Network Architecture Description: by Imad Boustany and Jean Matar

Our network architecture provides redundancy with connections to two ISPs and multiple firewalls, switches, and servers distributed across several zones. Traffic flows through routers, next-generation firewalls from Palo Alto and Fortigate, with IPS inspection and web proxies. Four DMZ zones contain applications and a honeypot. A second layer of Fortigate firewalls and IPS provide VPN access. Core switches separate zones and filtered traffic. Data center firewalls further secure server zones holding applications, authentication, backups, email, security tools, and monitoring systems. A disaster recovery site ensures availability of critical systems.
By Imad Boustany and Jean Matar

Network architecture description

1. Our network will be connected to two different ISPs, assuring redundancy in case one ISP
connection goes down.
2. The first layer of our network is two routers running BGP, ensuring high availability: packets
from both ISPs are routed to the same public IP, so the connection stays available across the
two ISPs.
3. Two Palo Alto next-generation firewalls will be our first layer of security. These firewalls will
run in high availability mode (active-active) and provide a sandbox service. The sandbox
service will test executables and other predefined file types in an isolated environment with the
aim of detecting viruses and malware that have no known definition detectable by the antivirus
agent, thereby preventing infection.
4. An IPS with four legs, running in bridge mode, will inspect incoming traffic from the internet to
the firewall and outgoing traffic from the firewall into our network. The IPS will detect and block
known attack signatures.

DMZ1 – our first DMZ zone, containing the CRM application that will be accessed from
outside. This zone will be protected by a web application firewall (WAF) to prevent web
attacks (SQL injection, etc.).
DMZ2 – our second DMZ zone, containing the mail relay/filter. The mail relay will act as
the recipient of all incoming mail and will filter it according to preconfigured rules, working
together with the sandbox service running on our first firewall (Palo Alto) to check
potentially malicious files.
DMZ3 – our third DMZ zone, containing the web proxy. The web proxy will be the gateway
between the clients and the internet for all web browsing. The proxy will serve as a cache
server, giving the feeling of faster internet access and preserving bandwidth, in addition to
filtering web requests by website category and denying access to malicious websites,
pornographic websites, etc.
Honeypot – the fourth DMZ zone will contain a honeypot. A honeypot works as a trap for
attackers: it is a sacrificial computer system intended to attract cyberattacks. It mimics a target
for attackers, and their intrusion attempts are used to help protect the production environment.

5. Two FortiGate next-generation firewalls will be our second layer of defense. We have chosen a
different firewall vendor for our second layer so that a zero-day or unknown attack against one
vendor's firewalls does not compromise both layers. These firewalls will act as the VPN gateway
for users and remote sites. We will use IPsec VPN for site-to-site VPNs, ensuring encryption,
authentication and integrity. For client-to-site VPN we will use SSL VPN, as it is easy to use from
any browser, supports multiple profiles with published services for groups of users, and works
behind NAT.
6. A second IPS with four legs, running in bridge mode, will inspect incoming traffic from the
internet to the firewall and outgoing traffic from the firewall into our network. The IPS will detect
and block known attack signatures.
7. Two core switches will divide the network into different security zones and filter packets
according to predefined ACLs, ensuring controlled inter-VLAN communication.
The core switches are redundantly connected to all distribution switches, where the endpoints are
connected. Access points serving different VLANs (guest, IT, users, etc.) will be connected to
the distribution switches.
8. Two data center firewalls will provide multilayer security and redundancy for all incoming traffic
to our data center zones, providing tight protection for all accessed services.
9. Server zone 1 – will contain non-core business applications:
NAC: the network access control server will enforce secure network access, providing
authentication, profiling and visibility, security posture checks and incident response.
Active Directory: will provide user authentication and policy assignment for services running in
our environment, as well as endpoint policies.
Backup server: the backup server will handle all backup processes for users and servers
according to the set RTO/RPO. It will also handle replication to the disaster recovery site to
ensure service availability in case of a disaster.
Email server: will handle all email services.
Endpoint protection: will provide endpoint security measures (antivirus, malware detection and
response, etc.).
SIEM: security information and event management combines security information management
and security event management, providing real-time analysis of security alerts generated by
applications and network hardware.
NMS: a network monitoring system that will monitor, maintain and optimize our network.
10. Server zone 2 – will contain core business applications: HRM, CMS and Finance servers.
11. A passive disaster recovery site in the cloud will keep a copy of our core applications and
services to ensure availability in case of a disaster.
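As an added example (not part of the original document), the zone segmentation described above can be modelled and audited in Python: first-match rules with an implicit default deny, plus a check that no rule lets the internet reach the server zones directly, lets anything other than the proxy zone egress to the internet, or lets the honeypot initiate traffic into another zone. Zone names follow the document; the rule set and every port number are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zone names follow the document; every port number here is an assumption.
@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"

# Assumed rule set reflecting the design: published services sit in the DMZs,
# clients browse only via the proxy, and the server zones are internal-only.
RULES: List[Rule] = [
    Rule("internet", "dmz1_crm", 443, "allow"),        # CRM behind the WAF
    Rule("internet", "dmz2_mail", 25, "allow"),        # mail relay/filter
    Rule("internet", "dmz4_honeypot", None, "allow"),  # honeypot is meant to be hit
    Rule("dmz3_proxy", "internet", 80, "allow"),       # proxy egress only
    Rule("dmz3_proxy", "internet", 443, "allow"),
    Rule("users", "dmz3_proxy", 3128, "allow"),        # assumed proxy port
    Rule("users", "server_zone1", None, "allow"),
    Rule("users", "server_zone2", None, "allow"),
    Rule("dmz2_mail", "server_zone1", 25, "allow"),    # relay to internal mail server
    Rule("server_zone1", "dr_site", 443, "allow"),     # backup replication (assumed)
]

def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (None, port):
            return r.action == "allow"
    return False

INTERNAL = {"users", "server_zone1", "server_zone2"}

def audit(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Flag allow rules that contradict the design intent stated in the document."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src == "internet" and r.dst in INTERNAL:
            findings.append((r, "internet reaches an internal zone directly"))
        if r.dst == "internet" and r.src != "dmz3_proxy":
            findings.append((r, "egress bypasses the web proxy"))
        if r.src == "dmz4_honeypot" and r.dst != "internet":
            findings.append((r, "honeypot can initiate traffic into another zone"))
    return findings
```

Running `audit` over a candidate ACL set before it is pushed to the core switches or data center firewalls catches the segmentation mistakes this design is meant to prevent.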
