sunhux (ASKER) asked:
Semi critical servers / equipment at branch offices : network design to secure them

We have 30+ small office branches that connect to our Data Centre via WAN routers,
& these WAN routers connect to a core switch in the DC.

Each branch has 2 flat Class C subnets: one for the wired LAN & one for our corporate
Wifi LAN. We don't expect more than 100 PCs/devices in each branch. All devices
& PCs at each branch are connected to L2 switches (including the branch WAN router).

There are PCs & devices (cashiers, cameras, small robots/automation, scanners and mini
databases) in the branches that run applications that do not need to communicate with
servers in the DC other than the AV EPO, SCCM patching, central encryption management
servers, HIPS (endpoint IPS) console & the like, but backups are taken by a NAS located at
each branch.

However, there are some semi critical mini servers & databases which we deem ought to
be segregated from the rest of the organization to prevent DoS, though PCs for email
& Internet access will need to go back to the DC.

Q1:
What are among the best practices for such branches network traffic?
Hub & spoke design?   Layered security?  Micro-segmentation within each branch?

Q2:
Do we treat each branch's network to be of lower, equal or higher trust levels than
DMZ, applications servers zone or backend servers zones (typical network trust
zones)?

Q3:
For traffic filtering / microsegmentation, is it best practice to configure:
a) ACLs at each branch's WAN router (as the switches at branches are Layer 2 &
    at most can only do MAC address filtering, which is not an option for us), or
b) Windows firewalls on the PCs that host mini databases & mini servers
    (but note that there are appliances which may not have firewalls in them), or
c) the HIPS firewalls (they run on the PCs, but not on the appliances), or
d) replace the "default gateway" setting on the mini servers / databases with
    restrictive persistent routes (ie static routes, as they're called in Cisco) that allow
    communication with the SCCM, AV EPO, HIPS console etc: can Windows
    GPO manage/enforce such persistent routes? Or
e) which combination of the above?


Q4:
For each of the controls a-d above, do we filter for ingress or egress traffic or both?

Q5:
Sounds silly: should we move all these mini servers / devices to the DC? They are
usually powered off at night or on Sundays. Sometimes they may just need to be
restarted or serviced frequently: I have seen hospital branches/clinics, bank
branches & post offices keeping this equipment on their premises (ie it doesn't need
DC air con, humidity controls etc).
sunhux (ASKER):
Q6:
There's a plan to replace the L2 switches at the branches 1 year later (as the Cisco 2960s are going EoSL).
A colleague just asked: should we segment each branch's LAN into several segments of trust such
that those semi critical PCs (hosting mini servers & databases) are on a higher-trust segment while
the normal PCs (used for email/Internet access) are on another segment, or should we go one segment
per system, eg: all cash/cashier related equipment in one segment/subnet of a branch, scanning/copiers
in another, queue/ticketing in another subnet, ...: does that sound like overkill, or should we just place everything in
one subnet for each branch?

Q7:
If we were to get L3 switches, should the L3 switches do the filtering with ACLs, or let the WAN router
do the filtering, or both, or the PCs' firewalls (but appliances can't do that)?

Lastly, all branches PCs authenticate to AD server that's located in the DC (in internal zone, not DMZ)
sunhux (ASKER):
Need to assess the options in terms of security, supportability/maintainability and
'future-proofing' (say the branches plan to have broadband to connect to the Internet
one day to bypass going thru the DC, but we're not allowing this currently as we
want them to go thru the proxy and DLP (Data Loss Protection) at the DC).

My views:

a) for immediate/fast implementation (as we have a couple of months only), defining
    static/persistent routes is fastest & least disruptive, as we may not have a full
    inventory of all the mini servers & equipment that has gone into the branches
    over the last few decades. Some appliances like the NAS only allow a default gateway
    to be set & not static/persistent routes, but it meets our security needs if we just
    remove the 'default gateway' setting, as the NAS only serves the subnet within
    the branch (no routing needed).

b) setting Windows firewall: I doubt we can use GPO to centrally manage/enforce
    it; it can be unsustainable & some appliances don't have it (say the SMS Sendlink
    device or Redbox voice recorders).

c) ACL on the WAN router at each branch: not so micro-segmented, but at least it covers
    appliances that don't have built-in firewalls. However, this option met with
    huge resistance from the Network team, citing that this is not secure & the firewall on the
    HIPS is most secure (but it sounds to me that the Network guys don't want to take
    up this task).

d) the HIPS administrator objected too, as he said supporting 30 branches' firewalls
    in the HIPS is unsustainable.
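For the persistent-route option raised in Q3 d) and in view a) above, here is an added example (not code from the thread or from any of its participants) showing what "remove the default gateway and keep only restrictive persistent routes" looks like on a Windows mini server. All addresses are constructed placeholders and the adapter name is an assumption; Group Policy has no built-in setting for static routes, so a script like this would typically be pushed as a GPO computer startup script (an assumption about deployment, not something the thread confirms).

```powershell
# Added example, not from the original thread: replace the default gateway on a
# Windows mini server with persistent routes to the DC management servers only.
# All addresses are constructed placeholders; the adapter name is an assumption.
$Interface    = 'Ethernet'       # assumption: LAN adapter name on the mini server
$BranchRouter = '10.50.1.1'      # constructed: LAN address of the branch WAN router
$Allowed = @(
    @{ Name = 'SCCM site server'; Prefix = '10.1.10.10/32' },  # constructed
    @{ Name = 'AV EPO server';    Prefix = '10.1.10.20/32' },  # constructed
    @{ Name = 'HIPS console';     Prefix = '10.1.10.30/32' },  # constructed
    @{ Name = 'AD / DNS in DC';   Prefix = '10.1.20.0/24' }    # constructed
)

# 1. Remove the default route: anything not listed below becomes unreachable
#    beyond the branch subnet, which is the whole point of the control.
Get-NetRoute -InterfaceAlias $Interface -DestinationPrefix '0.0.0.0/0' `
             -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# 2. Add one persistent host/subnet route per allowed destination. New-NetRoute
#    writes to both the active and persistent stores, so the routes survive reboots.
foreach ($dest in $Allowed) {
    $exists = Get-NetRoute -DestinationPrefix $dest.Prefix -InterfaceAlias $Interface `
                           -ErrorAction SilentlyContinue
    if (-not $exists) {
        New-NetRoute -InterfaceAlias $Interface -DestinationPrefix $dest.Prefix `
                     -NextHop $BranchRouter -RouteMetric 10 | Out-Null
        Write-Output "Added persistent route: $($dest.Name) -> $($dest.Prefix)"
    }
}

# 3. Audit: after this runs, the only IPv4 routes via the branch router should be
#    the ones above (the subnet's own connected route carries no next hop).
Get-NetRoute -AddressFamily IPv4 -PolicyStore PersistentStore |
    Where-Object NextHop -ne '0.0.0.0' |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias
```

If the adapter takes its address from DHCP, the default gateway comes back at lease renewal, so this only holds for hosts with a static IP configuration (or a DHCP scope that hands out no router option for them).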
sunhux (ASKER):

Q8:
Should we even consider dynamic routing protocol with ACLs ?
Or the scale is too small currently to consider this?

You are asking a lot of deep, technical questions and expecting someone to spend a lot of time to answer those questions.

Actually what you are asking for is for someone to design your remote branch for you, and you have offered nothing in return.

Why not make this a paid project? You would probably get a much better response.
ASKER CERTIFIED SOLUTION
atlas_shuddered
sunhux (ASKER):
We are with PCI-DSS compliance.


Thanks very much Atlas.

>A6 - Again, trust model. I'll pitch the question back to you.
We have a current Network Security Architecture doc which has a 1-liner mention that a branch is of "Medium Secure Trust".
The doc mentions 4 levels of trust: High Secure, Med Secure, Low Trust, Untrusted (ie Internet).