Have you thought about an AS/400 to help with security? They are very handy for storage and traffic.
Quote:
1) I have to incorporate an IBM mainframe OS OS390 that is being used for legacy ........
Try WRQ. They have some terminal emulation software that may help you.
Quote:
2) Second issue is Remote storage and Manipulation of Applications in a Centralised ......
You will get more bang for the buck if you went with web/HTTP-enabled applications and used something like what Neoteris has to offer; they were purchased by NetScreen and have an awesome SSL VPN gateway.
Quote:
3) Third issue is to provide the travelling employers remote connectivity to the ......
Again, somebody like NetScreen would handle this challenge. You don't have to redesign your internal applications.
Quote:
4) Another important issue is providing internet connectivity to the organisation,.......
It all depends on what you will be using the internet connectivity for: web browsing, VPN access, FTP, remote administration? How many users will need internet access? VOIP is something you definitely want to do a little design work on. Bandwidth and QoS are very important pieces when it comes to VOIP. Talk to a VOIP vendor and let them tell you what you need. Video conferencing tends to be a bandwidth hog and will soak up as much bandwidth as you give it. I think a single T-1 will not be enough for your applications.
Quote:
5) They are using Frame Relay at the moment with FRAD's, Do you guys think that they
Do you have a bandwidth problem with the existing Frame? An upgrade is not cost effective unless you can show good ROI. Upgrading bandwidth is hard to show ROI on unless you have serious latency issues or some other application that will run on it that can justify the upgrade.
Quote:
6) What issues at Client's end should be considered keeping all the scenario in mind?.....
Make sure your outer network perimeter is guarded (i.e. firewalls, IDS, DMZs, etc.), and make sure you have all client computers virus protected and patched. If you have no written policies, then you need to get upper management to back you on getting some written and abide by them.
Quote:
7) For remote administration I am looking into Telnet and SSH Servers and I guess it
Remote administration for what? Each device has its own way of administration. It may be SSH or telnet, or some GUI-based admin tool. But I get your point.
Quote:
8) Security is something which I really learned from Antionline? I have considered.......
Antivirus, IDS, HIDS, firewalls, and sniffers are a must-have in most medium to large businesses. Honeypots are a different story. It looks to me like you have your hands full with getting a network up and running and in place. If it were me, I would spend less time putting some device on my network that specifically invites the hackers in. Read up a little more on honeypots and see if you in fact would like to use one on your network. I view honeypots as being more of a research tool, and with the projects you are embarking on, when will you have time to administer a honeypot?
Why not get some proposals from Novell, Red Hat, IBM, etc.? Not only would you get some idea of the price range but you would also get some ideas of how to accomplish your goals. It sounds as if you really need a professional's input since corporate info could be accessed and security is one of the highest considerations. I hope you're not building a network based on what you learn in a forum.
Well R0n1n...
I have read your post in detail. Indeed very helpful. My vision is getting better with mainframes and their terminals. Thank you for that. Now for your related questions, here go my answers.
Quote:
Issue no. 2 I'm not too clear on what you mean; it seems like you are talking about the use of NAS? Could you elaborate more on this?
All I wanted was a centralised application server located in Headquarters (which is Malaysia), from where clients in other countries (Malaysia, Singapore, Hong Kong) can run their applications. And all the manipulation done by clients on the application should be stored centrally at that central application server. I guess I am making myself clear this time. :)
Quote:
.........two factor authentication for the connections, don't just use a password!
Can you elaborate a little more on this? What is two factor authentication? It really would add to my knowledge.
Quote:
What connectivity you have is going to depend on how much traffic we are talking about. Is this a large organization? Do they want to expand their bandwidth over time, in which case T1s may not be the way to go; there are bigger lines out there, T3, OC3 etc... So how much traffic are you actually talking about having?
Yes, scalability is one of the most important issues and we should consider it. As for connectivity, the applications that are bandwidth hungry include video conferencing, maybe VOIP to some extent, and the centralised application server which is supposed to be accessed by many clients in many countries simultaneously (concurrency and coherency issues). My idea is a fractional T3 or OC3 line would be good enough.
Quote:
Frame Relay may be fine, again depending on how much traffic; how many users are we talking about? Also Frame Relay can provide a decent speed as it can be upgraded.
Again, all applications that would require more bandwidth are mentioned above. As far as users are concerned, there would be around 400 to 500 LAN users and similarly hundreds of WAN clients (accessing the centralised application server, video conferencing, etc.). What Frame Relay upgrade do you suggest?
Quote:
As for security, if this is the early stages of the network then forget about honeypots, and maybe even IDS for now.
Yes, I must admit that the network is already in the early development/upgrade phase and may not require honeypots, but wouldn't it be a good idea to deploy Snort?
Quote:
DR is a massive area, what are your specific problems?
I am not going far into DR. But the issues in my mind regarding DR are backup plans on tape drives, hosting it at some other company, and making a smart network where alternate solutions can be provided in case of any disaster to provide the maximum possible services. Moreover, using RAID 0 and keeping some backup network equipment in storage would be a good idea. I am further looking into it.
And thank you for your advice about mainframes, VPN, SSL, remote administration and client-side issues. Thumbs up to you. If you could PM me your email, maybe I could send you the document describing the whole scenario.
__________________________________________________________________________
Well swarisd, thank you for your efforts and looking into the problem. I would love to solve this problem...
Quote:
Remote administration for what? Each device has its own way of administration
Remote administration for, in fact, the whole network; it can be any server like a web server, DNS, DHCP, FTP, or mail server. In fact the purpose of this Telnet/SSH server would be to provide an interface for the system administrator to the configuration interface of these servers and even some network equipment like a switch or a router's IOS.
Quote:
If it were me, I would spend less time putting some device on my network that specifically invites the hackers in. Read up a little more on honeypots and see if you in fact would like to use one on your network. I view honeypots as being more of a research tool, and with the projects you........
Yes, I do agree with this. I was probably overdoing this. I would look for a strong firewall infrastructure. But wouldn't a honeypot look good if you want to divert a cracker's attention towards a loosely configured machine? Your thoughts on this??
___________________________________________________________________________
Quote:
It sounds as if you really need a professional's input since corporate info could be accessed and security is one of the highest considerations. I hope you're not building a network based on what you learn in a forum.
Well hard candy, my objective here is to learn a good and secure network design, and if I hire someone more professional, the whole aspect of learning would be gone. I hope you are getting me :). Moreover, for me this is more like a research oriented project aimed at coming up with a network design proposal, though it won't be that professional. But I'll definitely get to learn something new. And I am learning something new every day :).
___________________________________________________________________________
Thank you all for your replies. You all have been really helpful. I'll certainly look into budgetary and finance issues.
I am looking forward to your advice, suggestions and recommendations.
Ommy
Since this is a learning experience, here are some links:
SmartDraw has a 30-day free trial, is downloadable, and is used for network design diagrams.
Good network design examples from Lebanon of all places. Cisco has some good design principles; pay attention to the 80/20 rule.
Microsoft has some good reference material.
Remember, the best security setups have one Achilles heel: the users. It used to be P2P was opening backdoors, but now it's IRC and IM. Also, file downloads of any type can set up trojans, etc. I'm not sure if it would be effective, but SpywareBlaster or Spybot Search & Destroy set to run at boot-up (and restricted to administrator configuration) would help a lot. We thought we had pretty well secured our network from the Blaster worm/virus, but someone with a laptop using VPN loaded it into the network. So be pretty careful of VPN; it's handy but does have a cost, especially over time when the techs have to scan servers, etc.
Quote:
Remote administration for, in fact, the whole network; it can be any server like a web server, DNS, DHCP, FTP, or mail server. In fact the purpose of this Telnet/SSH server would be to provide an interface for the system administrator to the configuration interface of these servers and even some network equipment like a switch or a router's IOS.
I don't see the need for a go-between for devices that use telnet/SSH for administration. I do see a use for a RADIUS/TACACS type solution to authenticate your administrators. As we know, there's nothing secure about Telnet, since everything is in the clear. You may want to rethink what you are doing here and deal with administration on a case by case basis. I can see where you may require SSH over telnet, if the device supports it. As powerful as computers have become now, I don't see a need for a go-between box as you describe. I think you will find this out as you go along.
Wow, how does that whole thing work?
OK, following on from your comments:
"All I wanted was a centralised application server located in Headquarters (which is Malaysia), from where clients in other countries (Malaysia, Singapore, Hong Kong) can run their applications. And all the manipulation done by clients on the application should be stored centrally at that central application server. I guess I am making myself clear this time."
- How about some kind of terminal server/Citrix setup? That way folks all work on your central server. Easy to scale up, easy to manage, and it would seem to solve your probs.
Two factor authentication means that users need two things to access the system. These are commonly split into something you have (e.g. a SecurID token), something you know (e.g. a password) and something you are (e.g. a fingerprint). So maybe users have a password and a SecurID token to access your system remotely.
Yes, a fractional T3 or OC3 should meet your bandwidth needs.
As far as the frame relay network, I've seen them operating at decent speeds. Will your users be accessing streaming data, or just the occasional pull down from the server?
As for security, sure, play around with Snort, but concentrate on a good firewall architecture and policies and procedures in place to ensure that all your servers are patched and passwords are strong.
DR is going to be dependent on a) how much you can afford, b) how critical your data is, c) how quickly you are going to want to get it, and d) how much you can afford.
Send me the stuff if you like and I'll be happy to take a look.
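As an added illustration of the two-factor scheme R0n1n describes above (not code from the thread or from any vendor it names): a server-side login check that requires both a password (something you know) and a one-time code from a token (something you have). It assumes an RFC 4226/6238 HOTP/TOTP token in place of the SecurID token mentioned; the token secret is the RFC 4226 reference secret and the password is a constructed demo value.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values (not from the original thread). The token secret is the
# RFC 4226 reference secret, so codes can be checked against the RFC's test vectors.
DEMO_SALT = b"constructed-salt"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000)
DEMO_TOKEN_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time step."""
    return hotp(secret, now // TIME_STEP, digits)


def check_password(password: str, stored_hash: bytes, salt: bytes) -> bool:
    """Something you know: PBKDF2 hash of the password, compared in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored_hash)


def check_token(code: str, secret: bytes, now: int, window: int = 1) -> bool:
    """Something you have: accept the current step and +/- `window` steps for clock drift."""
    step = now // TIME_STEP
    return any(hmac.compare_digest(code.encode(), hotp(secret, step + d).encode())
               for d in range(-window, window + 1))


def authenticate(password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated so a failure does not reveal
    which factor was wrong, and a stolen password alone is never enough."""
    now = int(time.time()) if now is None else now
    password_ok = check_password(password, DEMO_PASSWORD_HASH, DEMO_SALT)
    token_ok = check_token(code, DEMO_TOKEN_SECRET, now)
    return password_ok and token_ok
```

At Unix time 59 the RFC 6238 vector for this secret gives the 6-digit code 287082, so `authenticate("correct horse", "287082", now=59)` succeeds while either factor alone fails.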