  • NEED HELP - Optimize LAN

    I have a project with which I would like some professional help or suggestions. I have a LAN that is made up of the following components.

    1 Cisco-LinkSys RV042 Router (Dual WAN connections - Internet/VPN)
    3 Cisco-LinkSys SRW2024 Switches
    1 VOIP Modem
    1 Windows Server 2008 64-bit (2 NICs)
    1 Windows Server 2003 32-bit
    1 Ubuntu Linux (Proxy)
    4 Network Printers
    70 Client Computers (Windows XP/Vista/7)
    9 Departments (ranging from 1 to 15 computers)


    Current Setup
    At present the LAN uses a peer-to-peer architecture; primary resources are stored on the x64, the 32-bit Windows server hosts legacy programs, and the Linux box is used as the default gateway for almost all clients, acting as a proxy for internet access. Five other remote locations connect to the resources of the servers as well using the VPN. The router connects the Internet connection and the VPN connection to the switches.

    The Problem
    Increased security issues including wire-fraud

    The Objective
    1. Increase security so tight the DoD would review it for tips
    2. Create a LAN so efficient that would make the water-cycle red with envy.
    OK, maybe a bit exaggerated, but you get the idea.

    I have suggested the use of Active Directory, but I was told that the company tried that once but had performance issues (IMPORTANT, the equipment was not the same @ the time). They are willing to try again, but only if performance can be guaranteed. Someone suggested the use of VLANs as well, but I am not sure how that would pan out as the primary server (x64) only has 2 NICs.

    Ideally, I would like to get rid of the 32bit server and use some kind of emulator on x64. I would also prefer a hardware based proxy instead of the current Linux setup. It would be a dream come true if I could segment the LAN by department, keeping traffic isolated within each department while @ the same time using the x64 server for AD services.

    So, who's up for suggestions?

  • #2
    Re: NEED HELP - Optimize LAN

    Originally posted by Squigy:
    Increase security so tight the DoD would review it for tips
    If security is that important, then your first move would be to hire a consultant.

    Originally posted by Squigy:
    They are willing to try again, but only if performance can be guaranteed.
    If you design the system well, put appropriate hardware in place, implement the system well and maintain it well then performance can be guaranteed.

    Sounds like you need to get your consultant lined up before moving ahead.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: NEED HELP - Optimize LAN

      For something of this scale you would do well to invest in a good consultant who knows e.g. the legal requirements for your country and business sector (neither of which we know).

      A few immediate suggestions:
      Can you give us a bit more information about the security issues you currently face?

      You can use Hyper-V on Server 2008 to virtualise your 2003 server, but then again, if it works OK, what will you gain apart from a slightly lower electricity bill?

      Security is a trade-off. I have seen completely secure servers, but then I unpack them and switch them on. There is a balance between keeping users happy and security, and you cannot (or are very unlikely to) have both.

      With 70 users, I suggest AD is a must as it will (a) increase security and (b) reduce management/increase control. What performance issues were met previously and what equipment was it on?

      IMHO VLANS are useful if you really need to segregate traffic (e.g. VOIP) but all of your departments will need to talk to the server so what is the point?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: NEED HELP - Optimize LAN

        VLANs not only segregate traffic but they also define different broadcast domains, and yes, it is a LAN optimization tool. With all clients on the same VLAN, any broadcast on the wire is going to be sent to all clients of that VLAN whether they want it or not. If security is such a concern, update your routers and switches and get a real firewall appliance (ASA, etc.).
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: NEED HELP - Optimize LAN

          Thanks to all of you for chipping in. I took your advice where applicable.
          This is still in the planning stage so no physical changes have been made as yet.

          Applied advice
          1. We're retiring the legacy programs, so there is no need any more for the Win2K3 server (someone suggested using it for NLB load balancing).
          2. The legacy programs will be migrated to web applications, therefore removing the need for the VPN and remote access.
          3. The network printers will be inspected to ensure that they only use TCP/IP.

          What's left to be done?
          1. Configure the x64 2K8 Server for AD.
          2. Find a hardware/appliance solution that can replace the need for the Ubuntu proxy.
          3. Enforce Kerberos, disable LMHash.

          Background to performance issues
          I was not told exactly the specifics of the performance issues the company had with AD previously. The only thing I know is that they were using Win2K3 server and older routers and switches. We suspect faulty cabling and collisions from mis-configurations of the switches, routers, clients and Win2K3.

          Background to security issues
          Several security infractions have been discovered, including keyloggers and trojans. However, we suspect someone is sniffing traffic and cracking passwords with brute-forcers and/or rainbow tables. A major infraction resulted in what seems like a cloning of the server's HDD or credentials data, which allowed the attacker to illegally transfer funds from a bank account.

          I appreciate any suggestions you may have, security or otherwise. Thanks again Ossian and auglan.

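The "Enforce Kerberos, disable LMHash" item in the post above comes down to two LSA settings on every Windows host, which matter here because LM hashes and LM/NTLMv1 responses are exactly what the rainbow-table cracking mentioned in the post targets. The script below is an added example for this thread, not code from any poster: it audits those two registry values on the local machine and, with -Fix, sets them. Assumptions: it runs from an elevated PowerShell prompt; the expected values 1 (NoLMHash) and 5 (LmCompatibilityLevel, NTLMv2 only) are the usual hardened targets; Kerberos itself needs no switch on an AD member, since domain clients use it whenever they address a resource by name, and LmCompatibilityLevel only governs the NTLM fallback.

```powershell
# Added example for this thread, not code from any poster. Audits the two LSA
# registry values that control LM hash storage and LM/NTLM fallback on a Windows
# Server 2008 / XP-era host. Run from an elevated PowerShell prompt.
param([switch]$Fix)

# Standard LSA key; this is where Windows keeps both values.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaValue {
    param([string]$Name)
    # A missing value means the OS default applies; report that instead of failing.
    $item = Get-ItemProperty -Path $lsa -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Hardened targets:
#   NoLMHash = 1             -> no LM hash is stored at the next password change
#   LmCompatibilityLevel = 5 -> send NTLMv2 only, refuse LM and NTLM responses
$checks = @(
    @{ Name = 'NoLMHash'; Expected = 1
       Policy = 'Network security: Do not store LAN Manager hash value on next password change' }
    @{ Name = 'LmCompatibilityLevel'; Expected = 5
       Policy = 'Network security: LAN Manager authentication level' }
)

$findings = foreach ($c in $checks) {
    $actual = Get-LsaValue -Name $c.Name
    $shown  = if ($null -eq $actual) { '(not set: OS default)' } else { $actual }
    [pscustomobject]@{
        Setting     = $c.Name
        Actual      = $shown
        Expected    = $c.Expected
        Compliant   = ($actual -eq $c.Expected)
        GroupPolicy = $c.Policy
    }
}

$findings | Format-Table -AutoSize

if ($Fix) {
    # Local remediation. On a domain, set the GroupPolicy names listed above under
    # Computer Configuration > Windows Settings > Security Settings > Local Policies >
    # Security Options, so every member (XP included) applies them consistently.
    foreach ($c in $checks) {
        Set-ItemProperty -Path $lsa -Name $c.Name -Value $c.Expected -Type DWord
    }
    Write-Host 'Values written. NoLMHash only applies at each account''s next password change, so force a reset.'
}
```

Two caveats a rollout should respect: NoLMHash stops new LM hashes being stored but leaves existing ones in place until each password is changed, so a forced reset is part of the change; and LmCompatibilityLevel 5 on the domain controller refuses LM and NTLMv1 from every client, so push the client-side policy (NTLMv2 only) to the XP machines first and raise the DC last.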


          • #6
            Re: NEED HELP - Optimize LAN

            Thank you. Updated the post.



            • #7
              Re: NEED HELP - Optimize LAN

              Surely moving applications to webapps exposed to the world, rather than using VPN, greatly increases your security risks?
              Gareth Howells




              • #8
                Re: NEED HELP - Optimize LAN

                Thanks Gareth, but in this case it will be a simple ASP or WPF app, accessible through HTTP. The principal reason for this move however was the cost. The company currently leases a fiber connection to provide VPN access. This can be eliminated by migrating to a web based version.

                For security reasons, we believed that securing a web server would be a better alternative than giving five remote locations direct VPN access to the server. We are more concerned about the internal threat, as that is where we are seeing the more serious issues.



                • #9
                  Re: NEED HELP - Optimize LAN

                  I hope you mean HTTPS in your first sentence!

                  We still don't know the country and line of business as that may lead to some specific suggestions.
                  Tom Jones



                  • #10
                    Re: NEED HELP - Optimize LAN

                    Originally posted by Squigy:
                    For security reasons, we believed that securing a web server would be a better alternative than giving five remote locations direct VPN access to the server. We are more concerned about the internal threat, as that is where we are seeing the more serious issues.
                    I honestly think you should revise this.

                    A VPN tunnel is secure and encrypted, and depending on the equipment used you can get your users to log in to ensure they are who they say they are. The VPN tunnel can stay down until such time as this is authenticated.

                    What equipment are you using to control your VPN tunnels?

                    What other endpoint security are you using?

                    You do know that the weakest link in any form of security is your end users.



                    • #11
                      Re: NEED HELP - Optimize LAN

                      Thanks a lot for all your replies. They say a picture paints a thousand words, so here is the layout of the current LAN.

                      The legacy program that is being run on the Win2K3 server is a DOS-based app, therefore the admins gave elevated privileges to the remote users. This program has been scheduled to be replaced, so we are thinking of migrating it to ASP or WPF.

                      The country is Colombia, the LOB is Security (as in armed guards and bodyguards) and the remote locations are spread out across the country.

                      Ideally, we would like to eliminate the need for the fiber connection, replacing it with VPN Tunneling software (open to suggestions).

                      The current architecture is Peer-to-Peer, we will be moving this over to a Client-Server model using AD, so any suggestions for optimization of that side are welcome as well.

                      Finally, I was thinking of using the Cisco ProtectLink Gateway to replace the Ubuntu proxy. What do you all think?
                      Attached Files



                      • #12
                        Re: NEED HELP - Optimize LAN

                        Hmmm, no comments. I guess I'm becoming a bother. Well, thanks anyway.



                        • #13
                          Re: NEED HELP - Optimize LAN

                          We are a community of volunteers who give up free time to help others here. No answer in 36 hours doesn't mean you are a bother, it just means no-one has had the time to give a considered response.

                          You want faster -- pay for a consultant!
                          Tom Jones



                          • #14
                            Re: NEED HELP - Optimize LAN

                            Hear you loud and clear Ossian, let's not escalate this into a fight. To be honest with you this is my first contract and it means a lot to me. I would be happy to hire a consultant... if I could afford one. But I can't, so that is why I am asking the community for help. So please excuse me if I came off as rude, but try to understand, time isn't on my side.

                            BTW, did you review the image I posted?



                            • #15
                              Re: NEED HELP - Optimize LAN

                              I think you might be missing the point.
                              Firstly, you CAN'T expect a timely answer and/or solution from a volunteer community who only use their free time to contribute here.
                              Secondly, most users here contribute based on their experience and/or a little research about the presented topic.
                              Sometimes these topics might be a bit more complex, therefore requiring more time and effort to come up with a suggestion. This is how forums work; that's why the alternative suggestion of a consultant was made.
                              Caesar's cipher - 3

                              ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                              SFX JNRS FC U6 MNGR
