Sunday, November 7, 2021

My SMB flat network with everything on VLAN 1. What are my priorities to change?

As the title suggests, I put the 'S' in SMB, with a total staff count of 1 who is currently responsible for sales, marketing, development, engineering, IT, etc. Basically, a one-man shop. I have a couple of 'products' that I have developed that are used by a small number of people. It's a side activity more than anything; my main role is Senior Software Engineer at another large institution. I use this side activity as a way to increase my knowledge and as a hobby, albeit one that does provide an income.

My network has grown from a single firewall with no switches and 1 server to multiple firewalls, multiple switches, a VMware cluster (3 nodes) and a number of additional physical devices. This has grown more out of me wanting to do so than the infrastructure becoming overworked.

I liked to think that I at least had a general idea of do's and don'ts, but I have been humbled by researching some topics over the last week or so as I want to upgrade my cluster and was looking up how to do things with a new version. The net result of that is that I now fear I am potentially doing less than what I should be doing and I need schooling.

What I currently have is:

2 firewalls
4 switches (2 x 48port 1/10 and 2 x 16 port 10Gbe)
5 servers
1 NAS

Everything is currently on a 10.0.0.0/8 network.

Multi-homed incoming ethernet connection from my ISP

2 Cisco ASA 5506-X firewalls in an active/passive configuration with only a single external and single internal interface in play. I have an external VLAN (2) that the incoming feed goes into as well as my external interface. Each firewall is plugged into separate switches with the same config and there is a trunk for VLAN 2 between the 2 switches.

The internal interface for the firewalls is then plugged into VLAN 1.

The 48 port 1/10Gbe switches are managed Cisco, but I have bought 2 Netgear M4300-52G to replace them with. The 16 port 10Gbe are Netgear XS716T. I have connected all of these up in a mesh configuration; every switch has a connection to all the others.

Each server has a connection in both switches for 1Gb and both switches for 10Gbe (where applicable).

STP (rapid?) is configured across all switches.

I have deployed ESXi using vSAN and even this is currently on VLAN 1 (this is the change I was looking up, as I am moving to all-flash and want to put vSAN on a separate VLAN).

On top of ESXi, I have a number of Linux boxes (email, DNS, proxy in, proxy out) and also a number of Windows boxes with an internal domain (the only real purpose of this is internal DNS and being able to use the same account across all Windows boxes; I am the only user in the domain). I also have a virtual SQL Server install and a physical MySQL server.

All web traffic from external goes through a pair of HAProxy nodes in active/passive, there is no direct access to these externally.

I also have a physical Windows storage server which is primarily used as a backup server, for which I use Veeam and simply back up the contents of the cluster to. There is also a NAS which is mounted on each of the Linux boxes and is used for both shared storage (to serve files from multiple servers) and backup of config (this is probably overkill but it allows me to keep more copies than Veeam).

Each of these boxes has an internal firewall on them. I allow HTTP/HTTPS/SSH/RDP/SQL where applicable. The external firewall has limited ports open to the public: HTTP/HTTPS.

I assume ESXi has a certain amount of protection out of the box.

There are also connections to DRAC cards, etc. which are plugged into one of the switches in a random fashion, again all on VLAN 1.

I connect to the machines directly via RDP or SSH via an ACL that allows my (static) IP and others which I have control of (AWS/Azure).

There are also 2 servers which I look after for another company, a long-time friend. Unfortunately, as it stands, these cannot change much so are out of scope (they need to stay on the 10.0.0.0/8 network). I am free, however, to change anything for my own kit.

There is probably more, but I think the above is a good overview of what is there and how. There is nothing intricate, but that might well be the problem.

I am here asking this question on the basis that I feel a lot of what I read is for large enterprises that have to cater for users, more traffic, direct access to the LAN, etc., which I do not. So I am trying to weigh up what I need to change in order to at least assure myself I am doing the minimum. Maybe I already am, but I doubt that and I am more than willing to be schooled/roasted/etc.

What I think I should do:

Connect to the site via VPN (however I need to be able to access most of the VLANs either directly or through a jump station).

Move ESXi management to subnet/VLAN 10 (192.168.10.0/24), security level 100
Move 'Production' servers to subnet/VLAN 40 (192.168.40.0/24), security level 100
Move DBs to subnet/VLAN 30 (192.168.30.0/24), security level 80
Move Web VMs (DMZ?) to subnet/VLAN 50 (192.168.50.0/24), security level 50

I need to be able to access all but the vSAN VLAN directly.

VLAN 50 needs to access specific IPs/ports on VLAN 40 and specific IPs/ports on VLAN 30 only. I would do this via layer 3 routing and ACLs on the switch.

VLAN 40 needs to access certain IPs/ports on certain VMs. I would do this via layer 3 routing and ACLs on the switch.

I have the option to add virtual interfaces on the firewalls or even use some of the remaining 7 ports and have physical cabling per VLAN. I do have a concern about using the firewall to route everything, so I am hoping to only send north/south traffic to it, leaving east-west on the switch.
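Before pushing ACLs to the switch, a plan like the one above can be sanity-checked as a first-match, deny-by-default rule list run against sample flows. This is an added example and not part of the post: the host addresses, the jump host and the permitted ports are constructed placeholders standing in for the "specific IPs/ports" the post leaves unspecified.

```python
import ipaddress
from typing import NamedTuple, Optional

# Segments proposed in the post. Host addresses below are constructed
# placeholders for illustration, not the real servers.
VLANS = {
    10: ipaddress.ip_network("192.168.10.0/24"),  # ESXi management
    30: ipaddress.ip_network("192.168.30.0/24"),  # databases
    40: ipaddress.ip_network("192.168.40.0/24"),  # production servers
    50: ipaddress.ip_network("192.168.50.0/24"),  # web VMs / DMZ (HAProxy)
}
JUMP_HOST = ipaddress.ip_network("192.168.40.10/32")  # constructed placeholder

class Rule(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]  # None = any destination port

# Evaluated top to bottom like a switch ACL; a flow matching no rule is
# denied, which is the implicit deny every such list should end with.
RULES = [
    # VLAN 50 (web) -> one app server on VLAN 40, HTTPS only (assumed port)
    Rule(VLANS[50], ipaddress.ip_network("192.168.40.20/32"), "tcp", 443),
    # VLAN 50 (web) -> one DB host on VLAN 30, MySQL only (assumed port)
    Rule(VLANS[50], ipaddress.ip_network("192.168.30.5/32"), "tcp", 3306),
    # VLAN 40 (prod) -> DB VLAN on the SQL Server port (assumed)
    Rule(VLANS[40], VLANS[30], "tcp", 1433),
    # Only the jump host reaches ESXi management (HTTPS and SSH)
    Rule(JUMP_HOST, VLANS[10], "tcp", 443),
    Rule(JUMP_HOST, VLANS[10], "tcp", 22),
]

def evaluate(src: str, dst: str, proto: str, dport: int) -> bool:
    """True if the first matching rule permits the flow; False otherwise."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if (s in r.src and d in r.dst and proto == r.proto
                and (r.dport is None or dport == r.dport)):
            return True
    return False  # implicit deny

def vlan_of(addr: str) -> Optional[int]:
    """Map an address to its planned VLAN, or None if it is outside the plan."""
    a = ipaddress.ip_address(addr)
    return next((v for v, net in VLANS.items() if a in net), None)
```

One caveat the model makes visible: switch ACLs are stateless, unlike the ASA, so the reply from 192.168.40.20:443 back to VLAN 50 needs its own permit (or an established-style match) or the connection never completes.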

One of my concerns is about touching VLAN 1 at all. I don't want to take the network offline and I also don't want to lock myself out should I mess up. I do the majority of work remotely. That said, I have 2 new switches that I can run in parallel to the existing ones, and as long as I can cater for the fact that I need to leave a number of servers on 10.0.0.0/8, I can adjust that new config and then plug these into the 10Gbe switches, which at present have limited configuration.

Apologies for the long post. Feel free to ignore, slate, add comments, laugh, repost to r/HolUp, etc.

More than happy to add further details and answer any questions.

Happy Sunday.
