I'm proposing a newer site "edge" design at my current workplace and I'd love the community's feedback on the different options I can put forward.
Organisation has multiple resorts spread across the country (12+ and expanding). It also has 20+ retail stores to sell its products and services.
Current Setup:
Each hospitality site has 3 classes of networks:
- Guest - Guest/Conference wifi and wired connections.
- Corporate - Corporate apps, hospitality management systems, O365.
- Third Party - CCTV, BMS, HVAC, Car Parking, In-room entertainment etc.
The resort has a "core/edge" Cisco Catalyst stack hosting the gateways for Corporate and Third Party networks. Guest networks have their gateways hosted on the Service Provider ISR routers' "Guest VRF". The access layer is a standard Cisco setup - just Layer 2.
The Catalyst switch participates in dynamic routing with the "Corporate VRF" on the SP Router. Internet on the Guest VRF is provided via a local breakout. Corporate VRF gets its internet via DC default route(s). The site also has a Riverbed (for corporate traffic) and a NetEqualizer (for shaping Guest internet).
Problem:
Segmentation between the networks is quite ugly and manual - several stateless ACLs configured on the core switch SVIs. We have many 3rd party cookie-cutter solutions deployed that require connectivity between 3rd Party and Corporate. Some of these solutions give the Security team and myself nightmares. An ACL is really not scalable.
Someone before my time decided that extending Cisco ISE from Corporate HQ to the resorts would "segment" the network. We are now deploying it at these locations but I have made it clear that ISE isn't a silver bullet - it only prevents unauthorised access to the network at this stage.
The business is also looking at the following tech to transform the network:
- DNA Center - I chased the reps away, asking them to come back in 2 years when the product is stable.
- SDWAN (provided & managed by the MPLS SP) - on current Cisco ISR 4k, with ridiculous pricing that completely takes away the benefits of decomming MPLS.
Solution Option 1:
- A new L3 edge device like a Fortigate with 3 VDOMs for Guest, Corporate and Third Party.
- Provision and manage these networks via Fortimanager.
- Provide inter-VDOM routing & Firewalling where required.
- Use Traffic and App shaping for Guest and Corp traffic. Decommission the extra boxes.
- Participate in WAN routing with the ISRs for now. Plan a move to SDWAN when:
  - FGT's implementation of SDWAN is more mature and/or
  - MPLS links are at the end of their contract
Pros:
- Actual network segmentation and NGFW capabilities at the edge.
- Easier to deploy and manage networks using a "stable" version of Fortimanager.
- Sets us up well for SDWAN in the future.
- Fairly simple migration.
Cons:
- Our DC edges run PA. We'd have to get another head-end "firewall" during SDWAN implementation.
- The perception of yet another firewall blocking people trying to get stuff done.
Solution Option 2:
- Go All-In/Whole Enchilada on the SDWAN solution.
- Use a reliable "Secure SDWAN" solution that provides network segmentation features from Day 1 (the GUI ACLs on Meraki don't count).
Pros:
- Getting network segmentation and SDWAN ticked under one project.
Cons:
- It is hard to find a vendor that does all the things well - we lose out on the various NGFW capabilities that a Fortigate would have provided.
- Just a mental thing about SDWAN still in its infancy, whereas a basic firewall + MPLS solution would keep chugging along just fine.
Apologies for the long post, keen to hear your thoughts. How would you approach this?
TL;DR: Org uses heaps of ACLs on core-switches at sites, but also wants to move towards SDWAN. Need segmentation method (now) that can also do SDWAN-like stuff (in the future).
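Whichever option wins, the first step is the same: turn the pile of stateless SVI ACLs into an inventory of which network class is allowed to talk to which, so they can be re-expressed as zone-pair policies on a VDOM or SD-WAN device. The script below is an added example, not the poster's configuration or any vendor's tool. It assumes one summary prefix per network class (constructed 10.20/16, 10.30/16, 10.40/16 addressing) and parses a constructed sample of Cisco extended ACLs in the `permit <proto> <src> <wildcard> <dst> <wildcard> [eq port] [established]` form, then builds the zone-to-zone permit matrix and flags the entries that make the current approach hard to trust: catch-all `permit ip any any`, `established` return-traffic rules (a stateless stand-in for session state), and Third Party to Corporate permits wider than a single host and port.

```python
"""Inventory stateless core-switch ACLs into a zone-pair matrix before migrating
to zone policies. Illustrative example with constructed data; not a real site config."""
import ipaddress
import re
from collections import Counter

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed: assumed summary prefix per network class at one resort.
ZONES = {
    "Corporate": ipaddress.ip_network("10.20.0.0/16"),
    "ThirdParty": ipaddress.ip_network("10.30.0.0/16"),
    "Guest": ipaddress.ip_network("10.40.0.0/16"),
}

# Constructed sample of the kind of extended ACL applied inbound on core SVIs.
SAMPLE_CONFIG = """\
ip access-list extended THIRDPARTY-IN
 permit tcp 10.30.5.0 0.0.0.255 host 10.20.1.10 eq 443
 permit tcp 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255 established
 permit ip 10.30.9.0 0.0.0.255 10.20.0.0 0.0.255.255
 deny ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip any any
ip access-list extended GUEST-IN
 deny ip 10.40.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 deny ip 10.40.0.0 0.0.255.255 10.30.0.0 0.0.255.255
 permit ip any any
"""


def _take_addr(tokens, i):
    """Consume one ACL address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i + 1] == "0.0.0.0":  # wildcard 0.0.0.0 means a single host
        return ipaddress.ip_network(tokens[i] + "/32"), i + 2
    # ipaddress accepts a Cisco-style inverse (host) mask after the slash.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Return one dict per permit/deny entry, tagged with the ACL it belongs to."""
    entries, acl = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            acl = m.group(1)
            continue
        t = line.split()
        if acl is None or not t or t[0] not in ("permit", "deny"):
            continue
        src, i = _take_addr(t, 2)
        dst, i = _take_addr(t, i)
        rest = t[i:]
        port = rest[rest.index("eq") + 1] if "eq" in rest else None
        entries.append({"acl": acl, "text": line, "action": t[0], "proto": t[1],
                        "src": src, "dst": dst, "port": port,
                        "established": "established" in rest})
    return entries


def zone_of(net):
    """Map a prefix to the network class that contains it, or 'any' / 'other'."""
    if net == ANY:
        return "any"
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "other"


def permit_matrix(entries):
    """Count permit entries per (source zone, destination zone) pair."""
    return Counter((zone_of(e["src"]), zone_of(e["dst"]))
                   for e in entries if e["action"] == "permit")


def audit(entries):
    """Flag permits that undermine segmentation; each finding is (acl, line, reason)."""
    findings = []
    for e in entries:
        if e["action"] != "permit":
            continue
        sz, dz = zone_of(e["src"]), zone_of(e["dst"])
        if e["src"] == ANY and e["dst"] == ANY:
            findings.append((e["acl"], e["text"],
                             "catch-all permit: every flow not denied above it is allowed"))
        elif e["established"]:
            findings.append((e["acl"], e["text"],
                             "stateless 'established' rule: any TCP segment with ACK/RST set "
                             "passes with no session state behind it"))
        elif sz == "ThirdParty" and dz == "Corporate" and (
                e["port"] is None or e["dst"].prefixlen < 32):
            findings.append((e["acl"], e["text"],
                             "ThirdParty->Corporate permit wider than one host and one port"))
    return findings


def report(config):
    """Human-readable summary: the zone-pair matrix, then the flagged entries."""
    entries = parse_acls(config)
    lines = ["Permit entries per zone pair:"]
    for (src, dst), n in sorted(permit_matrix(entries).items()):
        lines.append(f"  {src:>10} -> {dst:<10} {n}")
    lines.append("Findings:")
    for acl, text, reason in audit(entries):
        lines.append(f"  [{acl}] {text}\n      {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run against a real `show running-config | section access-list` export, the matrix is the starting point for the zone policy table on the new edge device; the findings list is what has to be justified or removed before that migration, because a stateful policy engine will not replicate the `established` or catch-all entries for free.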