
Question

Design and implement a secured network infrastructure that ensures high availability, reliability, scalability, performance and security to support GB services. This requires 1) the design of the network; 2) the delivery of a comprehensive network security plan; and 3) Security technology implementation - proof of concept.

Answer

1. Introduction

Golden Bank (GB) is the largest financial institution operating in mainland Tivoli. GB business processes rely on a combination of systems including Internet, IPX/SPX, SNA and other ICT services, with a very complex ICT infrastructure in place that the GB board of directors sees as problematic for sustainability and further business growth. There is little room for improvement of the existing network infrastructure, and a change and re-provisioning of the ICT infrastructure is needed for the bank to remain competitive. As part of this change, the transition to interoperability should be achieved smoothly and should leverage the latest advancements in secure network infrastructure; the migration should not cause any disruption. The bank is expected to grow by 30% in the next 4 years. In terms of security, the new system should safeguard appropriate access to and use of ICT resources, and ensure that unauthorized and malicious internal and external network attacks are properly blocked. The findings of this report are founded on various websites dealing with network security. Many network security features that can be used to fulfil the requirements of the bank's network infrastructure expansion are discussed in this paper.

2. Project Scope

3. Statement of Works

In this project, Golden Bank management recruited us to investigate the details of the present infrastructure, plan the design of the new infrastructure, and frame the network policies required to migrate the infrastructure with as little downtime as possible.

4. Current Security Environment

GB has 28 branch offices around Tivoli and two remote branch offices on the islands of Greenland and Faroe. GB has three major facilities, all located in mainland Tivoli: Headquarters, Operations and Backup. The Headquarters facility is a downtown office that houses the administrative staff. The Operations facility is a warehouse near an industrial area on the outskirts of Tivoli; located 60 km from the headquarters, it houses the back-office technical functions, the data centre and the GB IT staff. Finally, the Backup facility, located in the country area of Tivoli about 100 km from the headquarters, is used as a warm site that can take over within minutes if the Operations facility fails.

5. Security Policies

Security policies are discussed in many places in this project. In particular, Golden Bank should have the following password policy.

Mandatory requirements for passwords: a minimum length of 10 characters, no spaces, at least one letter between A-Z, one letter between, one numeric character between 0-9, and one special character.
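The policy above is easy to state but easy to get subtly wrong in code (for example, a rule that passes when any letter is present instead of one from each required class). The following checker is an added example, not part of the original report or any GB system. It assumes that the second letter rule, whose range is not given in the report, means a lowercase letter a-z, and that "special character" means any printable character that is not a letter, digit or space.

```python
import re

# Rules taken from the Golden Bank password policy above. The second letter
# class is ASSUMED to be lowercase a-z (the report does not give its range);
# "special character" is ASSUMED to mean non-alphanumeric and non-space.
MIN_LENGTH = 10

RULES = [
    ("minimum length 10", lambda p: len(p) >= MIN_LENGTH),
    ("no spaces", lambda p: " " not in p),
    ("one uppercase letter A-Z", lambda p: re.search(r"[A-Z]", p) is not None),
    ("one lowercase letter a-z (assumed)", lambda p: re.search(r"[a-z]", p) is not None),
    ("one digit 0-9", lambda p: re.search(r"[0-9]", p) is not None),
    ("one special character (assumed: non-alphanumeric, non-space)",
     lambda p: re.search(r"[^A-Za-z0-9\s]", p) is not None),
]


def check_password(password: str) -> list:
    """Return the names of every rule the candidate fails (empty list = compliant).

    Every rule is evaluated independently so the user (or a helpdesk operator)
    sees all failures at once rather than fixing them one at a time.
    """
    return [name for name, ok in RULES if not ok(password)]


def is_compliant(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample candidates; none of these are real credentials.
    for candidate in ["Tivoli2024!", "golden bank", "GB123456789", "Faroe#Islands1"]:
        failures = check_password(candidate)
        verdict = "OK" if not failures else "FAIL: " + ", ".join(failures)
        print(f"{candidate!r}: {verdict}")
```

A checker like this belongs at the point where passwords are set (the domain password filter or the self-service reset page), so that non-compliant passwords never reach the directory; the same function can be reused to audit an exported list of policy violations without ever storing the passwords themselves.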

6. Disaster Recovery and Business Continuity Plan

6.1 RAID: RAID is short for redundant array of inexpensive disks (also redundant array of independent disks). It is a storage virtualization technology in which multiple drives are combined to form a single logical unit. Data redundancy is the main purpose of RAID, and RAID is also used for performance improvement. The RAID level describes how the data is spread across the drives; the level determines how capacity, availability, reliability and performance are traded off against each other. Golden Bank can use RAID 5 for its servers.

RAID 5 uses block-level striping with distributed parity: the parity data is spread across all the drives. If a single drive fails, reads continue with the help of the parity, so read operations are not interrupted by a single-drive failure. It requires at least 3 disks. It is very widely used in commercial applications, with excellent performance and good fault tolerance. RAID 5 is not recommended for write-intensive applications, because parity has to be calculated on every write, which reduces write performance. When one disk fails the whole array runs in degraded mode and performance suffers; rebuilding takes a long time, and a second disk failure is also possible in this state. Read performance and the aggregate transfer rate are good at this level, but the controller design is complex. RAID 5 is used for file and application servers, database servers, web, email and news servers, intranet servers, and so on.
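To make the "reads continue with the help of the parity" claim concrete, here is an added simulation (not from the report and not how any real controller is implemented) of RAID 5 striping, rotating parity, and a degraded-mode read after one drive is lost. The left-symmetric parity rotation and the chunk size are assumptions chosen for illustration; the sample data is constructed.

```python
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together: the RAID 5 parity operation."""
    out = bytearray(blocks[0])
    for blk in blocks[1:]:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def parity_drive_for(stripe: int, n_drives: int) -> int:
    """Parity moves one drive to the left per stripe (left-symmetric layout,
    assumed here; real controllers pick their own rotation)."""
    return (n_drives - 1 - stripe) % n_drives


def raid5_write(data: bytes, n_drives: int, chunk: int) -> List[List[bytes]]:
    """Stripe data over n_drives with distributed parity.

    Returns drives[d][s]: the chunk held by drive d in stripe s. Each stripe
    holds n_drives-1 data chunks plus one parity chunk, so usable capacity is
    (n_drives-1)/n_drives of the raw space.
    """
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least 3 drives")
    per_stripe = chunk * (n_drives - 1)
    padded = data + b"\0" * (-len(data) % per_stripe)  # pad to whole stripes
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s in range(len(padded) // per_stripe):
        stripe = padded[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i * chunk:(i + 1) * chunk] for i in range(n_drives - 1)]
        p = parity_drive_for(s, n_drives)
        data_iter = iter(chunks)
        for d in range(n_drives):
            # parity is computed on every write: the cost the text warns about
            drives[d].append(xor_blocks(chunks) if d == p else next(data_iter))
    return drives


def raid5_read(drives: List[Optional[List[bytes]]], length: int) -> bytes:
    """Read the data back; a failed drive is represented by None.

    With exactly one failed drive the array runs degraded: each missing chunk
    (data or parity) is rebuilt as the XOR of the surviving chunks in its
    stripe. A second failure cannot be recovered, so the read is refused.
    """
    failed = [d for d, drv in enumerate(drives) if drv is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 tolerates only a single drive failure")
    n_drives = len(drives)
    n_stripes = len(next(drv for drv in drives if drv is not None))
    out = bytearray()
    for s in range(n_stripes):
        p = parity_drive_for(s, n_drives)
        stripe_chunks = []
        for d in range(n_drives):
            if drives[d] is not None:
                stripe_chunks.append(drives[d][s])
            else:  # degraded read: reconstruct from the other drives
                survivors = [drives[o][s] for o in range(n_drives) if o != d]
                stripe_chunks.append(xor_blocks(survivors))
        for d in range(n_drives):
            if d != p:
                out += stripe_chunks[d]
    return bytes(out[:length])


if __name__ == "__main__":
    ledger = b"Golden Bank transaction ledger, Tivoli branch 12"  # constructed sample
    array = raid5_write(ledger, n_drives=4, chunk=8)
    array[1] = None                         # simulate one drive failing
    print(raid5_read(array, len(ledger)))   # data still intact in degraded mode
```

Note what the simulation makes visible: every read in degraded mode touches all surviving drives to rebuild the missing chunk, which is why performance drops and why a rebuild onto a replacement disk should be started immediately, since the array has no tolerance left for a second failure until it finishes.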

6.2 Microsoft and Veritas Clusters: We will use Microsoft Windows failover clusters for the critical applications. Where very stable cluster applications are required, VERITAS cluster technology can be used; one standard Veritas design is given in the appendix, and its design features can be used in our Veritas cluster design. Cluster technologies provide high availability. For load sharing, DNS round-robin can be used, and for application servers, network load balancing.

6.3 High Availability of DNS: DNS servers are classified as primary and secondary. The primary server holds the master copy of the DNS records, whereas the secondary holds a copy of the primary's records; at any time the secondary can be promoted to primary when the need arises. We can go with Active Directory-integrated DNS, in which every DNS server is always a primary. Since all the servers will then be primary DNS servers, there will be no DNS downtime.

7. Risk Management Plan

Switches will be kept in a switch rack in each room, mounted 8 feet high on the wall. Only the status lights of the switches will be visible, and users cannot touch the switches. The switch rack is a very solid rack, able to withstand and protect the switches from extreme temperatures, high humidity, theft, vandalism, arson, spilled drinks, overloaded electrical outlets and bad plumbing.

There will be a server room with 24x7x365 air conditioning. The servers will be kept in this room and connected to a layer-2 switch (Distribution Switch #10). These servers will be connected to the internet through a router. The server room will always be locked from the outside; only server administrators and management staff will have access to it.

VLAN technology will be used when configuring the switches. Users of the same department will be connected to the same VLAN. This ensures smooth network traffic between the end users and protection of the internal network: desktops in two different departments cannot communicate with each other, because they are connected to two different VLANs. There will be an anti-virus server for the entire network. Anti-virus clients will be installed on all desktops and authorized laptops, and the anti-virus server will keep monitoring those desktops and servers. There will be a software proxy for the entire network, and all users will be connected to the proxy for internet browsing. There will be an Active Directory server for the Windows domain environment, and all users must log in to the network using a Windows domain user account only. For internet access, the network configuration of each end-user PC will be configured with proxy settings in which 192.168.200.200 is the proxy server's IP address and 8080 is the port through which the internet service is delivered to the clients.

8. Basic Network Security to the network

Not much detail is given about the placement, data centre locations and so on. The following security measures should be implemented as early as possible.

Network design: Switches will be kept in a switch rack in each room, mounted 8 feet high on the wall. Only the status lights of the switches will be visible; users cannot touch the switches.
Security provided: People cannot touch the switches, so the switches have physical security. The switch rack is a very solid rack, able to withstand and protect the switches from extreme temperatures, high humidity, theft, vandalism, arson, spilled drinks, overloaded electrical outlets and bad plumbing.

Network design: There will be a server room with 24x7x365 air conditioning. The servers will be kept in this room and connected to a layer-2 switch (Distribution Switch #10). These servers will be connected to the internet through a router. The server room will always be locked from the outside; only server administrators and management staff will have access to it.
Security provided: People cannot touch the servers, so the servers have physical security. The server rack is a very solid rack, able to withstand and protect the servers from extreme temperatures, high humidity, theft, vandalism, arson, spilled drinks, overloaded electrical outlets and bad plumbing. Since the servers are isolated from the end-user area, physical access to them is restricted to server administrators only, so data theft is prevented.

Network design: VLAN technology will be used when configuring the switches. Users of the same department will be connected to the same VLAN.
Security provided: This ensures smooth network traffic between the end users and protection of the internal network. Desktops in two different departments cannot communicate with each other, because they are connected to two different VLANs.

Network design: Install anti-virus on all clients and servers.
Security provided: This will protect the servers and desktops from viruses, adware, spyware, Trojans and the like.

Network design: There will be an Active Directory server for the Windows domain environment. All users must log in to the network using a Windows domain user account only.
Security provided: All users' login times and activities can be monitored. Unauthorized users cannot enter the network and cannot access network resources such as the file server, web server and internet. If a user attempts hacking, file sabotage or unauthorized copying, the user can be identified easily.

Network design: There will be a software proxy for the entire network. All users will be connected to the proxy for internet browsing.
Security provided: The proxy will control internet access for users who are members of the domain. The username and password for internet access through the proxy will be the domain username and password; if the password is wrong, the proxy will not allow internet access.

Network design: For internet access, the network configuration of each end-user PC will be configured with proxy settings in which 192.168.200.200 is the proxy server's IP address and 8080 is the port through which the internet service is delivered to the clients.
Security provided: Controlled internet flow is possible. Each user's session can be monitored, and the bandwidth usage of users, the types of files downloaded, the download duration and all other web download properties can be controlled.
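The last two rows above (domain-authenticated proxy access, and monitoring of bandwidth, file types and download duration per user) only deliver value if someone actually reads the proxy logs. The following is an added example, not part of the report and not tied to any particular proxy product: it parses a few constructed log lines laid out like Squid's native access.log, attributes traffic to domain users, and raises findings for failed proxy authentication (status 407), downloads of blocked file types, and users over a bandwidth limit. The blocked extensions and the 50 MiB threshold are assumed policy values.

```python
import os
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines modelled on Squid's native access.log layout:
#   timestamp elapsed_ms client_ip result/status bytes method url user hierarchy content_type
# Users, hosts and addresses are made up for this example.
SAMPLE_LOG = """\
1717400000.101   245 192.168.10.21 TCP_MISS/200 524288 GET http://example.com/reports/q1.pdf jsmith HIER_DIRECT/93.184.216.34 application/pdf
1717400003.418    12 192.168.10.22 TCP_DENIED/407 3917 GET http://example.com/ - HIER_NONE/- text/html
1717400007.902  8120 192.168.10.21 TCP_MISS/200 73400320 GET http://example.com/tools/setup.exe jsmith HIER_DIRECT/93.184.216.34 application/octet-stream
1717400009.330    88 192.168.10.23 TCP_HIT/200 40960 GET http://example.com/index.html akumar HIER_NONE/- text/html
1717400012.004   301 192.168.10.23 TCP_MISS/200 2097152 GET http://example.com/files/data.zip akumar HIER_DIRECT/93.184.216.34 application/zip
"""

BLOCKED_EXTENSIONS = {".exe", ".msi", ".scr"}  # assumed policy for this example
BYTES_THRESHOLD = 50 * 1024 * 1024             # assumed per-user limit: 50 MiB


def parse_line(line: str):
    """Split one access-log line into a record, or return None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, status = f[3].split("/", 1)
    return {
        "time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
        "result": result, "status": int(status), "bytes": int(f[4]),
        "method": f[5], "url": f[6], "user": f[7], "mime": f[9],
    }


def summarize(log_text: str):
    """Per-user bandwidth, request count, file types and longest transfer,
    plus a list of human-readable findings for the proxy administrator."""
    users = defaultdict(lambda: {"bytes": 0, "requests": 0,
                                 "types": set(), "max_elapsed_ms": 0})
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # 407 = proxy authentication required: the domain credentials were
        # missing or wrong, so the proxy refused the request (no user attributed).
        if rec["result"] == "TCP_DENIED" and rec["status"] == 407:
            findings.append(f"auth failure from {rec['client']} (no valid domain credentials)")
            continue
        u = users[rec["user"]]
        u["bytes"] += rec["bytes"]
        u["requests"] += 1
        ext = os.path.splitext(urlparse(rec["url"]).path)[1].lower()
        u["types"].add(ext or rec["mime"])
        u["max_elapsed_ms"] = max(u["max_elapsed_ms"], rec["elapsed_ms"])
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"{rec['user']} downloaded blocked type {ext}: {rec['url']}")
    for name, u in users.items():
        if u["bytes"] > BYTES_THRESHOLD:
            findings.append(f"{name} exceeded bandwidth limit: {u['bytes']} bytes")
    return dict(users), findings


if __name__ == "__main__":
    per_user, alerts = summarize(SAMPLE_LOG)
    for name, stats in per_user.items():
        print(name, stats["requests"], "requests,", stats["bytes"], "bytes,",
              sorted(stats["types"]), "longest", stats["max_elapsed_ms"], "ms")
    for line in alerts:
        print("FINDING:", line)
```

Because the proxy insists on domain credentials, the user column is trustworthy for every allowed request, which is what makes per-user accounting and the "who downloaded what" question answerable at all; repeated 407 entries from one client are worth a second look, since they may indicate a machine that is not domain-joined or a credential problem.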

9. Further Security Procedures

  1. The above network has no firewalls other than the Windows firewalls. Two firewalls can be purchased and a De-Militarized Zone (DMZ) can be formed.
  2. The public-facing servers, such as the web server and FTP servers, can be placed in this DMZ. In the proposed design, the DMZ systems are the web servers and the FTP servers. These servers will be accessed from the internet as well as from the intranet (local LAN), so there should be no direct link between the external world (WAN) and the internal world (LAN).
  3. There will be an anti-virus server for the entire network. Anti-virus clients will be installed on all desktops and authorized laptops, and the anti-virus server will keep monitoring and scanning those desktops and servers. The clients then do not have to be installed by hand on each PC, and the threat level does not have to be checked on each PC individually.