February 6th, 2004, 08:18 PM
Network Design Questions
I have been a little lazy in posting on the Forum. But I have now a
couple of questions regarding the network design stuff. I know that this might not be
the right place to post, since antionline is a network security forum, not a network
design discussion forum (And since I'll always consider myself a newbie so I 'll post my
question here in Newbies Question ). But antionline has played such a massive role in
my learning, that I want to share these questions as well with antionline community.
People like MsMittens, Memory, HTRegz,The3ntropy, NullDevice, gore, Cybr1d and nihil
have been such a great source of learning and inspiration. Now wont make my text more
lengthy and boring, coming to the issue.
Scenario is that I have a gigabit backbone,and I have tologically divide it in three
sections. And everything has to be in a LAN, connected to each othr
i) MainFrame Apps
ii) Unix OS for scientific apps
iii) Novell Netware and Microsoft Windows hybrid environment for commercial
Well here goes the questions for network design.
1) I have to incorporate an IBM mainframe OS OS390 that is being used for legacy
customer applications (SAP, General Ledger accounting, etc.) Now many confusions.One
issue is that how would I interface an individual computer (running Windows/Linux) to
IBM mainframe. I have been able to figure out some controllers, but not clear with the
issue yet.Please let me know how can I interface computers (not dumb terminals) with
Mainframe. And how would I then interface all the traffic coming from the MainFrame to
my backbone of the network. Would there be something in-between main frame and
Gigabit backbone (any special switch or intermediary device).
2) Second issue is Remote storage and Manipulation of Applications in a Centralised
way. All applications used in-house and remotely are provided by and supported from
headquarters through the pvt. Network. Now this is replication and coherency issue. The
other region which would be manipulating applications and storing it in a centralised
way, would be countries apart but in the same continent. What solution should be
provided in order to have a centralised application servers, with clients in far away
countries. Another Confusion????
3) Third issue is to provide the travelling employers remote connectivity to the
headquarter's network for corporate email server and remote logon facility. How would I
do that. Should I be lookin for RAS(remote access server) and VPN thing? I am looking
over this closely. Any suggestions??
4) Another important issue is providing internet connectivity to the organisation,
considering the fact that they would like to have VOIP, Video Confrencing, Centralised
application server (accessed by clients in many countries), remote logons etc. Do you
guys think that T-1 lines would do the trick? What type of routers would I require for
VOIP and video confrencing. Any Recomendations??
5) They are using Frame Relay at the moment with FRAD's, Do you guys think that they
should be upgraded to ATM for cost affective and effcient improvement,since ATM with
VBR(variable Bit Rate ) seems to be good choice for vedio confrencing and audio
6) What issues at Client's end should be considered keeping all the scenario in mind?
7) For remote administration I am looking into Telnet and SSH Servers and I guess it
would be good enough?
8) Security is something which I really learned from Antionline? I have considered
following things for security that I am going to deploy in this network design..
Intrusion Detection System, HoneyPots, Sniffers, AntiViruses ,FireWalls and use of
cryptography for important messages. did I left anything else.Any other
recommendations would be appreciated.
9) I am working on Disaster Recovery Planning? Maybe coming up with more confusions
I guess its apretty lengthy post and I must terminate it. A word of thanx for all those
who read this thread. I already appreciate their effort and expect a reply with helpful
links and piece of advice.
Thank you antionliner's
Please help me out with these confusions, so that I might be able to contribute to the
community with all my knowledge that I gathered from Gurus.
February 6th, 2004, 08:20 PM
sorry about the formatting of the post. I typed it in Notepad and pasted it in browser. And it made it a little more spacious
February 7th, 2004, 01:49 AM
What topology will you use?
February 7th, 2004, 03:07 AM
for your critical points(honeypots, IDS, etc.....)
I would use port knocking on the mission critical points to lock down access to the critical servers/comps........on top of the honeypots, I would turn them into stinging pots(respond to the intruder and destroy)........also, an interesting idea would be to make all your computers respond as windows 95, especially on the IDS/honeypots...don't forget to setup your tarpits, and lockers.....
February 7th, 2004, 03:24 AM
I'm gonna work on the other questions, but as far as disaster recovery goes, I would of course go with tape backups, or you could even hire a company to host your data for you on different computer somewhere else. That way if something happened to your backups and computers, you would still have recent data on a different computer in a different location.
Also I would say a T1 would be ok, but if your needing to run applications from a centralized server then I would say you might need more than a T1 especially if your having clients for other countries needing apps from the server. Maybe a Fractional T3 if your company can afford it.
I'll see what I can't come up with on the rest of the stuff.
February 7th, 2004, 09:15 AM
ummm...hard candy... I am going to use a hybrid sort of topology that includes a bus as a backbone which is going to be a gigabit backbone and the medium would be Fibre Optic(I am further looking into its specifications). Now the nodes connected to the backbone would be switches which would be responsible for handling departments(Mainframe, Unix,Novell and Microsoft) traffic internally and then be able to send it to backbone. Are there any special switches which are used for interfacing to the optic fibre? This makes it a Star topolgy and the medium, to be used internally, I guess would be CAT5. So its a hybrid of BUS and STAR.
shaded3l33t, thanx for the suggestion. I would look into port knocking, setting up tarpits and Lock downs. Indeed a great help. I guess setting up an IDS would deal with the port scans as well.
cheyenne1212 , thanx for looking into it. As for disaster recovery plan, I did have some backup methodologies in my mind But ,alongwith hosting it to a company is a good back up plan. And may be for security the tapes can be stored at a secure place like Banks.
And for security purposes, I am thinking to make a dark room for servers with KVM switches for avoiding physical access to my server.
looking forward for further advice. Please someone look at the mainframe, centrallised application server, replacing frame relay with ATM and client side issues as well.
February 7th, 2004, 10:00 AM
I must admit that I don't have much experience with large networks. But I'll try to give you some ideas to work on for centralised applications. All your clients will be connected to main office either with T1(or other solution) or with RAS server(that is most of the time modem connection on client side). You could consider two tipes of app server.
1. Linux/Unix app server with telnet/ssh access (I'm not sure if you could have GUI)
2. W2K app server with terminal services (GUI will work... tested)
In both cases 33.6 kbs per user will do, because all processing is done on server. Secon solution would probably ask for more hardware power (cluster???) but ofers classic MS GUI that most users are used to work with.
I hope I was helpfull
for more info about MS solution search knowledge base at support.microsoft.com
Make your knowledge your deadliest weapon.
February 7th, 2004, 03:39 PM
I have attempted to at least provide you with a started on each area, if you could provide more info on what you are going to do, how many users etc.. that would be useful.
Use Multiplexers to provide the connection between the mainframe and your users. I think you can run a connection from your Ethernet to the multiplexer which then passes traffic onto the mainframe. End-users then use terminal emulation software to connect to the mainframe (i.e. HyperTerminal on windows). I think that the mainframe sits on the network like anything else with the multiplexer providing connectivity.
Issue no.2 I`m not to clear on what you mean, it seems like you are talking about the use of NAS? Could you elaborate more on this?
Issue no.3 I`d go with a VPN solution. Dial in solutions are fine for a few people but don`t scale too well. You can go with an opensource solution such as OpenVPN with OpenSSL etc.. or a commercial package such as Cisco VPN, or Securemote (if using checkpoint). These will need to authenticate against something (typically a Radius server, we can discuss this more in depth if you need to). The VPN servers should sit in the DMZ, do not place them directly in your network as naturally this presents a security risk as it’s a box that can be reached from the outside. If possible use two factor authentication for the connections, don`t just use a password!
What connectivity you have is going to depend on how much traffic we are talking about, is this a large organization? Do they want to expand their bandwidth over time, in which case T1’s may not be the way to go, there are bigger lines out there T3. OC3 etc… so how much traffic are you actually talking about having?
Frame Relay may be fine, again depending on how much traffic, how many users are we talking about? Also Frame relays can provide a decent speed as it can be upgraded.
On the client end, if they are employees then you need to ensure that they have anti virus and personal firewalls in order to prevent their machines from potentially being used as a piggy back into your network. If they are actual clients from outside organizations then try and keep their connectivity as simple as possible, i.e. allow connections over as few ports as possible. If they are large clients you may be looking at setting up an extranet where you have a private connection between your organization and the client with for example a dedicated T1 line. Again, this needs to terminate n a DMZ area as it is still an outside connection, do not allow anyone direct access into your network.
For remote admin, perhaps you could pipe that through the VPN, that way you are on a semi-trusted segment and therefore can prohibit your devices from allowing any connections from external address.
As for security, if this is the early stages of the network then forget about honeypots, and maybe even IDS for now. Get a decent firewall infrastructure in place and an antivirus solution. Then over time look to expand your security infrastructure.
DR is a massive area, what are your specific problems?
Quis custodiet ipsos custodes
February 7th, 2004, 08:11 PM
well thank you for ur reply..I am going to look into your reply and would answer your questions..I a m going to bed right now..But Thanx all the ways...
February 7th, 2004, 08:27 PM
One thing to keep in mind as well is who he signing the checks for all this? If you have to go to a CIO, CTO etc... you are going to need to keep their budgets in mind, there is always an ideal that we would like to have, but in reality you need to keep in mind that it all costs money so be sure to choose wisely.
Quis custodiet ipsos custodes