Corporation Network Help

Adigo

For class we have to upgrade an imaginary law firm network. We are allowed to get suggestions from any source. The assignment doesn't specify the existing hardware or budget. We have three large sites (Denver, Chicago, and New York), and 10 small remote sites. This is what we currently have. Any suggestions and/or tips are appreciated.

1. Dedicated T1 backbone between Denver, Chicago, New York.
2. The 10 small remote sites will use local DSL and be able to remote to our main offices.
3. Each workstation will be using Windows XP (IPs controlled/set remotely)
4. Server/s will be blade systems with backup hardware. We'll have weekly backups.
5. We will have battery power backups for the server/s.
6. Server/s will be running Windows Server 2008.

We are currently looking into firewall solutions for security as well if necessary. Not sure how secure the remote access will be. Any tips?
 

ViviTheMage

Site to site VPN with your DSL connections, and MPLS cloud with those T1's.

DHCP server at each branch, one WAN point at one of the larger sites...so all traffic is logged/tagged/websensed/firewalled...that way you have ONE firewall to manage, and just the routers/servers. Unless you get some sort of WAN accelerators to optimize traffic (if you needed it), and get rid of servers at branches and use DHCP on Cisco routers...granted those little T1's would get beat pretty good with those bigger DSL lines. Might consider a T3 as your backbone...and 10+MB for fiber to the net at your largest branch.
 

Jamsan

For backups, weekly is far too little. Consider weekly fulls with daily differentials (easier to restore). If you have to get specific, include a disk-to-disk-to-tape solution (backup to disk first - faster/cheaper to backup/restore from and then to tape for long term archiving).

Depending on availability requirements, consider generators for the main and backup data centers.

Go into specifics about virtualization if you plan on using that for your redundancy/failover. If so, include a SAN for shared storage, backup strategy for that, etc.
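
The schedule suggested above (weekly fulls plus daily differentials) compared with the weekly-only plan, as an added example that is not part of the original post. The dates, the 23:00 job time and the rule that a differential is only usable on top of the full it was taken against are assumptions made for this sketch.

```python
from datetime import datetime, timedelta

START = datetime(2010, 3, 7)  # constructed: a Sunday; every job finishes at 23:00

def build_catalog(days, differentials=True, bad_days=()):
    """Weekly full on days 0, 7, ...; optional differential on the other days.
    bad_days lists jobs that failed or did not verify (constructed input)."""
    catalog, base = [], None
    for d in range(days):
        when = START + timedelta(days=d, hours=23)
        ok = d not in bad_days
        if d % 7 == 0:
            base = when
            catalog.append({"kind": "full", "when": when, "base": None, "ok": ok})
        elif differentials:
            catalog.append({"kind": "diff", "when": when, "base": base, "ok": ok})
    return catalog

def restore_plan(catalog, failure):
    """Return (backup sets to restore, in order; window of work that is lost)."""
    usable = [b for b in catalog if b["ok"] and b["when"] <= failure]
    fulls = sorted((b for b in usable if b["kind"] == "full"),
                   key=lambda b: b["when"])
    if not fulls:
        return [], None  # nothing restorable yet
    full = fulls[-1]
    # Assumption: a differential applies only to the full it was taken against,
    # so differentials based on a bad full are skipped along with it.
    diffs = sorted((b for b in usable
                    if b["kind"] == "diff" and b["base"] == full["when"]),
                   key=lambda b: b["when"])
    plan = [full] + diffs[-1:]  # never more than two sets to restore
    return plan, failure - plan[-1]["when"]

def lost_hours(catalog, failure):
    """Hours of work lost between the last restorable set and the failure."""
    return restore_plan(catalog, failure)[1] / timedelta(hours=1)

FAILURE = START + timedelta(days=11, hours=15)  # Thursday 15:00 of week two

if __name__ == "__main__":
    cases = {"weekly full only": build_catalog(14, differentials=False),
             "full + daily diff": build_catalog(14),
             "last diff failed": build_catalog(14, bad_days={10}),
             "last full failed": build_catalog(14, bad_days={7})}
    for label, cat in cases.items():
        plan, lost = restore_plan(cat, FAILURE)
        sets = " + ".join(f"{b['kind']} {b['when']:%a %d}" for b in plan)
        print(f"{label:18} restore {sets:24} lost {lost}")
```
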
 

imagoon

Site to site VPN with your DSL connections, and MPLS cloud with those T1's.

DHCP server at each branch, one WAN point at one of the larger sites...so all traffic is logged/tagged/websensed/firewalled...that way you have ONE firewall to manage, and just the routers/servers. Unless you get some sort of WAN accelerators to optimize traffic (if you needed it), and get rid of servers at branches and use DHCP on Cisco routers...granted those little T1's would get beat pretty good with those bigger DSL lines. Might consider a T3 as your backbone...and 10+MB for fiber to the net at your largest branch.

Personally, I would use MPLS DSL lines (instead of DSL VPN point to points) and drop the need for all the VPN equipment. I use them a ton here and they are fantastic.

What are your space and usage requirements? Blade servers have no/minimal value unless you're short on dataroom space. They cost a lot more and tend to be much more complex to set up and maintain. Remember blades typically need some sort of SAN to hang off of because local disk is normally only 1 or 2 2.5" SAS disk slots (if any, newer blades are diskless). Depending on the size, a SAN might be needed even for U sized 19" servers.
 

Cable God

Personally, I would use MPLS DSL lines (instead of DSL VPN point to points) and drop the need for all the VPN equipment. I use them a ton here and they are fantastic.

What are your space and usage requirements? Blade servers have no/minimal value unless you're short on dataroom space. They cost a lot more and tend to be much more complex to set up and maintain. Remember blades typically need some sort of SAN to hang off of because local disk is normally only 1 or 2 2.5" SAS disk slots (if any, newer blades are diskless). Depending on the size, a SAN might be needed even for U sized 19" servers.

Right. Drop the blades. Unless you are tight on space, blades suck far too much power and require a larger amount of cooling. Since you are using Windows 2008, go with Hyper-V for virtualization. Backup/DR, look at Backup Exec System Recovery. It has restore anywhere, which can restore a physical server as a virtual server and vice-versa.
VPN gear, look at Juniper Networks.
 

seepy83

I feel like this assignment is way too open-ended. You aren't given a budget, you aren't told what their existing infrastructure is. Do they give you any information at all that suggests what their requirements are and how this should be sized?

From the Security perspective, how do you know if you need (to name a few)...
Network IDS? Host/Client IDS?
Network IPS? Host/Client IPS?
NAC?
Client VPN?
Secure/Encrypted Email Gateway?
Whole Disk Encryption?
Two-Factor Authentication?
Web/Email Content Filtering?
SIEM?
DLP?

And that's, potentially, just a portion of the security picture. You've still got Network, Servers, Storage, Thick/Thin Clients, Telecom, etc to design.

I'd be asking your teacher/instructor/professor for more info before designing a solution. If it is left up to your imagination, in my opinion, you can design whatever the hell you want, for whatever reasons you might come up with, and you would get an A on the assignment.
 

joeybaker

Agree that blade servers are overkill.

Also agree that this assignment is far too open-ended – which is probably why you settled on the blade servers – there's no cost restrictions.

Other things you'll want to consider:
• A RADIUS server
• Will you be outsourcing email? Google Apps? Exchange? (It's a law firm, so there may be legal implications to using Cloud)
• Do you need to support blackberries/iPhones?
• What about wifi?
• Think about file sharing? Will you have a dedicated server or use the cloud (SugarSync, Dropbox)
 

Adigo

I feel like this assignment is way too open-ended. You aren't given a budget, you aren't told what their existing infrastructure is. Do they give you any information at all that suggests what their requirements are and how this should be sized?

From the Security perspective, how do you know if you need (to name a few)...
Network IDS? Host/Client IDS?
Network IPS? Host/Client IPS?
NAC?
Client VPN?
Secure/Encrypted Email Gateway?
Whole Disk Encryption?
Two-Factor Authentication?
Web/Email Content Filtering?
SIEM?
DLP?

And that's, potentially, just a portion of the security picture. You've still got Network, Servers, Storage, Thick/Thin Clients, Telecom, etc to design.

I'd be asking your teacher/instructor/professor for more info before designing a solution. If it is left up to your imagination, in my opinion, you can design whatever the hell you want, for whatever reasons you might come up with, and you would get an A on the assignment.


The only information provided on the "current network" is:

Running T1 connections to every one of its remote offices. The existing is built on Windows 2003, offering DHCP and WINS services. Lists basic information about local offices and the use of HUBS. Doesn't specify any exact details. Keep in mind this is an intro to networking class (go figure).
 

seepy83

The only information provided on the "current network" is:

Running T1 connections to every one of its remote offices. The existing is built on Windows 2003, offering DHCP and WINS services. Lists basic information about local offices and the use of HUBS. Doesn't specify any exact details. Keep in mind this is an intro to networking class (go figure).

It would be nice if it said "Running T1's to each remote office, but file transfers between offices are too slow" or something along those lines...then you would know that you need an upgrade there.

It would depend on if any applications they are running require WINS, but (if possible) I would highly recommend turning off WINS and using only DNS.

Upgrade the Hubs to Switches.

This assignment is wide open...go crazy...spend a few hundred million dollars...

edit: since this is a law firm, if you're hosting Email in-house, I would recommend some email archiving software (there are a lot of options here...Symantec Enterprise Vault is the one I'm familiar with). They probably have a big need for email archiving and retention policies.
 

imagoon

The only information provided on the "current network" is:

Running T1 connections to every one of its remote offices. The existing is built on Windows 2003, offering DHCP and WINS services. Lists basic information about local offices and the use of HUBS. Doesn't specify any exact details. Keep in mind this is an intro to networking class (go figure).

Never understood the obsession with 'hubs' and school classes. You barely can buy a HUB anymore yet every scenario seems to have them.

Law firms also suck as an example as they tend to have a lot more 'special cases' than others. Things like large storage requirements, integrated document tracking and usage, chain of custody, backup requirements, change management, document history management, document security, etc.

At the very basic end: rack based servers to switches (Cisco/HP whichever). Firewall of some sort to the internet (Juniper?) 3.0 - 4.5 meg pipe might be fine. Redundant internet if you want to get fancy. MPLS core for all the sites. Prob something around 3.0 - 4.5 in to the MPLS core from 'corp' and then hang the MPLS T1's to the other big sites and to the DSL lines.

Big sites I would assume would have on site servers with replication or something running. Multiple sites offer good BCPing.

These are very rough 'project' like answers. Would need to do real review to see if those were sane.

Generally you can't lose with Cisco switches/routers and Juniper firewalls if you have no budget to worry about.
 

RadiclDreamer

Never understood the obsession with 'hubs' and school classes. You barely can buy a HUB anymore yet every scenario seems to have them.

Law firms also suck as an example as they tend to have a lot more 'special cases' than others. Things like large storage requirements, integrated document tracking and usage, chain of custody, backup requirements, change management, document history management, document security, etc.

At the very basic end: rack based servers to switches (Cisco/HP whichever). Firewall of some sort to the internet (Juniper?) 3.0 - 4.5 meg pipe might be fine. Redundant internet if you want to get fancy. MPLS core for all the sites. Prob something around 3.0 - 4.5 in to the MPLS core from 'corp' and then hang the MPLS T1's to the other big sites and to the DSL lines.

Big sites I would assume would have on site servers with replication or something running. Multiple sites offer good BCPing.

These are very rough 'project' like answers. Would need to do real review to see if those were sane.

Generally you can't lose with Cisco switches/routers and Juniper firewalls if you have no budget to worry about.

Only reason this is used so much is so people understand why hubs should be replaced with switches.