Network Redesign Help

StarTrek4U

Where I work the previous people who set up and laid out our network did it in a real slapshot sort of way which now means things are generally overly complicated and less reliable than they should be. I have been given the task of designing what our network "should" look like then creating a plan to make it so over the next few years. Does anyone have any good resources they use as far as standards and best practices go? I'll be talking to some of our local contractors but I wanted to have a better idea as to what I was talking about going into this. Some of the key points I want to accomplish are:
  • Segment Workstations from Servers, different subnet & firewalled
  • Have a public and private wireless network
  • I'll need to include an area to do web filtering
  • Have a DMZ
  • Incorporate redundancy/high availability where possible and reasonable

Anyone have any good pointers as to where to get started or suggestions on some things to look at?
 
What kind of network hardware is in place? If it's limited, is there a budget to get what you need? This is a general question. Lots of variables here...

Basically you will need to VLAN and subnet your network. The hardware follows too... firewall, layer 2 or 3 (more options there) switches, and quality router/s.

I am no pro, but this is from my understanding.
 
Also, how big is this?

Luckily I haven't had to mess with more complicated setups than it seems you are going into...

My idea of a "screwy network" is no cables labeled...
 
We have about 20 physical servers, roughly 120 network devices (workstations, printers, etc), some decent and some not so decent Cisco equipment. I guess I'm not looking for advice as far as hardware goes (with the possible exception of wireless) but what are some best practices in terms of logical and physical design? Where are the trends going in this area and how can I try to incorporate some scalability and security into the network (as we are a bank)? The problem with our current design is that it is not scalable and we have a few key points within our network that if they failed would cause a significant (if not complete) outage of connectivity. I'm looking to plan out a few years and get a rolling design in place for a phased rollout of the changes I need to come up with.

Hopefully that clears up some of the confusion.
 
If this is a bank you might think about VPN access for remote sites (branch offices and the like).
 
I have a few questions to start. Right now, the current network layout is flat? Meaning there is no logical segmentation, everything is on one network and one VLAN? And this is a bank? Networks like this need to meet certain regulations, off the top of my head.. PCI compliancy if you want to offer any kind of debit/credit card transactions with your customers (which I'm sure that you would want to).

Also, I don't mean to sound rude.... but are you sure that you are up to the task of rebuilding such a network? The costs involved in not becoming compliant could very well span millions of dollars per month.

On to some more advice. Are these servers colocated or at your offices? Power redundancy should be at the very top of your list; review, review, review your disaster recovery plan and incorporate that into the equipment that you may be purchasing. On to your segmentation, best practice is to allocate one subnet per VLAN that you will be implementing. You should have at a minimum one VLAN per department (tellers, managers, financial consultants, etc). Logical security will not suffice if you want to pass any types of compliancy, so VLANs will not be enough.... separate switches per access VLAN (which is a best practice anyways) with transparent firewalls between the access switches and your core layer (3 layer model is a must). Your security posture should be of the DiD model (defense in depth), hence a transparent firewall per security enclave with ACLs set on your core routers/switches. All core devices should be redundantly connected and if possible modules configured with stateful failover. Web filtering should be done at your service provider block (right outside of your core layer) and should be done for the entire organization.

Wireless for your public should not be an open network, meaning some kind of RADIUS authentication with captive portals should be used. Question, why are you providing WiFi to the public anyways? These access points should also be on their own VLAN, subnet, access switch and firewall. Remember, you're a bank! NO LOGICAL SECURITY AT ALL :). Lastly, private WiFi should be accomplished through VPN with RADIUS authentication.

This is all I can think of off the top of my head. You have a lot of work ahead of you. Good luck, any other question...... just ask.
 

Thanks for the response, I'll try to address everything...

To begin with, we are not a retail bank (i.e., no customers, tellers, branches etc) so some of the traditional compliance issues don't affect us as much; we get audited like it's going out of style and we have been found to be generally compliant.

Yes, our network design incorporates a single internal VLAN for all workstations and servers currently. I do think I'm up to the task in a technical sense however I've mostly been maintaining the status quo, I'm not sure where to begin as far as planning for today and tomorrow, etc.

All of our servers are in our office, we do have a generator and a UPS that our server room are connected to, both of which are tested. We also do an annual DR plan review and test and have a fairly good handle on that.

Defense in Depth and similar models are exactly what I was looking to refer to. There have been some discussions within our dept about the best way to achieve security and reliability without incurring excessive costs; we have talked about VLANs, and transparent firewalls, etc. I'm not sure that we're going to be able to do separate switches and VLANs per dept but we want to at least segment them off from the server infrastructure. It's at least good to hear that what we've been talking about seems to be the right direction.

EDIT: When I was talking about public/private WiFi I was referring to the ability to have one VLAN/SSID for internal users to connect to, and another for vendors and guests (i.e. "the public") to connect to which would basically just get trunked straight out to the internet with no internal access whatsoever.

Any other feedback is certainly welcome.
 

While that all sounds good in a perfect world - this is reality. I can promise you that there is not a single company out there (maybe with the exception of DoD and its subcontractors) that has an entire network design with no logical security. Like I said - I agree with your concept, but I doubt the OP will be able to pull it off.

As far as the examiners go (and it will depend on who your reporting agency is), most of them are less concerned with you having good security and more concerned with making sure you have documented the security you have. Regardless of who you report to, the FFIEC handbooks are a pretty good place to start. http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html
 

um, no. I can promise you that organizations that require certain compliances are scrutinized beyond belief. Even the small guys, shit... I designed a small (TINY) WiFi network that was only logically segmented from a POS system, PCI compliance failure. We needed to segment with an actual hardware device. This was a tiny coffee shop. So, a bank...... will REQUIRE much much more than logical segmentation. That's what I was trying to convey, that the OP would require both to achieve a better security posture. I also want to point out while your statement does have some truth to it, this is why so MANY security consultants have the jobs that they do....

I mean come on, how hard is it to execute a VLAN bleeding attack?

Startrek,
It sounds like you are off to a really great start. I think that you're going to be fine. Check out the DoD sites to get very good documentation about DiD, security enclaves, router ACL best practices. These documents are generally written by the vendors, so take what you read with a grain of salt.
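The segmentation advice earlier in the thread (one subnet per VLAN, ACLs on the core switch as one layer of defense in depth, a guest SSID that only reaches the Internet) together with the VLAN hopping concern raised in the last post, sketched as a Cisco IOS config. This is an example added here, not config from the thread or any of its posters; the VLAN numbers, subnets, server address, port numbers and interface names are assumed values, not the OP's real network.

```cisco
! Added example, not from the thread. Assumed VLAN ids, subnets, addresses
! and ports; a transparent firewall in the path would be the second layer.
vlan 10
 name SERVERS
vlan 20
 name WORKSTATIONS
vlan 30
 name GUEST-WIFI
vlan 999
 name UNUSED-NATIVE
! One subnet per VLAN; each ACL filters traffic entering from that VLAN.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group WS-TO-SERVERS in
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group GUEST-OUT in
! Workstations reach the server VLAN only on named services (assumed:
! SMB, LDAP, DNS to one assumed server); anything else is dropped and logged.
ip access-list extended WS-TO-SERVERS
 permit tcp 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 445
 permit tcp 10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 eq 389
 permit udp 10.1.20.0 0.0.0.255 host 10.1.10.5 eq 53
 deny   ip  10.1.20.0 0.0.0.255 10.1.10.0 0.0.0.255 log
 permit ip  10.1.20.0 0.0.0.255 any
! Guest wireless: DHCP, then Internet only; every RFC1918 range is denied,
! so guests cannot reach servers, workstations or this switch's other SVIs.
ip access-list extended GUEST-OUT
 permit udp any any eq bootps
 deny   ip  any 10.0.0.0 0.255.255.255
 deny   ip  any 172.16.0.0 0.15.255.255
 deny   ip  any 192.168.0.0 0.0.255.255
 permit ip  any any
! Access ports: fixed access mode and no trunk negotiation, so a host cannot
! negotiate a trunk and bleed into other VLANs; BPDU guard blocks rogue switches.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree bpduguard enable
! Uplink trunk: explicit allowed list and an unused native VLAN, so untagged
! frames never land in a production VLAN.
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
```

The `log` keyword on the server-VLAN deny is what makes the core ACL useful for detection as well as blocking: unexpected workstation-to-server attempts show up in syslog rather than silently disappearing.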
 