Tuesday, 30 April 2024

TS FTD like TAC

 https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC-3004.pdf


system support trace (FTD CLI command for tracing a flow through the Snort engine)

Wednesday, 3 April 2024

network design ideas

Just writing down some ideas

Dual internet connection with failover (wired plus radio/4G is best, but also the most expensive)
Newer network hardware often has dual-WAN support and handles failover for you
Larger enterprises may want to advertise the same public range via BGP from both HQ and the DR site
Alternatively two public IP ranges with dynamic DNS, or a script that updates DNS records during failover (keep TTLs short or the failover is invisible to clients)
OOB management (Opengear console servers etc.)
Redundancy starting at the SAN
Rule of thumb: two of everything for infrastructure (apps may need three or more: pri/sec/test etc.)
Need an MPLS or L2 site link between HQ and DR for failover, VMware, SAN replication, backups etc.
HA firewall pair with SSL decryption, IPS and AV enabled
HA switching: one stack, or two smaller stacks with HSRP/VRRP, or go L3 switching and let routing protocols handle HA
VLANs/networks: LAN, WIFI, DMZ, DB, APP, VOICE, RSPAN, OOBMGMT, BACKUPS, MONITORING, 3RDPARTY-ACCESS
Off-site (cloud) backups, or tapes taken off site. Backups should be immutable. Follow 3-2-1 (three copies, two media, one off site)
Monitoring, graphing and alerting: PRTG, NetFlow, SNMP
Security monitoring from the network/firewall and from the endpoint
NTP server
TFTP server
syslog (syslog-ng)
config backup 
RADIUS and MFA (Duo) where possible
DNS protection: OpenDNS (Cisco Umbrella) or DNSFilter
Either NAT all outbound DNS to the Umbrella VAs, or block all other outbound DNS on the firewall so clients cannot bypass them
IPS on edge firewalls
SIEM: Security Onion (needs lots of resources)
Nessus scans of internal and external IPs
Email security with SPF, DKIM, DMARC etc.

Multiple DMZs, or private VLANs within the DMZ; alternatively consider a reverse proxy in front of internal services for extra security
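The "NAT all DNS to the VAs or block other DNS on the firewall" item above pairs naturally with the NetFlow/security-monitoring items: once the rule is in place you want to see who is still trying to go around it. This is an added example, not from the post or from Cisco: it encodes the intended egress policy as an ordered rule list and audits a constructed NetFlow-style export against it. The VA addresses (10.10.10.53/54), the LAN range (10.0.0.0/8) and the ports the VAs are allowed to use upstream are assumptions for the example; take the real upstream ports the VAs need from the Umbrella documentation.

```python
import ipaddress
from dataclasses import dataclass

# Addressing assumed for this example (not from the post): internal Umbrella
# virtual appliances, the public Umbrella/OpenDNS resolvers, and the LAN range.
UMBRELLA_VAS = {"10.10.10.53", "10.10.10.54"}
UMBRELLA_ANYCAST = {"208.67.222.222", "208.67.220.220"}
LAN = ipaddress.ip_network("10.0.0.0/8")
# Plain DNS and DNS-over-TLS. DoH rides on 443 and is invisible to a port-based
# rule; it needs a resolver hostname/SNI list or the DNS provider's own DoH block.
DNS_PORTS = {53, 853}

# Intended egress policy, first match wins, in the order you would write it on
# the firewall. src/dst are a set of addresses, "lan" (any LAN address) or "any".
# The upstream ports for the VAs are an assumption here (see lead-in).
RULES = [
    ("va-to-umbrella", UMBRELLA_VAS, UMBRELLA_ANYCAST, DNS_PORTS, "allow"),
    ("lan-to-va",      "lan",        UMBRELLA_VAS,     {53},      "allow"),
    ("deny-other-dns", "lan",        "any",            DNS_PORTS, "deny"),
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts,src,dst,proto,dport' line from a NetFlow/firewall export."""
    ts, src, dst, proto, dport = (f.strip() for f in line.split(","))
    return Flow(ts, src, dst, proto.upper(), int(dport))


def addr_matches(addr: str, spec) -> bool:
    if spec == "any":
        return True
    if spec == "lan":
        return ipaddress.ip_address(addr) in LAN
    return addr in spec


def match_rule(flow: Flow):
    """Return (rule name, action) of the first matching rule.

    Non-DNS traffic is outside this policy and falls through to the default."""
    for name, src, dst, ports, action in RULES:
        if flow.dport in ports and addr_matches(flow.src, src) and addr_matches(flow.dst, dst):
            return name, action
    return "default", "allow"


def find_dns_bypass(lines):
    """Flows the policy denies: clients (or VAs) resolving somewhere other than intended."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        name, action = match_rule(flow)
        if action == "deny":
            findings.append((flow, name))
    return findings


# Constructed sample export for the example, not real traffic.
SAMPLE_FLOWS = """\
# ts,src,dst,proto,dport
2024-04-03T09:00:01,10.20.30.40,10.10.10.53,UDP,53
2024-04-03T09:00:02,10.10.10.53,208.67.222.222,UDP,53
2024-04-03T09:00:03,10.20.30.41,8.8.8.8,UDP,53
2024-04-03T09:00:04,10.20.30.42,1.1.1.1,TCP,853
2024-04-03T09:00:05,10.20.30.40,93.184.216.34,TCP,443
2024-04-03T09:00:06,10.10.10.54,9.9.9.9,UDP,53
"""

if __name__ == "__main__":
    for flow, rule in find_dns_bypass(SAMPLE_FLOWS.splitlines()):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} hit {rule}")
```

Three of the six sample flows are flagged: two LAN clients talking to public resolvers (one of them over DNS-over-TLS on 853) and a VA forwarding to an unexpected upstream. Keeping the rule list in one place lets the same ordering serve as the firewall change request and as the audit the SIEM or a cron job runs over exported flows.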
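For the email security item (SPF, DKIM, DMARC) the question in practice is not whether records exist but whether they enforce anything. The following is an added example, not from the post: it assesses an SPF record and a DMARC record for the weaknesses that usually get missed (a neutral or permissive "all", more than ten lookup terms, p=none, a weaker subdomain policy, partial pct, no reporting address). The records and the example.com domain are constructed for the example. DKIM is not covered because its records live under selectors you have to already know; check those per sending system.

```python
import re

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 (limit of 10;
# 'exp' is not counted).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def spf_findings(record: str):
    """Assess one SPF TXT record. Returns a list of (severity, message)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "SPF: no valid v=spf1 record, receivers cannot check the envelope sender")]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208: a missing qualifier means Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    findings = []
    if lookups > 10:
        findings.append(("high", f"SPF: {lookups} lookup terms exceeds the limit of 10, receivers return permerror"))
    if all_qualifier is None:
        findings.append(("medium", "SPF: no 'all' mechanism, unlisted senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(("high", "SPF: '+all' authorises every host on the internet"))
    elif all_qualifier == "?":
        findings.append(("high", "SPF: '?all' is neutral, effectively no policy"))
    elif all_qualifier == "~":
        findings.append(("low", "SPF: '~all' softfail; use '-all' once every legitimate sender is listed"))
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str):
    """Assess one DMARC TXT record (the _dmarc.<domain> TXT). Returns (severity, message) tuples."""
    tags = parse_dmarc(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return [("high", "DMARC: no valid v=DMARC1 record, SPF/DKIM failures are not enforced")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("high", "DMARC: p=none is monitoring only, spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("medium", "DMARC: p=quarantine, move to p=reject once reports look clean"))
    elif policy != "reject":
        findings.append(("high", f"DMARC: missing or invalid policy p={policy!r}"))
    rank = {"none": 0, "quarantine": 1, "reject": 2}
    subpolicy = tags.get("sp", policy).lower()    # sp defaults to p when absent
    if rank.get(subpolicy, 0) < rank.get(policy, 0):
        findings.append(("medium", f"DMARC: subdomain policy sp={subpolicy} is weaker than p={policy}"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(("medium", f"DMARC: pct={tags.get('pct')} applies the policy to only part of failing mail"))
    if "rua" not in tags:
        findings.append(("low", "DMARC: no rua= address, you receive no aggregate reports"))
    return findings


def assess_domain(spf_record: str, dmarc_record: str):
    """Combine SPF and DMARC findings, highest severity first."""
    findings = spf_findings(spf_record) + dmarc_findings(dmarc_record)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed records for example.com, before and after tightening.
WEAK_SPF = "v=spf1 a mx include:_spf.example.net ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
GOOD_SPF = "v=spf1 include:_spf.example.net -all"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("good", GOOD_SPF, GOOD_DMARC)):
        print(label, assess_domain(spf, dmarc) or "no findings")
```

Run it against the real records (dig TXT example.com and dig TXT _dmarc.example.com) and fix the high findings first; p=none is the usual one, and it means the SPF and DKIM work is doing nothing at the receiving end.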