Enterprise Network Design


4 replies to this topic

#1 Langdale


  • Members
  • 3 posts

Posted 28 July 2018 - 06:20 AM

I am trying to design a secure enterprise network for a company with a Headquarters and several Branches. The Headquarters hosts all the important data servers etc, to which the Branches need access.

 
I am attempting to produce a design using a 3-tier method: DMZ, Middleware and Private Zone.

It is my understanding that the DMZ is firewalled from the Middleware, which in turn is firewalled from the Private Zone.
 
So far, I think I understand this, it makes sense! 
 
However, if using VPN, are the Branches and the Headquarters considered to be on the same Middle and Private zones, or does branch traffic have to be filtered through the Perimeter Firewall / Router before accessing protected servers?



#2 Replicator


  • Members
  • 279 posts
  • Gender:Male
  • Location:Dark Basement

Posted 28 July 2018 - 08:16 AM

Well, traffic you want to be sent and received to the database servers would first have to be 'whitelisted' in your firewalled router for access?

 

This would be achieved through user permissions.


The quieter you become, the more you are able to hear!
CEH, CISSP @ WhiteHat Computers Pty Ltd

 


#3 Langdale

  • Topic Starter

  • Members
  • 3 posts

Posted 28 July 2018 - 08:24 AM

Hi, thanks for your reply.

 

So, to clarify if I may.

 

The internal Firewall/Router would support an Access Control List, a whitelist of all IPs on the protected or VPN network, and only these would be allowed access to the Private Network. Traffic from and to the Branch LANs does not go through the Perimeter Firewall/Router but through the Internal Firewall/Router? Is this correct?

 

Thanks



#4 Replicator


  • Members
  • 279 posts
  • Gender:Male
  • Location:Dark Basement

Posted 30 July 2018 - 08:48 AM

No, all branch traffic packets should be filtered through 'Stateful Packet Inspection' on the perimeter.

Branch access should be treated as 'remote' connections.

 

A stateful inspection firewall keeps a record of all outgoing network traffic and only allows incoming traffic that has a corresponding outgoing request within the packet headers.

 

This essentially blocks any scanning attempts from the WAN and prevents IP spoofing attacks!

 

Headquarters should be on its own LAN, with user access controlled through the internal wall and user permissions.

 

You must also consider a BYOD policy: a security defence against employee mobile devices that connect to your business network, then, when they leave work, connect to other unsecured networks such as WiFi hotspots.

These devices can often lead to the downfall of any perimeter firewall as would increased business demands for e-commerce applications.


Edited by Replicator, 30 July 2018 - 08:55 AM.

The quieter you become, the more you are able to hear!
CEH, CISSP @ WhiteHat Computers Pty Ltd
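The stateful inspection rule Replicator describes above, modelled as an added Python example (it is not code from the post or from BleepingComputer): outbound flows are recorded in a state table, an inbound packet is admitted only when it answers one of those recorded requests, and a packet arriving on the WAN side that claims an internal source address is dropped as spoofed. The internal range 10.1.0.0/16, the addresses and the ports are constructed sample values; TCP flag tracking and state-entry timeouts, which a real firewall has, are deliberately left out.

```python
"""Toy model of the stateful perimeter firewall described in the thread.

Constructed example: the internal range, hosts, ports and flows are made up.
Outbound flows go into a state table; inbound packets are admitted only
when they answer a recorded outbound request. Unsolicited inbound probes
and WAN-side packets carrying an internal source address are dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    sport: int      # source port
    dport: int      # destination port
    direction: str  # "out" = leaving the LAN, "in" = arriving from the WAN
    proto: str = "tcp"


class StatefulPerimeterFirewall:
    """Simplified stateful packet inspection: no TCP flag tracking, no timeouts."""

    def __init__(self, internal_nets):
        self.internal = [ip_network(n) for n in internal_nets]
        self.state = set()  # 5-tuples of outbound flows seen so far

    def is_internal(self, addr):
        a = ip_address(addr)
        return any(a in net for net in self.internal)

    def handle(self, pkt):
        """Return ("ALLOW" | "DROP", reason) for one packet and update the state table."""
        if pkt.direction == "out":
            # Egress filtering: only our own address space may originate traffic.
            if not self.is_internal(pkt.src):
                return ("DROP", "egress: non-internal source address")
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return ("ALLOW", "outbound flow recorded")

        # Ingress anti-spoofing: an internal address must never arrive from the WAN.
        if self.is_internal(pkt.src):
            return ("DROP", "spoofed internal source on WAN interface")
        # Reverse the 5-tuple and look for the outbound request this packet answers.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.state:
            return ("ALLOW", "matches established outbound flow")
        return ("DROP", "unsolicited inbound (no matching outbound request)")


# Constructed sample traffic, in arrival order.
SAMPLE_TRAFFIC = [
    Packet("10.1.0.20", "203.0.113.10", 51000, 443, "out"),  # HQ host opens HTTPS
    Packet("203.0.113.10", "10.1.0.20", 443, 51000, "in"),   # reply to that request
    Packet("198.51.100.7", "10.1.0.20", 40000, 22, "in"),    # unsolicited probe from WAN
    Packet("203.0.113.10", "10.1.0.20", 443, 51001, "in"),   # wrong port: not a reply
    Packet("10.1.0.5", "10.1.0.20", 1234, 445, "in"),        # internal address from WAN
    Packet("192.0.2.9", "203.0.113.10", 5555, 80, "out"),    # foreign source leaving LAN
]


def run_demo(traffic=SAMPLE_TRAFFIC, internal_nets=("10.1.0.0/16",)):
    """Run the sample traffic through a fresh firewall and return the verdicts."""
    fw = StatefulPerimeterFirewall(internal_nets)
    return [fw.handle(p)[0] for p in traffic]


if __name__ == "__main__":
    fw = StatefulPerimeterFirewall(["10.1.0.0/16"])
    for p in SAMPLE_TRAFFIC:
        verdict, why = fw.handle(p)
        print(f"{p.direction:>3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict:5} ({why})")
```

A branch site connecting over VPN is, from this firewall's point of view, just another remote peer: only the tunnel flow the perimeter has recorded is admitted, and the branch's LAN ranges get no special trust at the perimeter.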

 


#5 Langdale

  • Topic Starter

  • Members
  • 3 posts

Posted 30 July 2018 - 10:11 AM

Thank you

 

That's quite a comprehensive reply and I will incorporate what you have said.

 

Again, thank you!
