Communications Solution for:
www.cyberfriday.com
Communications Solution and Upgrading the Network = Meeting Business Objectives
1. The company CyberMonday is an e-commerce company whose services are deployed across a total
of five sites: 3 overseas, and 2 main sites in Israel. The majority of the company’s revenue
comes from marketing and selling products online over the Internet, as well as from sales by 20
mobile sales personnel.
2. The company CyberMonday is listed on the stock exchange in accordance with provisions of the
Board of Managers of the company, and is subject to financial market regulation by law. It is
therefore obligated to meet one or more of the following standards:
ISO27001
Sarbanes-Oxley A
Payment Card Industry Data Security Standards version
3. The current structure of the network is as follows:
a. A single internet link to Cellcom 013
b. There is a CP 4800 FW at the Tel Aviv and Haifa sites.
c. At the main site and at the DR site, there is a DC, which includes 4 physical servers. At the two
sites, there is VNX 5400 storage.
d. The company has 3 other sites, each with 20 users, that are connected via CheckPoint S-Boxes.
e. At the main site, as well as at the DR site, there are 60 users, all of whom are connected by
means of a 10/100 connection to a flat network.
f. There is a Cisco Call Manager telephony system at all sites, with an external power supply to
the telephones.
Schematic of the Network—Current Situation
Communications Network and Information Security
Weaknesses and Problems with the Current Situation
• Most of the company's revenue comes from online servers that are connected to the internet, yet the company has one
internet connection without a backup. In case of a malfunction or the phone line crashing, the sales staff will
not be able to connect to the servers, and all the sites around the world will be cut off from the main site.
There will also be no internet connection, which means low availability of services and loss of revenue.
• All the company's employees are connected via communications interfaces working at a rate of 10/100 MB. Even
when the servers are connected at a speed of 1000 MB, communication is adapted to work with network
interfaces at a rate of 100 MB at best, so the result is slower applications, low availability of
services, and loss of revenue.
• The company has no VLAN division or segmentation: the users and servers essentially sit in the same broadcast
domain, which slows the network and invites hacking. The results are slow applications, low availability
of services, loss of revenue, data theft by competitors and exposure of the company's databases to all comers,
thus causing damage to the company's reputation.
• The existing network and all its components work without survivability. This means that a collapse of one of the
network components due to a power outage or malfunction can cause a complete shutdown of the network's
services in the company. The results are slow applications, low availability of services, and loss of revenue.
• The server farm at the main site, as well as at the DR site, is protected by a single firewall, which cannot prevent
the wide variety of cyber threats that exist today, such as SQL injection, cross-site scripting (XSS), and account hijacking.
• It takes a long time to introduce new services to the company, in terms of time to market on the basis of the
existing farm. It is possible to cut that time in half, and in the competitive market in which the company
operates, it is vital to shorten the time it takes to introduce new services.
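The "no survivability" weakness above can be checked mechanically. The following added example (not part of the original deck) models the path from remote sales staff to the server farm as a graph and lists every component whose failure alone cuts that path. Node names and the exact link layout are assumptions built from the deck's description of the current network and from the redundancy features it proposes (two 12200 firewalls in ClusterXL, paired core switches, a second ISP link).

```python
from collections import deque

# Constructed model of the CURRENT path described in the deck: one ISP link,
# one CP 4800 firewall, one flat switch. Node names are hypothetical.
CURRENT = [
    ("remote-sales", "isp-link-1"),
    ("isp-link-1", "fw-4800"),
    ("fw-4800", "flat-switch"),
    ("flat-switch", "server-farm"),
    ("flat-switch", "office-users"),
]

# Assumed redundant layout: two ISP links, a two-member firewall cluster and
# a paired core, every tier cross-connected to the next. This is an
# illustration, not the deck's actual schematic.
PROPOSED = [
    ("remote-sales", "isp-link-1"), ("remote-sales", "isp-link-2"),
    ("isp-link-1", "fw-12200-a"), ("isp-link-1", "fw-12200-b"),
    ("isp-link-2", "fw-12200-a"), ("isp-link-2", "fw-12200-b"),
    ("fw-12200-a", "core-a"), ("fw-12200-a", "core-b"),
    ("fw-12200-b", "core-a"), ("fw-12200-b", "core-b"),
    ("core-a", "server-farm"), ("core-b", "server-farm"),
]

# Same design with the second ISP link left out: shows that clustering the
# firewalls and the core does not help while the uplink stays single.
PARTIAL = [link for link in PROPOSED if "isp-link-2" not in link]


def reachable(links, src, dst, removed=None):
    """Return True if dst can be reached from src with one node removed."""
    if removed in (src, dst):
        return False
    adjacency = {}
    for a, b in links:
        if removed in (a, b):
            continue  # every link touching the failed component is down
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for neighbour in adjacency.get(node, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return False


def single_points_of_failure(links, src, dst):
    """List the components whose failure alone disconnects src from dst."""
    candidates = {node for link in links for node in link} - {src, dst}
    return sorted(
        node for node in candidates
        if not reachable(links, src, dst, removed=node)
    )


if __name__ == "__main__":
    designs = (("current", CURRENT), ("partial", PARTIAL), ("proposed", PROPOSED))
    for name, links in designs:
        spof = single_points_of_failure(links, "remote-sales", "server-farm")
        print(f"{name:9s} single points of failure: {spof}")
```

Running the same check against an export of the real topology after each change shows whether a new single point of failure was introduced.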
Weaknesses of the Current Situation
Schematic of the Proposed HP, CP, F5 Equipment-Based Solution
Confidentiality, Integrity and Availability (CIA)
Advantages of the HP Communications Solution
• Access – Concentrations of Users >> | HP 2920-48G-PoE+ 740W | HP 2920-48G-PoE+ |
Advantages:
• Performance and Connectivity:
1) 48-port 10/100/1000 Mb PoE+, with an optional two-port stacking module.
2) Throughput 130.9 million pps; switching capacity 176 Gb.
3) Up to four optional 10 Gigabit ports (SFP+ and/or 10GBASE-T).
• Resiliency and high availability:
1) Allows stacking of up to 4 switch units into a single virtual device.
2) Multiple spanning tree protocol (STP) and IEEE 802.1s: offers high link availability in
multiple-VLAN environments by allowing multiple spanning trees, and provides legacy
support for IEEE 802.1d and IEEE 802.1w.
3) IEEE 802.3ad (LACP) and HP port trunking.
4) SmartLink: provides easy-to-configure link redundancy of active and standby links.
5) Dual flash images: provide independent primary and secondary operating system
files for backup while upgrading.
• OpenFlow SDN ready
• Limited Lifetime Warranty 2.0 with 3 years of 24x7 phone support
• Access – Concentrations of Users >> | HP 2920-48G-PoE+ 740W | HP 2920-48G-PoE+ |
Advantages:
• Convergence, Security:
1) IEEE 802.1ab LLDP, IEEE 802.3at dynamic, for , IEEE 802.3af device class, or user
2) IEEE 802.3at (PoE+) 30 W per port; IEEE 802.3af 15.4 W
3) 802.1X, multi-user auth, MAC-based authentication, ACL …, Dynamic ARP protection
• Layer 2, 3:
1) IEEE 802.1s Multiple Spanning Tree
2) IEEE 802.3ad Link Aggregation Control Protocol (LACP) and HP port trunking
3) VLAN support and tagging: supports IEEE 802.1Q (4,094
4) Rapid Per-VLAN Spanning Tree (RPVST+)
5) Static IP routing, including ECMP capability; Routing Information Protocol (RIP)
provides RIPv1 and RIPv2 routing
• Management:
1) HP Intelligent Management Center (IMC), SNMP v3, v2, sFlow
|168 Port Haifa |192|
• Core, Datacenter | Top-of-rack | HP 5830AF-96G | HP 5830AF-48G |
• Performance and Connectivity:
1) 96 RJ-45 autosensing 10/100/1000 ports, 10 fixed 1000/10000 SFP+ ports | HP 5830AF-96G
2) 48 RJ-45 autosensing 10/100/1000 ports; 2 dual-personality ports (auto-sensing 10/100/1000Base-T or SFP); 2 fixed
1000/10000 SFP+ ports; 1 extended module slot
3) Throughput 291.6 Mpps (64-byte packets); switching capacity 392 Gbps | HP 5830AF-96G
4) Throughput 119 Mpps (64-byte packets); switching capacity 160 Gbps | HP 5830AF-48G
5) Jumbo frames
• Limited Lifetime Warranty 2.0 with 3 years of 24x7 phone support
• HP FlexNetwork Architecture’s HP FlexFabric solution module.
• Resiliency and high availability:
1) HP Intelligent Resilient Fabric (IRF): creates virtual resilient switching fabrics, where two or
more switches perform as a single L2 switch and L3 router; switches do not have to be
co-located and can be part of a disaster recovery system; servers or switches can be attached
using standard LACP for automatic load balancing and high availability.
2) Rapid Ring Protection Protocol (RRPP) ring 200 ms
3) Smart Link: allows 200 ms failover between links
4) Redundant hot-swappable AC or DC power and fans: supports front-to-back or back-to-front
airflow for hot/cold aisles, rear rackmounts, and
5) Device Link Detection Protocol (DLDP)
• Core, DataCenter | DMZ >>>> | HP 5830AF-96G | HP 5830AF-48G |
• Security:
1) Access control lists (ACLs)
2) Port security: allows access only to specified MAC addresses, which can be learned or specified by the
administrator
3) STP BPDU port protection
4) DHCP protection
5) Dynamic ARP protection
6) STP root guard: protects the root bridge from malicious attacks or configuration mistakes
7) Guest VLAN: provides a browser-based environment to authenticated clients that is similar to IEEE 802.1X
8) MAC-based authentication: allows or denies access to the switch based on a client MAC address
9) IP source guard: helps prevent IP spoofing attacks
10) Endpoint Admission Defense (EAD): provides security policies to users accessing a network
11) RADIUS/HWTACACS: eases switch management security administration by using a password authentication
server
• Core, DataCenter | DMZ >>>> | HP 5830AF-96G | HP 5830AF-48G |
• Management, QoS:
1) HP Intelligent Management Center (IMC), SNMP v3, v2, sFlow
• QoS:
1) Traffic policing: supports Committed Access Rate (CAR) and line rate.
2) Powerful QoS feature: creates traffic classes based on access control lists (ACLs),
3) IEEE 802.1p precedence, IP, DSCP, or Type of Service (ToS) precedence;
4) supports filter, redirect, mirror, or remark;
5) supports the following congestion actions: strict priority (SP) queuing,
weighted round robin (WRR), weighted fair queuing (WFQ), weighted random early discard (WRED),
SP+WRR, and SP+WFQ
Advantages of the FWNGN–CHECK-POINT Solution
| 12200 NGNFW x2 | 4800 x1 |
Multi-core security technology, high port density and redundant components; multi-layer security;
load-sharing features in Check Point ClusterXL, with Gaia R77.40
• Performance and Connectivity:
1) 26 10/100/1000Base-T copper ports | 12200 NGNFW
2) 12 1000base-F SFP or 10Gbase-F SFP+ fiber ports | 12200 NGNFW
3) 16 1000Base-T ports and 1.2M concurrent sessions | 4800 NGNFW
4) 14 Gbps in real-world firewall throughput | 12200 NGNFW
5) 3.5 Gbps in real-world IPS throughput | 12200 NGNFW
6) 5.8 Gbps in real-world firewall throughput | 4800 NGNFW
7) Provides up to 1.1 Gbps in real-world IPS throughput | 4800 NGNFW
• Resiliency and high availability:
1) Redundant power supplies
2) Redundant disk drives
3) Lights-Out-Management card, and high availability
4) Load-sharing features in Check Point ClusterXL.
FIREWALL-CORE | DMZ | 12200 NGNFW | 4800 SOFTWARE BLADES
SOFTWARE BLADES:
IPsec VPN Software Blade & Mobile Access Software Blade
Advanced Networking & Clustering Software Blade, multiple remote access VPN connectivity modes +
SSL extender
Check Point Mobile app
Check Point Mobile VPN app
SSL VPN Portal through a browser
SSL Network Extender (SNX) with light-weight, dissolvable client
URL & Application Filtering Software Blade
Next Generation Secure Web Gateway:
URL Filtering | Inspect SSL Encrypted Traffic | Application Control | over 4,800 applications and
240,000 social network widgets with the industry’s largest application coverage. Create granular
security policies based on users or groups to identify, block or limit usage of web applications and
widgets like instant messaging, social networking, video streaming, VoIP, games and more.
Prevents browser and application vulnerability exploits with an optional NSS Labs top-rated IPS.
1) Inspect SSL Encrypted Traffic, UserCheck
2) Inspect SSL Encrypted Traffic + policy enforcement
3) Application Detection and Usage Control
4) Intuitive and insightful granular reports and forensic tools
Identity Awareness Software Blade:
Centrally manage user access to company resources and Internet applications
Granular user-, group- and machine-based visibility and policy enforcement
Easily distinguish between employees and others, i.e., guests and contractors
RADIUS, LDAP, Transparent Kerberos Authentication >>> with RSA SecurID or
working with two or multifactor authentication fro
. Almost free two factor authentication from cat
http://www.megaas.com/index.asp
Check Point 680 Appliances
1GbE LAN Ports | 8 | 8 | 8
1GbE WAN Port | 1 | 1 | 1
1GbE DMZ Port | 1 | 1 | 1
ADSL2/ADSL2+ (Annex A or B) | Optional | Optional | Optional
802.11b/g/n Wireless | Optional | Optional | Optional
Firewall Throughput (Mbps) | 1500
VPN Throughput (Mbps) | 220
Advantages of F5 Solutions
F5 BIG-IP:
F5 TMOS platform provides a unified system for optimal
application delivery, giving you total visibility, flexibility, and control
across all services
LINK CONTROLLER
Performance and Connectivity & HA:
1) Eliminates barriers of multi-homing with BGP
2) Bandwidth scalability
3) Link capacity and throughput
4) High availability; programmable link routing with iRules
5) Integrated rate shaping, optimized TCP performance, compression
F5 BIG IP :
BIG IP DNS –Global Traffic Manager® (GTM BLADE SOFTWARE)
Global application availability and sophisticated health monitoring that
support a wide variety of application types, giving organizations the flexibility to adapt
quickly and stay competitive.
1) Global load balancing—BIG-IP DNS provides comprehensive, high-performance
application management for hybrid environments.
2) Infrastructure monitoring—BIG-IP DNS checks entire infrastructure health, eliminating
single points of failure and routing app traffic away from poorly performing sites.
3) Dynamic ratio load balancing—BIG-IP DNS routes users to the best resource based
on site and network metrics (for example, based on the number of hops between the
client and the local DNS).
4) Wide area persistence—To ensure user connections persist across apps and data
centers, BIG-IP DNS synchronizes data, propagates local DNS, and maintains session
integrity.
5) Geographic load balancing—BIG-IP DNS includes an IP database identifying location
at the continent, country, and state/province level to connect users to the closest app or
service for the best performance.
F5 BIG-IP:
The BIG-IP Application Acceleration Manager® (AAM BLADE SOFTWARE):
BIG-IP AAM overcomes network, protocol, and application issues to help you meet application
performance, data replication, and disaster recovery requirements presented by cloud, mobile applications,
and video distribution. By offloading your network and servers, BIG-IP AAM decreases the need for additional
bandwidth and hardware. Users get fast access to applications.
FEATURES INCLUDE:
1) Pre-defined and generic acceleration policies for ease of configuration
2) Flexible deployment (symmetric and asymmetric)
3) E-commerce stand-in capability, symmetric adaptive compression
4) HTTP 2.0 and SPDY gateways, Bandwidth Controller
5) Dynamic compression, caching compression
6) TCP Express, forward error correction
7) OneConnect, TCP rate pacing
8) MultiConnect
Image optimization, content reordering, dynamic caching/deduplication
Multi-protocol optimizations (HTTP, FTP, MAPI, UDP)
The BIG-IP Local Traffic Manager®
BIG-IP LTM includes static and dynamic load balancing to eliminate single points of failure. Application proxies give
you protocol awareness to control traffic for your most important applications. BIG-IP LTM also tracks the dynamic
performance levels of servers in a group, ensuring that your applications are not just always on, but are easier to
scale and manage.
BIG-IP LTM delivers industry-leading SSL performance and visibility for inbound and outbound traffic, so you can
cost-effectively protect your entire user experience by encrypting everything from the client to the server. It also
defends against potentially crippling DDoS attacks and provides ICAP services for integration with data loss
protection (DLP) and virus protection.
BIG-IP LTM includes:
Offload SSL encryption from data center servers, free up resources, Round Robin mode, Static Persist mode
1) Using dynamic load balancing mode
2) Ratio mode
3) Round Robin mode
4) Persist mode
BIG-IP LTM TOOLS:
1) iRules for data plane programmability
2) iCall for event-based control-plane scripting
3) iApps for app-level config management and deployment
4) iControl for Management API (SOAP, REST)
5) iCheck for programmable monitors
The Application Security Manager: Web Application Firewall®
BIG-IP Application Security Manager (ASM) enables organizations to protect
against OWASP top 10 threats, application vulnerabilities, and zero-day attacks.
Leading Layer 7 DDoS defenses, detection and mitigation techniques, virtual patching,
and granular attack visibility thwart even the most sophisticated threats before they reach your servers.
BIG-IP ASM also enables compliance with key regulatory standards like HIPAA and PCI DSS.
With BIG-IP ASM, organizations gain the flexibility they need to deploy Web Application Firewall (WAF)
services close to apps to protect them wherever they reside: within a virtual software-defined data center
(SDDC), managed cloud service environment, public cloud, or traditional data center.
on-premises web application firewall (WAF)
, web scraping, and brute force attacks before they occur.
1) Track malicious user attempts
2) Enforce geolocation-based blocking
3) In-depth forensic analysis and database security
4) SQL injection
5) XSS scripting
6) Works together with IBM® InfoSphere® Guardium®
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0/28.html
Advantages of Wireless HP Solutions
HP 830 8-port PoE+ Unified Wired-WLAN Switch
Performance And Connectivity:
1) (8) RJ-45 auto-negotiating 10/100/1000 PoE+ ports
2) (2) SFP dual-personality 1000 Mbps ports
Resiliency and high availability:
supports N+1 and N+N backup
The HP 830 Unified Wired-WLAN Switch Series supports up to 60 APs
Enterprise network management
HP Intelligent Management Center (IMC) platform software and the HP IMC
Wireless Services Manager Software Module, which effectively integrate traditionally disparate
management tools into one easy-to-use interface
• Secure controller management
manages the controller securely from a single location with IMC or any other SNMP management
station; controller supports SNMPv3 as well as SSHv2 and SSL for secure CLI and Web
management; console port is available as a pass-through to the switch console function
HP 830 8-port PoE+ Unified Wired-WLAN Switch
Performance and Connectivity:
Wi-Fi Clear Connect:
1) Advanced radio resource management
2) Automatic radio channel
3) Intelligent client load balancing
4) Airtime fairness
• Spectrum analysis
• Evaluation of channel quality
• Band Navigation
• Support for environments using Bonjour services
• AP Plug and Play (PnP)
Flexible forwarding modes:
Supports both distributed and centralized forwarding modes.
1) In a wireless network using centralized forwarding, all wireless traffic is sent to the HP 830 Unified
Wired-WLAN Switch for processing.
2) If the distributed mode is configured, authenticated clients can continue to access
local resources in the event that connectivity to the HP 830 Unified Wired-WLAN Switch is lost.
HP 525 802.11ac(IL) Dual Radio Access Point Series
Performance and Connectivity:
1) Two spatial stream MIMO technology: provides the latest in Wi-Fi technology, which allows for 866 Mbps in
the 5 GHz frequency band and 300 Mbps in the 2.4 GHz band of signaling.
2) Band steering: redirects 5 GHz-capable clients automatically to the less-congested 5 GHz spectrum.
3) HP 525 embedded antennas: provide excellent coverage through use of embedded high-gain antennas (4
dBi antenna at 2.4 GHz and 5 dBi antenna at 5 GHz); no need for the added cost of external antennas.
4) Anywhere, anytime wireless coverage: dual-radio IEEE 802.11b/g/n and 802.11a/n/ac access point; per-radio
software-selectable configuration of frequency bands; self-healing, self-optimizing local mesh that extends
network availability; Wi-Fi Alliance certifications for interoperability with all IEEE 802.11a/b/g/n/ac client
devices.
Security:
1) AP client access control functions: offers IEEE 802.1X authentication using EAP-SIM, EAP-FAST, EAP-TLS,
EAP-TTLS, and PEAP
2) Delivers MAC address authentication using local or RADIUS access lists
3) Provides RADIUS AAA using EAP-MD5, PAP, CHAP, and MS-CHAPv2
4) Supports RADIUS Client (RFC 2865 and 2866) with location-aware support
5) Provides Layer 2 wireless client isolation.
6) Integrated IDS support: automated AP and client classification >> helps identify the rogue device location
7) Choice of IEEE 802.11i, WPA2, or WPA
8) TKIP/WEP encryption
9) Local wireless bridge client traffic filtering
Additional Recommendations That Can Be Implemented in Phase 2
• Upgrading of the virtual server system to vCenter Version 5.5, and the implementation of a dual
connection of vSwitch, for the survivability of each virtual machine.
• Upgrading vSwitch to DVS, faster implementation of network services and adding additional data
security capabilities, as well as segmentation of virtual machines.
• Upgrading to Version 6, preparing the infrastructure for migration to a cloud in the future, including
micro-segmentation and implementing information security services from the VMware ecosystem,
transferring the DR servers from an integrated topology of Hybrid Cloud to a cloud of VMware, Bezeq
International, IBM, Triple C, Cellcom.
• After the successful implementation of the F5 GTM and construction of a VMware-based system, the
Haifa server site (the DR site) can easily be transferred to another location in the cloud.
• At the stage of the initial examination, it was found that the existing storage solution satisfies the IT
staff as well, in terms of Capacity Plan Sizing, I/O, and latency.
Full Disclosure:
1. The company CyberMonday doesn’t really exist - the name of the company for which the solution was
designed and implemented has not been publicized, for the purposes of client confidentiality, maintaining
data security, and discretion.
2. The solution that was laid out in the framework of the presentation was done as part of an initial survey of
the site—and constitutes a foundation for the work program of the organization's Information Systems
Division.
3. In the framework of the solution, a number of alternatives were suggested to the client on the basis of the
technology of Juniper, Cisco, Fortinet and Palo Alto. However, for reasons of cost-benefit considerations, as
well as maintaining the investment in existing technologies at the client's site, and the relevant skills and
knowledge of the IT staff in the division, the solutions were selected on the basis of the manufacturers that
were described.
4. Also in the framework of the solution, a number of technologies were suggested to the client, including a
Web Security firewall, Sandbox, mail security and SAS based on the Microsoft Cloud Accelerate plan, as well as
Arbor Networks' Anti-DDoS solution.
5. The Haifa site serves also as a DR site, as well as a branch housing 60 personnel. In accordance with the
business plan of the company, at a certain stage, the servers will be moved from the site, and only
employees will remain at the branch—a savings in overhead costs due to real estate, electricity and the
company's ongoing operating expenses.
Thank You!
Chen Shefer
Communications & Cyber Security Architect


Example of One of my Designs for Cyber & Networking Solutions for Customers from chen sheffer

  • 2. Communications Solution and Upgrading the Network = Meeting Business Objectives 1. The company CyberMonday is a E-Commerce company, whose services are deployed in a total of five sites: 3 overseas, and 2 main sites in Israel. The majority of the company’s revenue comes from marketing and selling products on-line over the Internet, as well as from sales by 20 mobile sales personnel. 2. The company CyberMonday is listed on the stock exchange in accordance with provisions of the Board of Managers of the company, and is subject to financial market regulation by law. It is therefore obligated to meet one or more of the following standards: ISO27001 Sarbanes-Oxley A Payment Card Industry Data Security Standards version 3. The current structure of the network is as follows: a. A single internet link to Cellcom 013 b. There is a CP 4800 FW at the Tel Aviv and Haifa sites. c. At the main site and at the DR site, there is a DC, which includes 4 physical servers. At the two sites, there is VNX 5400 storage. d. The company has 3 other sites, each with 20 users, that are connected via CheckPoint S-Boxes. e. At the main site, as well as a the DR site, there are 60 users, all of whom are connected by means of a 10/100 connection to a flat network. f. There is a Cisco Call Manager telephony system at all sites, with an external power supply to the telephones. 2
  • 3. 33 Schematic of the Network—Current Situation Communications Network and Information Security
  • 4. Weaknesses and Problems with the Current Situation
      • Most of the company's revenue comes from online servers that are connected to the Internet, but the company has one Internet connection without a backup. In case of a malfunction or the phone line crashing, the sales staff will also be unable to connect to the servers, and all the sites around the world will be cut off from the main site. There will also be no Internet connection, which means low availability of services and loss of revenue.
      • All the company's employees are connected via communications interfaces working at a rate of 10/100 MB. Even when the servers are connected at a speed of 1000 MB, communication is adapted to work with network interfaces at a rate of 100 MB at best, so the result is slower applications, low availability of services, and loss of revenue.
      • The company has no VLAN division or segmentation. Users and servers essentially sit in the same broadcast domain, which slows the network and invites hacking. The results are slow applications, low availability of services, loss of revenue, data theft by competitors, and exposure of the company's databases to all comers, which damages the company's reputation.
      • The existing network and all its components work without survivability. A collapse of one of the network components due to a power outage or malfunction can cause a complete shutdown of the network's services in the company. The results are slow applications, low availability of services, and loss of revenue.
      • The server farm at the main site, as well as at the DR site, is protected by a single firewall, which cannot prevent the wide variety of cyber threats that exist today, such as SQL injection, cross-site scripting (XSS), and account hijacking.
      • It takes a long time to introduce new services to the company, in terms of time to market, on the basis of the existing farm. It is possible to cut that time in half, and in the competitive market in which the company operates it is vital to shorten the time it takes to introduce new services.
  • 5. Weaknesses of the Current Situation
  • 6. Schematic of the Proposed HP, CP, F5 Equipment-Based Solution: Confidentiality, Integrity and Availability (CIA)
  • 7. Advantages of the HP Communications Solution
      Access (concentrations of users): HP 2920-48G-PoE+ 740W | HP 2920-48G-PoE+
      Advantages:
      • Performance and connectivity:
          1) 48 ports 10/100/1000 Mb PoE+, with an optional two-port stacking module.
          2) Throughput 130.9 million pps; switching capacity 176 Gb.
          3) Up to four optional 10 Gigabit ports (SFP+ and/or 10GBASE-T).
      • Resiliency and high availability:
          1) Allows stacking of up to 4 switch units into a single virtual device.
          2) Multiple Spanning Tree Protocol (IEEE 802.1s): offers high link availability in multiple-VLAN environments by allowing multiple spanning trees, and provides legacy support for IEEE 802.1d and IEEE 802.1w.
          3) IEEE 802.3ad (LACP) and HP port trunking.
          4) SmartLink: provides easy-to-configure link redundancy of active and standby links.
          5) Dual flash images: provide independent primary and secondary operating system files for backup while upgrading.
      • OpenFlow SDN ready
      • Limited Lifetime Warranty 2.0 with 3 years of 24x7 phone support
  • 8. Advantages of the HP Communications Solution
      Access (concentrations of users): HP 2920-48G-PoE+ 740W | HP 2920-48G-PoE+
      | 168 Port Haifa | 192 |
      Advantages:
      • Convergence, security:
          1) IEEE 802.1AB LLDP, IEEE 802.3at dynamic, for , IEEE 802.3af device class, or user
          2) IEEE 802.3at (PoE+) 30 W per port; IEEE 802.3af 15.4 W
          3) 802.1X, multi-user authentication, MAC-based authentication, ACL …, Dynamic ARP protection
      • Layer 2, 3:
          1) IEEE 802.1s Multiple Spanning Tree
          2) IEEE 802.3ad Link Aggregation Control Protocol (LACP) and HP port trunking
          3) VLAN support and tagging: supports IEEE 802.1Q (4,094
          4) Rapid Per-VLAN Spanning Tree (RPVST+)
          5) Static IP routing, including ECMP capability; Routing Information Protocol (RIP) provides RIPv1 and RIPv2 routing
      • Management:
          1) HP Intelligent Management Center (IMC), SNMP v3, v2, sFlow
  • 9. Advantages of the HP Communications Solution
      Core, Data Center | Top-of-rack: HP 5830AF-96G | HP 5830AF-48G
      • Performance and connectivity:
          1) 96 RJ-45 autosensing 10/100/1000 ports; 10 fixed 1000/10000 SFP+ ports | HP 5830AF-96G
          2) 48 RJ-45 autosensing 10/100/1000 ports; 2 dual-personality ports (auto-sensing 10/100/1000Base-T or SFP); 2 fixed 1000/10000 SFP+ ports; 1 extended module slot
          3) Throughput 291.6 Mpps (64-byte packets); switching capacity 392 Gbps | HP 5830AF-96G
          4) Throughput 119 Mpps (64-byte packets); switching capacity 160 Gbps | HP 5830AF-48G
          5) Jumbo frames
      • Limited Lifetime Warranty 2.0 with 3 years of 24x7 phone support
      • HP FlexNetwork Architecture's HP FlexFabric solution module.
  • 10. Advantages of the HP Communications Solution
      • Resiliency and high availability:
          1) HP Intelligent Resilient Fabric (IRF): creates virtual resilient switching fabrics, where two or more switches perform as a single L2 switch and L3 router; switches do not have to be co-located and can be part of a disaster recovery system; servers or switches can be attached using standard LACP for automatic load balancing and high availability.
          2) Rapid Ring Protection Protocol (RRPP): ring 200 ms,
          3) Smart Link: allows 200 ms failover between links.
          4) Redundant hot-swappable AC or DC power and fans: supports front-to-back or back-to-front airflow for hot/cold aisles, rear rackmounts, and
          5) Device Link Detection Protocol (DLDP)
  • 11. Advantages of the HP Communications Solution
      Core, Data Center | DMZ: HP 5830AF-96G | HP 5830AF-48G
      • Security:
          1) Access control lists (ACLs)
          2) Port security: allows access only to specified MAC addresses, which can be learned or specified by the administrator
          3) STP BPDU port protection
          4) DHCP protection
          5) Dynamic ARP protection
          6) STP root guard: protects the root bridge from malicious attacks or configuration mistakes
          7) Guest VLAN: provides a browser-based environment to authenticated clients that is similar to IEEE 802.1X
          8) MAC-based authentication: allows or denies access to the switch based on a client MAC address
          9) IP source guard: helps prevent IP spoofing attacks
          10) Endpoint Admission Defense (EAD): provides security policies to users accessing a network
          11) RADIUS/HWTACACS: eases switch management security administration by using a password authentication server
  • 12. Advantages of the HP Communications Solution
      Core, Data Center | DMZ: HP 5830AF-96G | HP 5830AF-48G
      • Management:
          1) HP Intelligent Management Center (IMC), SNMP v3, v2, sFlow
      • QoS:
          1) Traffic policing: supports Committed Access Rate (CAR) and line rate.
          2) Powerful QoS feature: creates traffic classes based on access control lists (ACLs), IEEE 802.1p precedence, IP, DSCP, or Type of Service (ToS) precedence.
          3) Supports filter, redirect, mirror, or remark.
          4) Supports the following congestion actions: strict priority (SP) queuing, weighted round robin (WRR), weighted fair queuing (WFQ), weighted random early discard (WRED), SP+WRR, and SP+WFQ.
  • 13. Advantages of the FWNGN–CHECK-POINT Solution
      Multi-core security technology, high port density and redundant components; multilayer security; load-sharing features in Check Point ClusterXL, with Gaia R77.40 | 12200 NGNFW x2 | 4800 x1 |
      • Performance and connectivity:
          1) 26 10/100/1000Base-T copper ports | 12200 NGNFW
          2) 12 1000Base-F SFP or 10GBase-F SFP+ fiber ports | 12200 NGNFW
          3) 16 1000Base-T ports and 1.2M concurrent sessions | 4800 NGNFW
          4) 14 Gbps in real-world firewall throughput | 12200 NGNFW
          5) 3.5 Gbps in real-world IPS throughput | 12200 NGNFW
          6) 5.8 Gbps in real-world firewall throughput | 4800 NGNFW
          7) Provides up to 1.1 Gbps in real-world IPS throughput | 4800 NGNFW
      • Resiliency and high availability:
          1) Redundant power supplies
          2) Redundant disk drives
          3) Lights-Out-Management card, and high availability
          4) Load-sharing features in Check Point ClusterXL
  • 14. Advantages of the FWNGN–CHECK-POINT Solution
      SOFTWARE BLADES: FIREWALL-CORE | DMZ | 12200 NGNFW | 4800
      • IPsec VPN Software Blade, Mobile Access Software Blade, and Advanced Networking & Clustering Software Blade. Multiple remote access VPN connectivity modes + SSL extender:
          - Check Point Mobile app
          - Check Point Mobile VPN app
          - SSL VPN Portal through a browser
          - SSL Network Extender (SNX) with light-weight, dissolvable client
      • URL & Application Filtering Software Blade. Next Generation Secure Web Gateway: URL Filtering | Inspect SSL Encrypted Traffic | Application Control | over 4,800 applications and 240,000 social network widgets, with the industry's largest application coverage. Create granular security policies based on users or groups to identify, block or limit usage of web applications and widgets like instant messaging, social networking, video streaming, VoIP, games and more. Prevents browser and application vulnerability exploits with an optional NSS Labs top-rated IPS.
          1) Inspect SSL encrypted traffic, UserCheck
          2) Inspect SSL encrypted traffic + policy enforcement
          3) Application detection and usage control
          4) Intuitive and insightful granular reports and forensic tools
      • Identity Awareness Software Blade:
          - Centrally manage user access to company resources and Internet applications
          - Granular user-, group- and machine-based visibility and policy enforcement
          - Easily distinguish between employees and others, i.e., guests and contractors
          - RADIUS, LDAP, transparent Kerberos authentication >>> with RSA SecurID or working with two or multifactor authentication fro . Almost free two factor authentication from cat http://www.megaas.com/index.asp
  • 15. Advantages of the FWNGN–CHECK-POINT Solution
      Check Point 680 Appliances
          1GbE LAN Ports: 8 | 8 | 8
          1GbE WAN Port: 1 | 1 | 1
          1GbE DMZ Port: 1 | 1 | 1
          ADSL2/ADSL2+ (Annex A or B): Optional | Optional | Optional
          802.11b/g/n Wireless: Optional | Optional | Optional
          Firewall Throughput (Mbps): 1500
          VPN Throughput (Mbps): 220
  • 16. Advantages of F5 Solutions
      F5 BIG-IP: the F5 TMOS platform provides a unified system for optimal application delivery, giving you total visibility, flexibility, and control across all services.
      LINK CONTROLLER
      Performance and connectivity & HA:
          1) Eliminates barriers of multi-homing with BGP
          2) Bandwidth scalability
          3) Link capacity and throughput
          4) High availability
          5) Programmable link routing with iRules
          6) Integrated rate shaping, optimized TCP performance, compression
  • 17. Advantages of F5 Solutions
      F5 BIG-IP: BIG-IP DNS, Global Traffic Manager® (GTM BLADE SOFTWARE)
      Global application availability and sophisticated health monitoring that support a wide variety of application types, giving organizations the flexibility to adapt quickly and stay competitive.
          1) Global load balancing: BIG-IP DNS provides comprehensive, high-performance application management for hybrid environments.
          2) Infrastructure monitoring: BIG-IP DNS checks entire infrastructure health, eliminating single points of failure and routing app traffic away from poorly performing sites.
          3) Dynamic ratio load balancing: BIG-IP DNS routes users to the best resource based on site and network metrics (for example, based on the number of hops between the client and the local DNS).
          4) Wide area persistence: to ensure user connections persist across apps and data centers, BIG-IP DNS synchronizes data, propagates local DNS, and maintains session integrity.
          5) Geographic load balancing: BIG-IP DNS includes an IP database identifying location at the continent, country, and state/province level to connect users to the closest app or service for the best performance.
  • 18. Advantages of F5 Solutions
      F5 BIG-IP: the BIG-IP Application Acceleration Manager® (AAM BLADE SOFTWARE)
      AAM overcomes network, protocol, and application issues to help you meet application performance, data replication, and disaster recovery requirements presented by cloud, mobile applications, and video distribution. By offloading your network and servers, BIG-IP AAM decreases the need for additional bandwidth and hardware. Users get fast access to applications.
      Features include:
          1) Pre-defined and generic acceleration policies for ease of configuration
          2) Flexible deployment (symmetric and asymmetric)
          3) E-commerce stand-in capability, symmetric adaptive compression
          4) HTTP 2.0 and SPDY gateways, Bandwidth Controller
          5) Dynamic compression, caching compression
          6) TCP Express, forward error correction
          7) OneConnect, TCP rate pacing, image optimization, content reordering, dynamic caching/deduplication, multi-protocol optimizations (HTTP, FTP, MAPI, UDP)
          8) MultiConnect
  • 19. Advantages of F5 Solutions
      The BIG-IP Local Traffic Manager®
      BIG-IP LTM includes static and dynamic load balancing to eliminate single points of failure. Application proxies give you protocol awareness to control traffic for your most important applications. BIG-IP LTM also tracks the dynamic performance levels of servers in a group, ensuring that your applications are not just always on, but are easier to scale and manage.
      BIG-IP LTM delivers industry-leading SSL performance and visibility for inbound and outbound traffic, so you can cost-effectively protect your entire user experience by encrypting everything from the client to the server. It also defends against potentially crippling DDoS attacks and provides ICAP services for integration with data loss protection (DLP) and virus protection.
      BIG-IP LTM includes: offloading SSL encryption from data center servers to free up resources, Round Robin mode, Static Persist mode
          1) Using dynamic load balancing mode
          2) Ratio mode
          3) Round Robin mode
          4) Persist mode
      BIG-IP LTM tools:
          1) iRules for data plane programmability
          2) iCall for event-based control-plane scripting
          3) iApps for app-level config management and deployment
          4) iControl for management API (SOAP, REST)
          5) iCheck for programmable monitors
  • 20. Advantages of F5 Solutions
      The Application Security Manager, Web Application Firewall®
      BIG-IP Application Security Manager (ASM) enables organizations to protect against OWASP Top 10 threats, application vulnerabilities, and zero-day attacks. Leading Layer 7 DDoS defenses, detection and mitigation techniques, virtual patching, and granular attack visibility thwart even the most sophisticated threats before they reach your servers. BIG-IP ASM also enables compliance with key regulatory standards like HIPAA and PCI DSS.
      With BIG-IP ASM, organizations gain the flexibility they need to deploy Web Application Firewall (WAF) services close to apps to protect them wherever they reside: within a virtual software-defined data center (SDDC), managed cloud service environment, public cloud, or traditional data center.
      On-premises web application firewall (WAF), web scraping, and brute force attacks before they occur.
          1) Track malicious user attempts
          2) Enforce geolocation-based blocking
          3) In-depth forensic analysis and database security
          4) SQL injection
          5) Cross-site scripting (XSS)
          6) Works together with IBM® InfoSphere® Guardium®: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-4-0/28.html
  • 21. Advantages of Wireless HP Solutions
      HP 830 8-port PoE+ Unified Wired-WLAN Switch
      • Performance and connectivity:
          1) (8) RJ-45 auto-negotiating 10/100/1000 PoE+ ports
          2) (2) SFP dual-personality 1000 Mbps ports
      • Resiliency and high availability: supports N+1 and N+N backup. The HP 830 Unified Wired-WLAN Switch Series supports up to 60 APs.
      • Enterprise network management: HP Intelligent Management Center (IMC) platform software and the HP IMC Wireless Services Manager Software Module, which effectively integrate traditionally disparate management tools into one easy-to-use interface.
      • Secure controller management: manages the controller securely from a single location with IMC or any other SNMP management station; the controller supports SNMPv3 as well as SSHv2 and SSL for secure CLI and Web management; the console port is available as a pass-through to the switch console function.
  • 22. Advantages of Wireless HP Solutions
      HP 830 8-port PoE+ Unified Wired-WLAN Switch
      • Performance and connectivity, Wi-Fi Clear Connect:
          1) Advanced radio resource management
          2) Automatic radio channel
          3) Intelligent client load balancing
          4) Airtime fairness
      • Spectrum analysis
      • Evaluation of channel quality
      • Band Navigation
      • Support for environments using Bonjour services
      • AP Plug and Play (PnP)
      • Flexible forwarding modes: supports both distributed and centralized forwarding mode in a wireless network.
          1) With centralized forwarding, all wireless traffic is sent to the HP 830 Unified Wired-WLAN Switch for processing.
          2) If the distributed mode is configured, authenticated clients can continue to access local resources in the event that connectivity to the HP 830 Unified Wired-WLAN Switch is lost.
  • 23. Advantages of Wireless HP Solutions
      HP 525 802.11ac (IL) Dual Radio Access Point Series
      • Performance and connectivity:
          1) Two spatial stream MIMO technology: provides the latest in Wi-Fi technology, which allows for 866 Mbps in the 5 GHz frequency band and 300 Mbps in the 2.4 GHz band of signaling.
          2) Band steering: redirects 5 GHz-capable clients automatically to the less-congested 5 GHz spectrum.
          3) HP 525 embedded antennas: provide excellent coverage through use of embedded high-gain antennas (4 dBi antenna at 2.4 GHz and 5 dBi antenna at 5 GHz); no need for the added cost of external antennas.
          4) Anywhere, anytime wireless coverage: dual-radio IEEE 802.11b/g/n and 802.11a/n/ac access point; per-radio software-selectable configuration of frequency bands; self-healing, self-optimizing local mesh that extends network availability; Wi-Fi Alliance certifications for interoperability with all IEEE 802.11a/b/g/n/ac client devices.
      • Security:
          1) AP client access control functions: offers IEEE 802.1X authentication using EAP-SIM, EAP-FAST, EAP-TLS, EAP-TTLS, and PEAP
          2) Delivers MAC address authentication using local or RADIUS access lists
          3) Provides RADIUS AAA using EAP-MD5, PAP, CHAP, and MS-CHAPv2
          4) Supports RADIUS Client (RFC 2865 and 2866) with location-aware support
          5) Provides Layer 2 wireless client isolation
          6) Integrated IDS support: automated AP and client classification; helps identify the rogue device location
          7) Choice of IEEE 802.11i, WPA2, or WPA
          8) TKIP/WEP encryption
          9) Local wireless bridge client traffic filtering
  • 24. Additional Recommendations That Can Be Implemented in Phase 2
      • Upgrading of the virtual server system to vCenter Version 5.5, and the implementation of a dual connection of vSwitch, for the survivability of each virtual machine.
      • Upgrading vSwitch to DVS, for faster implementation of network services and additional data security capabilities, as well as segmentation of virtual machines.
      • Upgrading to Version 6, preparing the infrastructure for migration to a cloud in the future, including micro-segmentation and implementing information security services from the VMware ecosystem, transferring the DR servers from an integrated topology of Hybrid Cloud to a cloud of VMware, Bezeq International, IBM, Triple C, Cellcom.
      • After the successful implementation of the F5 GTM and construction of a VMware-based system, it is possible to easily transfer the Haifa server site (the DR site) to another location in the cloud.
      • At the stage of the initial examination, it was found that the existing storage solution satisfies the IT staff as well, in terms of Capacity Plan Sizing, I/O, and latency.
  • 25. Full Disclosure:
      1. The company CyberMonday doesn't really exist. The name of the company for which the solution was designed and implemented has not been publicized, for the purposes of client confidentiality, maintaining data security, and discretion.
      2. The solution that was laid out in the framework of the presentation was done as part of an initial survey of the site, and constitutes a foundation for the work program of the organization's Information Systems Division.
      3. In the framework of the solution, a number of alternatives were suggested to the client on the basis of the technology of Juniper, Cisco, Fortinet, and Palo Alto. However, for reasons of cost-benefit considerations, as well as maintaining the investment in existing technologies at the client's site, and the relevant skills and knowledge of the IT staff in the division, the solutions were selected on the basis of the manufacturers that were described.
      4. Also in the framework of the solution, a number of technologies were suggested to the client, including a Web Security firewall, Sandbox, mail security and SAS based on the Microsoft Cloud Accelerate plan, as well as Arbor Network's Anti-DDoS solution.
      5. The Haifa site also serves as a DR site, as well as a branch housing 60 personnel. In accordance with the business plan of the company, at a certain stage, the servers will be moved from the site, and only employees will remain at the branch, a savings in overhead costs due to real estate, electricity and the company's ongoing operating expenses.
  • 26. Thank You! Chen Shefer, Communications & Cyber Security Architect