Security Design and Implementation of a new Cisco enterprise network

ProNetExpert recently completed the implementation of a highly redundant network of dual Internet feeds, redundant Cisco 2800 routers, redundant Cisco ASA 5510 firewalls and a failover pair of Cisco Content CSS11501 Switches for a popular social networking company. The London based client contacted ProNetExpert because their web architecture network was growing rapidly and they felt it was time to look carefully at their network design to ensure scalability, redundancy and security.

ProNetExpert's Cisco ASA Consultants first considered the network perimeter. The current structure provided the web servers with only one circuit for Internet access meaning failure of this circuit meant failure of the entire network. ProNetExpert proposed an additional uplink running on a separate Cisco router. The two routers would provide hardware redundancy by using Cisco HSRP and would use BGP to communicate local external network availability with the ISP.

Directly behind the Cisco routers two Cisco ASA 5510 firewalls were placed. The firewalls were set up in Active Standby mode with one Cisco ASA providing network security and access control whilst replicating its configuration to the backup firewall, which would become active if the primary firewall experienced complete hardware or link failure. As well as providing separation between the hosted web servers and the outside world the ASA firewalls also provided for DMZs were external website developers could undertake testing in a limited access environment.

On the Cisco ASA firewalls full permanent IPSec VPN tunnels were established to the customer management office as well as to ProNetExpert, who took over control of monitoring and management of the network. Separate Remote Access VPNs were also enabled for management access as well as for a more controlled access for the website’s external developers.

Adding two new Cisco Catalyst 48 port 2960 Gigabit switches provided the client with some much needed additional ports for their rapidly expanding network, allowing the existing Cisco 2960 switches to serve as standby hardware failovers. The switches were configured with Per-VLAN Rapid Spanning Tree Protocol to allow them not only to ensure that their redundant network remained loop free, but that the switch capability was maximized to ensure an efficient network. Using PVRSTP the VLAN traffic could be divided to flow across both core switches simultaneously. Spanning-Tree portfast and Spanning-Tree BPDUGuard then allowed for any non-trunking ports to progress quickly into a forwarding state on host connection. VLAN Trunking Protocol (VTP) was implemented to provide simple VLAN information propagation.

A redundant pair of Cisco Content Services Switches (CSS 11501s) were installed to provide Layer 4 to Layer 7 load-balancing to the data centre hosted web servers. Each CSS was configured to take on half of the traffic flow to the web servers with one CSS looking after standard HTTP traffic whilst the other serviced HTTPS traffic, with either Cisco CSS Switch able to take on the full load on failure of one of the devices.