View Source

Diagrams

(from Google Docs)

Typical Switchroom

ISB

Logical Interconnect and Monitoring Diagram

Priorities

ISB
- 2x 8-port Gig-E blades (ISB-6509-1,ISB-6509-2)
- 2x Supervisor (ISB-6509-2)
CAS,BUR
- 2x 8-port Gig-E blades (CAS-6509-1, BUR-6509-1)
VPN
- Can we support a VPN where clients can be either inside or outside the limited-access network?
HIL
- Candidate for off-campus connectivity
- 8-port Gig-E (HIL-6509-1)
OWE,SHA
- 2x 8-port Gig-E (OWE-6509-1,SHA-6509-1)

Notes

None of this equipment can be in scope for the PCI network.
All of the ISO tools shown can be used for any traffic on the network, not just the PII network.
The firewall/IPS will probably require 10Gbps interfaces to scale beyond the initial 300-user group.
GigaView switches are managed by the ISO. They do not participate in forwarding production network traffic.
?? Are the ports for the management of the ISO equipment billed monthly, or paid for up front?
?? What about remote sites?
?? VPN
?? availability level?
- Firewall/inline equipment fail open or closed? Manual bypass?
?? Firewall policy?
??NAT? What device does the NAT?
?? Role or Marc's TMG?

Existing equipment and connections

GigaMon

?? SPAN vs tap with the complications of PHY?

New equipment and connections

Failover Bypass for IPS/Firewall

Will automatically bypass IPS/Firewall in the event of failure.
Needed for initial deployment?
Some requirements.
- 1G ports, but this will eventually be 10G
- SNMP management/monitoring
?? Routing config here? Is the distribution a different VRF than the PII backbone VRF? If these are different VRFs, can we do the bypass in the core router?
?? PB: Maybe firewall/IPS is best as a single instance in ISB.

Firewall Network Topology

The restricted network is segregated from the campus and the Internet by a pair of Cisco ASA-5585X security appliances (firewalls). ISB-ASA-1 and ISB-ASA-2. They are configured in a "Primary/Standby" architecture where ASA-1 is considered to be the Primary during normal operations. The interfaces to the restricted network and the 'public' network are monitored for failures. Any HW failure or change in interface status on any of the monitored interfaces will result in a failover to the standby. There is no 'preempt' feature, so the standby will remain active even when the primary is healthy and will have to be manually moved back if desired "no failover active". The two ASA's share state, so most connections will survive a failover situation. Interfaces Gi0/0 (on both ASA's) are the dedicated failover links. Gi0/1's are a dedicated failover and state link.

IPv4 Routing

ISB-6509-1 is the 'default originate' for the RLAN network (172.26.0.0/16) within the 'rlan' VRF. A static default route sends all traffic (destined outside of the RLAN) to the 'restricted' interface on the Active ASA. The ASA's will NAT all RLAN traffic destined off campus to a pool of addresses in the 198.82.248.0/24 subnet. RLAN traffic destined to on-campus networks (currently 128.173.0.0/16 and 198.82.0.0/16) will not be NAT'd. It is imperative that on campus servers not block the 172.26.0.0/16 networks. ISB-6509-2 contains static routes for all on-campus traffic destined to RLAN networks and off-campus traffic destined to the NAT'd pool into the 'public' interface on the ASA's. ISB-6509-2 redistributes the RLAN network into the campus default IGP.

Security Community > Network Topology > RLAN VRF IPv4 ASA Architecture.png

IPv6 Routing

Coming soon....Require IOS upgrades on our Catalyst 6500's to support IPv6 in the RLAN VRF. Scheduled for Nov. 23rd, 2012.

Security Community > Network Topology > RLAN VRF IPv6 ASA Architecture.png

Firewall Rules

The ASA's are configured to block all traffic (ingress and egress) except as approved by the ITSO. The following network services are required to be permitted throught the firewall:

DNS/DHCP limited to campus DNS/DHCP servers
ICMP currently allowed, but could be limited if ITSO determines. NI&S will want ICMP from atleast the mgmt networks, select NI&S machines, and the VTOC network.
NTP limited to campus NTP servers

The ITSO will request additional firewall permissions through a yet to be determined procedure.