Computer networking

PJoyce85

Anyone in this field that could answer a few questions/help me with a project?
 
Does it have to do with home brewing? Like a networked eHerms with robotics to do the manual labor for you?
 
I wish. It's for school. This is an introductory "foundation" course and it is proving not to be so introductory.
 
Go wireless or are they still teaching you about token ring networks and using 9600 baud modems?
 
It's kind of an "am I doing this crap right" kind of thing.

So at each site I need a router to connect to the Internet, I have a layer 3 switch and patch panels to connect the work stations, telephone switch and a VPN concentrator.

Right now, where I am running into problems is encryption (we haven't reached this part yet so I'm confused). I would use the firewalls in the routers and a VPN concentrator that supports both IPSec and SSL. Also running an SSH server with Kerberos and multifunction authentication. Am I heading in the right direction here?

We don't have to get super detailed as in what software and blah, blah, blah.

 
I don't know what class you're taking, but the material seems fabulous... great preparation for the CISSP exam. I'm still studying this stuff myself so I won't be able to give you the best answer, but if you used a private circuit to connect the offices, encryption wouldn't be required. If over the Internet, VPN tunnels provide encryption automatically.
 
kapbrew13 said:
Go wireless or are they still teaching you about token ring networks and using 9600 baud modems?

This is for Network+ so I have to learn it all. The second half of this assignment is converting to wireless, VoIP, etc.
 
cageybee said:
I don't know what class you're taking, but the material seems fabulous... great preparation for the CISSP exam. I'm still studying this stuff myself so I won't be able to give you the best answer, but if you used a private circuit to connect the offices, encryption wouldn't be required. If over the Internet, VPN tunnels provide encryption automatically.

The rest of my degree program are these certification prep classes. Network+, Security+, CISSP, Windows Server 2008 and some others.

I don't think my professor would be very happy if I said that I would configure the routers' and switches' preinstalled firewalls and rely on automatic encryption used during tunneling and that's it.
 
I would do a quick skim on the security part of the product manual. Pick a VPN concentrator and check the vendor's manuals. They probably even have the configurations diagrammed.
Sorry, I do email, IM, and backup administration.
 
I take it you're putting the switch at layer 3 because it has some routing capabilities? Otherwise I would stay with a layer two since you have a router giving out your DHCP addressing. Now your phone switch and VPN concentrator will have to have a static IP assigned. Your VPN with some type of encryption should protect your data sufficiently. As for preventing outside network access, you'll need a firewall set up. Preferably something like an ASA. You can get them fairly small. I would also look into an MPLS network, especially if your phone system will be running the phones in each location. You can place some QoS on this to prioritize the data. You can do a 1.5 pipe for each satellite, a DS3 for the Home Office. And a simple cable connection for the CEO. No reason he will need a dedicated circuit. Then he can VPN in to the office if need be.

I'd look at OSPF as your routing protocol.

Without knowing your servers and other devices, that's about as much as I can give you. I might not be 100% correct since I just did this quick but it will give you an idea.
 
CoalCracker said:
I take it you're putting the switch at layer 3 because it has some routing capabilities? Otherwise I would stay with a layer two since you have a router giving out your DHCP addressing. Now your phone switch and VPN concentrator will have to have a static IP assigned. Your VPN with some type of encryption should protect your data sufficiently. As for preventing outside network access, you'll need a firewall set up. Preferably something like an ASA. You can get them fairly small. I would also look into an MPLS network, especially if your phone system will be running the phones in each location. You can place some QoS on this to prioritize the data. You can do a 1.5 pipe for each satellite, a DS3 for the Home Office. And a simple cable connection for the CEO. No reason he will need a dedicated circuit. Then he can VPN in to the office if need be.

I'd look at OSPF as your routing protocol.

Without knowing your servers and other devices, that's about as much as I can give you. I might not be 100% correct since I just did this quick but it will give you an idea.

I'm using Layer 3 switches because they do not require additional routers between VLANs for them to communicate. Essentially, I want the border router to be the only router in the network.

I have to assign static IP addresses to the routers and servers but will use DHCP to assign addresses. At the smaller satellite office with 15 employees and limited server availability, the IP addresses will all be static.

It is my understanding that MPLS networking components are rather expensive and we have to take that into account. The layer 3 managed switches I chose allow for QoS.

Also, because I don't know what kind of business it is, I recommended T1 dedicated lines (mostly because I needed a jump off point). If the needs are low enough, it may be cheaper to lease several T1 lines vs a T3 but can be upgraded to T3 if necessary. Same with the east coast branch office. I did Fractional T1 for the satellite office. And I did DSL for the CEO.

I chose EIGRP for the routing protocol. I figured this was the best option as it allows interior and exterior routing. Would this be suitable for remote access?
 
Any reason you're doing all static for the small office?

MPLS equipment doesn't really differ from your T1 or PRI equipment. Still need some type of CSU. EIGRP should work. I forgot about the hybrid RPs. Now your choice of Layer 3 switches makes more sense. I assumed you were doing a router and a switch at each location. So will your switch have a CSU/DSU built in? You're going to need a way to convert the T1.
 
CoalCracker said:
Any reason you're doing all static for the small office?

MPLS equipment doesn't really differ from your T1 or PRI equipment. Still need some type of CSU. EIGRP should work. I forgot about the hybrid RPs. Now your choice of Layer 3 switches makes more sense. I assumed you were doing a router and a switch at each location. So will your switch have a CSU/DSU built in? You're going to need a way to convert the T1.

The only reason I am doing static is limited servers. We have not yet covered what types of services can be combined on servers or virtualization yet.

I will have a router at each office but their main duty will be as a gateway to the Internet and for using Site-to-Site VPN to avoid installing software on every workstation.

For the T1 service, I'm assuming the carrier provided the smart jack and I will incorporate a CSU/DSU. I could get a router with an incorporated CSU/DSU, but did not take that into consideration and since they make stand-alone units, I threw one of those in at each site that will use a T carrier.
 
In the real world the telco will provide all the equipment required for MPLS and provide you with a cat 5 cable to plug into your router.

As for routers/firewalls what are you planning on using? Most will do VPN tunnelling and DHCP so that should cover your "satellite" office with secure communication and avoid static IP addressing hell.

Depending on the requirements of the satellite office you might be able to use DSL/cable/wireless. At our large 24x7 processing facilities/terminals we use MPLS but we do have 127 locations that have 2-5M DSL/wireless connections. Some of these sites have 15 - 20 users all coming back to head office over a VPN tunnel.
 
jrstacey said:
In the real world the telco will provide all the equipment required for MPLS and provide you with a cat 5 cable to plug into your router.

As for routers/firewalls what are you planning on using? Most will do VPN tunnelling and DHCP so that should cover your "satellite" office with secure communication and avoid static IP addressing hell.

Depending on the requirements of the satellite office you might be able to use DSL/cable/wireless. At our large 24x7 processing facilities/terminals we use MPLS but we do have 127 locations that have 2-5M DSL/wireless connections. Some of these sites have 15 - 20 users all coming back to head office over a VPN tunnel.

We don't have to get down to packet, circuit switching just yet.

I don't have to use specific routers and the ones I have researched all support VPN and come with firewalls. The layer 3 switches also come with firewalls. They are Cisco so they all use Cisco's security measures.

I don't know the requirement of the satellite office and that's why I suggested Fractional T1. While DSL may be available, I don't want to overpay or be limited if they require more from an ISP.
 
Also, with the built-in firewalls in the routers as well as supporting VPN tunneling, is there any other encryption I should be looking at? I was thinking of using an SSH server that supports IPSec and SSL and running Kerberos.

If I run that server at HQ, will that encrypt data that users at the other locations are requesting/receiving?

Also, is a remote access server necessary with VPN?
 
Thanks for everyone's input. I got all the information on paper and now I just need to type it up.

Instead of getting all fancy pants in the first project and using VPNs, I set up a remote access server with RADIUS for authentication. I also used an SSH server for encryption and more secure transmissions.
 