Dev Shed Forums > System Administration > Security and Cryptography
#1  November 8th, 2004, 05:25 PM  kishorepalle (Registered User)
Interview Question...about a Network Infrastructure

Hello Guys,

I was asked this question when I attended an internship interview. I hope this will be of some help; do not forget to discuss the problem and the solution. Try it out yourself.

They handed me their company's existing infrastructure diagram and asked me to design a “secure” infrastructure.

Below is the company's infrastructure (click the link below or type it directly into your browser):

Company's Infrastructure
http://www.geocities.com/pvkkishorereddy/infra.JPG

They asked me to assume that they have recently had a break-in and suffered a defacement attack on their main website and the destruction of their production FTP distribution server. Assuming that I am hired, what changes would I propose to their infrastructure to ensure that this doesn't happen again?

All you need to do is find any problems with the diagram and recommend changes to the existing system and hardware to meet their needs.

Because the company is leaving their currently "open" environment, they have some requirements which will need to be addressed.

Here are some closer insights into the infrastructure.

The company is broken down into 8 different groups. The groups and the number of machines allotted to each group are as follows:

1. Software Development (existing software lines): 26 Solaris, 1 PC, 1 Mac, 1 Linux
2. Research and Development (new software and hardware ventures): 31 Linux
3. Quality Assurance: 12 PCs
4. Network Administration: 5 Linux
5. System Administration: 8 Solaris
6. Product Sales: 15 PCs
7. Customer Support: 15 PCs
8. Financial: 8 PCs

These groups are separate entities; however, they utilize a core set of resources which are common to all. The following systems are used by all groups to accomplish their tasks; some are internal only, others are publicly accessible:

1. File Services (clustered NFS file servers providing home directories, development directories and redundant storage)
2. Backup Services (2 tape backup systems)
3. E-mail Services (2 clustered Exchange servers providing redundancy)
4. Web Services (allows for registration and access to downloadable products; also hosts internal web sites for documentation, announcements, etc.)
5. FTP Services (allows for downloads of licensed and evaluation copies of software products, as well as moving software from development to the QA group)
6. Database Services (clustered; allows storage of development and testing data as well as customer data and other important information)

------------------------------------->>>

Business Requirements:

In order for the company to continue to work, they need to support the following:

1. Core services need to be available to all groups in one form or another
2. Users need to be able to reach the internal resources from the road (while visiting customers) and from home
3. Customers need to be able to communicate with the company via e-mail
4. Customers need to be able to access information on both the web server and the FTP server
5. Development groups need to be able to move software to the QA group for analysis
6. Customer Support and Sales need to be able to interact with customers outside the infrastructure
7. Network and Systems Administration need access to computers and network equipment for management
8. Financial systems are to be isolated from everyone

------------------------------------->>>

My recommendations were:

Have the FTP and database servers on HTTPS, and put in a firewall and an intrusion detection system. I know this is not enough; if anyone can think of something, please recommend it.

Any help is very much appreciated.

Thanks in advance.
Kishore

#2  November 9th, 2004, 08:28 AM  juniperr (network dude)
Well, you seem to miss the most obvious (to me anyway). The biggest problem with this is there is no DMZ. By only spending 2 minutes looking at their Visio and reading only part of what you had to say (cause I'm lazy LOL) I would recommend this..

Redesign of Internet access...
router -> PIX 515 firewall with DMZ card -> McAfee WebShield in bridge mode -> Cisco 3550 switch (these can do inter-VLAN routing) with VLANs for each department, allowing access via ACLs to each other, restricting access to the financial VLAN but allowing them out.

Move the FTP server into the DMZ, move the web server into the DMZ, add a new e-mail server running OWA in the DMZ for web access, using HTTPS for access. Enable the built-in IDS in the PIX and log to a syslog server. Create a client-to-site VPN for remote user access using RADIUS authentication.

Blah, I could keep going but that should be sufficient for now.

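A configuration sketch of the DMZ juniperr describes, added here as an example; it is not the poster's configuration and not taken from any real deployment. It shows a PIX 515 (6.x syntax) with a third interface for the DMZ, the web and FTP servers moved behind it, only HTTP, HTTPS and FTP admitted from the Internet, no connections initiated from the DMZ into the inside network, and the built-in IDS sending alarms to a syslog host. The interface assignments, the 203.0.113.0/24 public range (the documentation range), the 192.168.100.0/24 DMZ range, the 10.20.0.0/16 inside range, the server and syslog addresses and the ACL names are all assumptions.

```cisco
! Added example (PIX 6.x syntax), not the poster's configuration.
! Assumed addressing: outside 203.0.113.0/24, DMZ 192.168.100.0/24,
! inside 10.20.0.0/16, syslog server 10.20.2.20.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.20.2.254 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
!
! Public addresses for the two servers that move into the DMZ.
static (dmz,outside) 203.0.113.10 192.168.100.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.100.11 netmask 255.255.255.255
!
! Inside hosts keep their own addresses when talking to the DMZ, so
! development can still push releases to the FTP server (requirement 5).
static (inside,dmz) 10.20.0.0 10.20.0.0 netmask 255.255.0.0
!
! From the Internet only web and FTP to the DMZ hosts (requirement 4);
! everything else, including anything aimed at the inside, is dropped.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit tcp any host 203.0.113.11 eq ftp
access-group outside_in in interface outside
!
! A defaced web server or a compromised FTP server must not become a
! stepping stone: the DMZ may not initiate connections to the inside.
access-list dmz_in deny ip any 10.20.0.0 255.255.0.0
access-list dmz_in permit ip any any
access-group dmz_in in interface dmz
!
! Inside users reach the Internet through PAT on the outside address.
nat (inside) 1 10.20.0.0 255.255.0.0
global (outside) 1 interface
!
! Built-in IDS: attack signatures alarm and drop, informational ones
! alarm only; all messages go to the syslog server on the inside.
ip audit name IDS-ATTACK attack action alarm drop
ip audit name IDS-INFO info action alarm
ip audit interface outside IDS-ATTACK
ip audit interface outside IDS-INFO
logging on
logging host inside 10.20.2.20
logging trap informational
```

The `dmz_in` list is the line that turns a repeat of the break-in described in the first post into a contained incident rather than a second foothold: with it, a compromised DMZ host can still fetch updates but cannot open a single connection toward the file servers, Exchange or the database cluster. `logging trap informational` is set one level below the severity of the PIX IDS messages so that the `ip audit` alarms actually reach the syslog host.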
#3  November 9th, 2004, 04:14 PM  kishorepalle (Registered User)
Quote:
Originally Posted by juniperr
Well, you seem to miss the most obvious (to me anyway). The biggest problem with this is there is no DMZ. By only spending 2 minutes looking at their Visio and reading only part of what you had to say (cause I'm lazy LOL) I would recommend this..

Redesign of Internet access...
router -> PIX 515 firewall with DMZ card -> McAfee WebShield in bridge mode -> Cisco 3550 switch (these can do inter-VLAN routing) with VLANs for each department, allowing access via ACLs to each other, restricting access to the financial VLAN but allowing them out.

Move the FTP server into the DMZ, move the web server into the DMZ, add a new e-mail server running OWA in the DMZ for web access, using HTTPS for access. Enable the built-in IDS in the PIX and log to a syslog server. Create a client-to-site VPN for remote user access using RADIUS authentication.

Blah, I could keep going but that should be sufficient for now.

Thanks for your reply, juniperr. I'll try to redesign the infrastructure (keeping your recommendations in mind) and post it so that you can take a look at it.

I'd greatly appreciate it if you could take a look at it when I am done and let me know if it's OK.

Kishore

#4  December 7th, 2004, 03:53 PM  kishorepalle (Registered User)
New Architecture

Hello guys, here is the new modified architecture.

Please take a look at it and let me know if the infrastructure is secure now.

New Architecture
http://www.geocities.com/pvkkishorereddy/arch.jpg

Just in case you want to take a look at the previous version, here it is:

Old Architecture
http://www.geocities.com/pvkkishorereddy/infra.JPG

#5  December 8th, 2004, 09:01 AM  juniperr (network dude)
Hard to tell what is going on with your VLANs in your diagram.

Basically you would set up a VLAN for management of the network, let's just say VLAN 1. All switches would be in this VLAN and no network traffic would be on it. The reason you do this is security (only give admins access to this network for administration of the switches), and when doing VTP domains and pruning all the switches would need to set up ISL or 802.1q trunking over an untagged connection (which is the management VLAN 1). After that, put all servers and the base group of users into VLAN 2, then create a VLAN for each additional group of PCs. All network traffic will be on tagged VLANs (Cisco best practice).

I see you went with the 3750 over the 3550, good choice; you can get the 24-port 1GB. You could also get 2948G switches that are 48-port 1GB over copper to speed things up to the workstations without changing wiring, if you're comfortable with the CatOS (set commands, same as the 4000 series switches). Other than that I have no other comments at the moment (cause I'm in a hurry hehe).

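The switch side of juniperr's two replies pulled together as one added Catalyst 3750 (IOS) example: the management-only VLAN 1 riding untagged on the trunks with every user VLAN tagged (reply #5), plus the per-department VLANs with ACL-restricted inter-VLAN routing that isolate Financial while still letting it out through the firewall (reply #2). This is not the poster's configuration and not the OP's diagram. The VLAN numbers above 2, the VLAN names, the 10.20.<vlan>.0/24 addressing, the PIX inside address 10.20.2.254, the placement of admin workstations in VLAN 40, the VTP domain name and the interface numbers are assumptions.

```cisco
! Added example (Catalyst 3750, IOS), not the poster's configuration.
! Assumed: VLAN ids/names below, 10.20.<vlan>.0/24 per VLAN,
! PIX inside interface at 10.20.2.254, admin workstations in VLAN 40.
hostname core-3750
!
! VLAN 1 carries switch management only; no user or server traffic.
interface Vlan1
 ip address 10.20.1.2 255.255.255.0
!
! VTP: one domain, pruning so trunks only carry the VLANs they need.
! The password is a placeholder to be replaced.
vtp domain CORP
vtp mode server
vtp password CHANGE-ME
vtp pruning
!
! Servers and the base group of users in VLAN 2 (juniperr's layout);
! each further department gets its own VLAN.
vlan 2
 name Servers-Base
vlan 20
 name Development
vlan 30
 name QA
vlan 40
 name Admin
vlan 80
 name Financial
!
! 802.1Q trunk to an access switch. VLAN 1 rides untagged as the native
! VLAN; every user VLAN is tagged.
interface GigabitEthernet1/0/1
 description trunk to access switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2,20,30,40,80
 switchport mode trunk
!
! A Financial workstation port: access mode, one VLAN, no DTP negotiation.
interface GigabitEthernet1/0/10
 description Financial workstation
 switchport mode access
 switchport access vlan 80
 switchport nonegotiate
 spanning-tree portfast
!
! Inter-VLAN routing with one SVI per VLAN; the PIX is the default route.
! NO-FIN is applied on every SVI except Admin (requirement 7) and Financial.
ip routing
interface Vlan2
 ip address 10.20.2.1 255.255.255.0
 ip access-group NO-FIN in
interface Vlan20
 ip address 10.20.20.1 255.255.255.0
 ip access-group NO-FIN in
interface Vlan30
 ip address 10.20.30.1 255.255.255.0
 ip access-group NO-FIN in
interface Vlan40
 ip address 10.20.40.1 255.255.255.0
interface Vlan80
 ip address 10.20.80.1 255.255.255.0
 ip access-group FIN-IN in
ip route 0.0.0.0 0.0.0.0 10.20.2.254
!
! Requirement 8: Financial isolated from everyone, but still allowed out.
! Packets from VLAN 80 to any internal subnet are dropped; anything else
! (Internet destinations, forwarded to the PIX) is allowed.
ip access-list extended FIN-IN
 remark put specific permits above the deny for any core service Financial must use
 deny   ip 10.20.80.0 0.0.0.255 10.20.0.0 0.0.255.255
 permit ip 10.20.80.0 0.0.0.255 any
!
! The other direction: no department initiates into Financial.
ip access-list extended NO-FIN
 deny   ip any 10.20.80.0 0.0.0.255
 permit ip any any
!
! Requirement 7: only the Admin VLAN may manage the switch, over SSH.
access-list 10 permit 10.20.40.0 0.0.0.255
line vty 0 15
 access-class 10 in
 transport input ssh
```

Two points worth checking against the business requirements before copying this layout: the ACLs on the SVIs are stateless, so any core service Financial genuinely needs (requirement 1) has to be listed as an explicit permit above the deny in `FIN-IN`, with a matching hole in `NO-FIN` on the server VLAN only if that service has to initiate toward Financial; and the `access-class` on the vty lines is what actually enforces "only admins on the management network", since VLAN 1 being quiet is a convention, not a control.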
© 2003-2008 by Developer Shed. All rights reserved.