Thread: Network Design Questions

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    142

    Network Design Questions

    Hello everyone..
    I have been a little lazy in posting on the Forum. But I now have a couple of questions regarding the network design stuff. I know that this might not be the right place to post, since antionline is a network security forum, not a network design discussion forum (and since I'll always consider myself a newbie, I'll post my question here in Newbies Questions). But antionline has played such a massive role in my learning that I want to share these questions with the antionline community as well. People like MsMittens, Memory, HTRegz, The3ntropy, NullDevice, gore, Cybr1d and nihil have been such a great source of learning and inspiration. Now I won't make my text more lengthy and boring; coming to the issue.

    The scenario is that I have a gigabit backbone, and I have to topologically divide it into three sections. And everything has to be in a LAN, connected to each other:

    i) Mainframe apps
    ii) Unix OS for scientific apps
    iii) Novell Netware and Microsoft Windows hybrid environment for commercial apps.

    Well, here go the questions for network design.

    1) I have to incorporate an IBM mainframe OS, OS/390, that is being used for legacy customer applications (SAP, General Ledger accounting, etc.). Now many confusions. One issue is how I would interface an individual computer (running Windows/Linux) to the IBM mainframe. I have been able to figure out some controllers, but I am not clear on the issue yet. Please let me know how I can interface computers (not dumb terminals) with the mainframe. And how would I then interface all the traffic coming from the mainframe to my backbone of the network? Would there be something in between the mainframe and the gigabit backbone (any special switch or intermediary device)?

    2) The second issue is remote storage and manipulation of applications in a centralised way. All applications used in-house and remotely are provided by and supported from headquarters through the private network. Now this is a replication and coherency issue. The other region, which would be manipulating applications and storing them in a centralised way, would be countries apart but on the same continent. What solution should be provided in order to have centralised application servers with clients in far-away countries? Another confusion????

    3) The third issue is to provide the travelling employees remote connectivity to the headquarters' network for the corporate email server and remote logon facility. How would I do that? Should I be looking for a RAS (remote access server) and VPN thing? I am looking at this closely. Any suggestions??

    4) Another important issue is providing internet connectivity to the organisation, considering the fact that they would like to have VoIP, video conferencing, a centralised application server (accessed by clients in many countries), remote logons etc. Do you guys think that T-1 lines would do the trick? What type of routers would I require for VoIP and video conferencing? Any recommendations??

    5) They are using Frame Relay at the moment with FRADs. Do you guys think that they should be upgraded to ATM for a cost-effective and efficient improvement, since ATM with VBR (Variable Bit Rate) seems to be a good choice for video conferencing and audio conferencing?

    6) What issues at the client's end should be considered, keeping the whole scenario in mind?

    7) For remote administration I am looking into Telnet and SSH servers, and I guess that would be good enough?

    8) Security is something which I really learned from Antionline. I have considered the following things for security that I am going to deploy in this network design: Intrusion Detection System, honeypots, sniffers, antiviruses, firewalls and use of cryptography for important messages. Did I leave anything else out? Any other recommendations would be appreciated.

    9) I am working on Disaster Recovery Planning. Maybe I'll be coming up with more confusions.

    I guess it's a pretty lengthy post and I must terminate it. A word of thanx for all those who read this thread. I already appreciate their effort and expect a reply with helpful links and pieces of advice.
    Thank you antionliners.
    Please help me out with these confusions, so that I might be able to contribute to the community with all the knowledge that I gathered from the Gurus.
    Ommy

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    142
    Sorry about the formatting of the post. I typed it in Notepad and pasted it into the browser, and it made it a little more spacious.

  3. #3
    What topology will you use?

  4. #4
    Junior Member
    Join Date
    Oct 2003
    Posts
    18

    for your critical points(honeypots, IDS, etc.....)

    I would use port knocking on the mission-critical points to lock down access to the critical servers/comps........on top of the honeypots, I would turn them into stinging pots (respond to the intruder and destroy)........also, an interesting idea would be to make all your computers respond as Windows 95, especially on the IDS/honeypots...don't forget to set up your tarpits and lockers.....

  5. #5
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I'm gonna work on the other questions, but as far as disaster recovery goes, I would of course go with tape backups, or you could even hire a company to host your data for you on a different computer somewhere else. That way, if something happened to your backups and computers, you would still have recent data on a different computer in a different location.

    Also, I would say a T1 would be ok, but if you're needing to run applications from a centralized server then I would say you might need more than a T1, especially if you're having clients from other countries needing apps from the server. Maybe a fractional T3 if your company can afford it.

    I'll see what I can't come up with on the rest of the stuff.

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    142
    ummm...hard candy... I am going to use a hybrid sort of topology that includes a bus as a backbone, which is going to be a gigabit backbone, and the medium would be fibre optic (I am further looking into its specifications). Now the nodes connected to the backbone would be switches which would be responsible for handling the departments' (Mainframe, Unix, Novell and Microsoft) traffic internally and then be able to send it to the backbone. Are there any special switches which are used for interfacing to the optic fibre? This makes it a star topology, and the medium to be used internally, I guess, would be CAT5. So it's a hybrid of BUS and STAR.

    shaded3l33t, thanx for the suggestion. I will look into port knocking, setting up tarpits and lockdowns. Indeed a great help. I guess setting up an IDS would deal with the port scans as well.

    cheyenne1212, thanx for looking into it. As for the disaster recovery plan, I did have some backup methodologies in my mind, but along with that, hosting it with a company is a good backup plan. And maybe for security the tapes can be stored at a secure place like banks.
    And for security purposes, I am thinking of making a dark room for servers with KVM switches for avoiding physical access to my servers.

    Looking forward to further advice. Please, someone look at the mainframe, centralised application server, replacing Frame Relay with ATM and client-side issues as well.

    Thank you

  7. #7
    Senior Member
    Join Date
    Jan 2004
    Posts
    124
    I must admit that I don't have much experience with large networks. But I'll try to give you some ideas to work on for centralised applications. All your clients will be connected to the main office either with T1 (or another solution) or with a RAS server (that is most of the time a modem connection on the client side). You could consider two types of app server.
    1. Linux/Unix app server with telnet/ssh access (I'm not sure if you could have a GUI)
    2. W2K app server with terminal services (GUI will work... tested)

    In both cases 33.6 kbps per user will do, because all processing is done on the server. The second solution would probably ask for more hardware power (cluster???) but offers the classic MS GUI that most users are used to working with.

    I hope I was helpful.
    For more info about the MS solution, search the knowledge base at support.microsoft.com
    Ikalo
    ------
    Make your knowledge your deadliest weapon.

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    I have attempted to at least provide you with a starter on each area; if you could provide more info on what you are going to do, how many users etc., that would be useful.

    Use multiplexers to provide the connection between the mainframe and your users. I think you can run a connection from your Ethernet to the multiplexer, which then passes traffic onto the mainframe. End-users then use terminal emulation software to connect to the mainframe (i.e. HyperTerminal on Windows). I think that the mainframe sits on the network like anything else, with the multiplexer providing connectivity.

    Issue no. 2: I'm not too clear on what you mean; it seems like you are talking about the use of NAS? Could you elaborate more on this?

    Issue no. 3: I'd go with a VPN solution. Dial-in solutions are fine for a few people but don't scale too well. You can go with an open-source solution such as OpenVPN with OpenSSL etc., or a commercial package such as Cisco VPN, or SecuRemote (if using Check Point). These will need to authenticate against something (typically a RADIUS server; we can discuss this more in depth if you need to). The VPN servers should sit in the DMZ; do not place them directly in your network, as naturally this presents a security risk since it's a box that can be reached from the outside. If possible, use two-factor authentication for the connections; don't just use a password!

    What connectivity you have is going to depend on how much traffic we are talking about. Is this a large organization? Do they want to expand their bandwidth over time, in which case T1s may not be the way to go? There are bigger lines out there, T3, OC3 etc., so how much traffic are you actually talking about having?

    Frame Relay may be fine, again depending on how much traffic; how many users are we talking about? Also, Frame Relay can provide a decent speed, as it can be upgraded.

    On the client end, if they are employees then you need to ensure that they have anti-virus and personal firewalls in order to prevent their machines from potentially being used as a piggyback into your network. If they are actual clients from outside organizations, then try and keep their connectivity as simple as possible, i.e. allow connections over as few ports as possible. If they are large clients, you may be looking at setting up an extranet where you have a private connection between your organization and the client, with for example a dedicated T1 line. Again, this needs to terminate in a DMZ area, as it is still an outside connection; do not allow anyone direct access into your network.

    For remote admin, perhaps you could pipe that through the VPN; that way you are on a semi-trusted segment and therefore can prohibit your devices from allowing any connections from external addresses.

    As for security, if this is the early stages of the network then forget about honeypots, and maybe even IDS for now. Get a decent firewall infrastructure in place and an antivirus solution. Then, over time, look to expand your security infrastructure.

    DR is a massive area; what are your specific problems?
    Quis custodiet ipsos custodes

  9. #9
    Senior Member
    Join Date
    Jun 2003
    Posts
    142
    Well, thank you for your reply. I am going to look into your reply and will answer your questions. I am going to bed right now. But thanx all the ways...

  10. #10
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    One thing to keep in mind as well is who is signing the checks for all this? If you have to go to a CIO, CTO etc., you are going to need to keep their budgets in mind. There is always an ideal that we would like to have, but in reality you need to keep in mind that it all costs money, so be sure to choose wisely.
    Quis custodiet ipsos custodes
