already, then you probably know best what their hot buttons are...make sure that type of thing is reflected in what you're proposing.

MS

forkvoid

eMeS wrote: »

Don't try to sell them what you think they need....sell them what they think they need.

In other words, what is the result that will be accomplished from this assessment and how does it benefit their business? Also, you said "network" in the title, but the scope seems to be a bit broader than that...it's always better when you can draw a firm boundary around what will and won't be covered...try to avoid thinking that necessarily adding more things to the scope of the assessment makes it more attractive to the customer.

But since you've done work for them already, then you probably know best what their hot buttons are...make sure that type of thing is reflected in what you're proposing.

MS

I was wondering when you'd show up in the thread; thanks for the suggestions.

The situation is kinda unique to an IT consultant(at least for me)... they've been without IT for quite some time, and they know for certain (which I confirmed) that there are several issues already(which I fixed). They asked me to come in and identify any others. This assessment becomes the starting point for their IT priorities.

As for scope... yeah, it's not just network in the sense of hardware, but more of their entire IT. Replacing a desktop without asking business needs is fine in most every case... replacing a server, though, is not. You have to start going up the chain to get a clear picture of how everything is interacting to give an accurate recommendation on the direction they should go.

RTmarc

mikej412 wrote: »

What's the current Corporate Security Policy -- do you need any kind of approval from higher up the food chain to do any of the network scans or traffic analysis you may be considering?

To somewhat expand on this, I'd find out if there are any special requirements for security and/or regulations/compliance (HIPAA, etc.)

dratnol

I would take a hard look at licensing. It seems to be pretty common that some of the places I walk into are not in compliance in regards to licensing (Office, OS, etc). Just something that I check when walking into a new network.

rsutton

I try to find out where the last company was failing and give extra attention to those areas.

Some additional information you will want to gather: public DNS host/credentials, domain registrar host/crdentials, vendor support agreements & contact numbers, after hours physical access/contacts, acceptable down time (this is an important one and requires some attention/planning).

I would also take this opportunity to gather baseline statistics for the servers, UPS's and network traffic.