Sunday, February 2, 2020

I've been planning some upgrades and I'm looking for thoughts and opinions

Preface: I was "gifted" a network over a year ago. The SM fiber between the sites has always been there because I managed a department at that site as it required CJI compliance. I adopted it from a team of two, one of whom was arrested for distributing and taking meth and the other committed suicide about 4 months later. It has been a nightmare but I'm making a lot of progress with it. Because of security risks/reasons, these are still two totally different networks with just a few firewall rules between the Cisco 5525x and Cisco 2110 for me to manage them. At this time it's still two separate forests, two internet paths, two independent firewalls, two core/distribution layers, etc. I had to move all the servers out of Site D because it didn't meet my standards for a server room. There is only a UPS with a 20 amp A and B side, and a split forced-air unit that wasn't on backup power. In the first 6 months I was managing that network the site lost power 4 times, and 2 of those events lasted over 2 hours. The UPSs couldn't even support the servers, so 3 of them immediately lost power at every event. So all the servers are at site C and I trunked the fiber connection to maintain my secure network and allow the servers to live in a real server room.

Figure 1 Current - The diagram is kind of wrong, there is a tunnel between the sites for compliant data. Data that doesn't need to be encrypted isn't. There are two different networks.

Figure 2 Goal - Site B is under construction and should be completed in spring. It's a remote site so only microwave will reach them, but it's close to a CenturyLink fiber so I can demarc fiber there. It will also be a real server room with 100 amp A and B service, backup generator, redundant air conditioning, etc. Then tunnel it back to the Switch datacenter where I can have access to multiple ISPs for redundancy. I rent 2RUs from my lower level ISP who has a direct L2 connection to many ISPs. With the current AT&T tunnel, that means I'd have two fiber paths that are 100% separate until they converge at Switch at two different sites, with a ring to bring them back together, so I'd be pretty prepared for any kind of physical failure.

My biggest consideration is 140-2 compliance.

MACsec seems like it would be the easiest way to handle this. My understanding is if I get a switch that is MACsec capable, like the c9300, it has very little to no performance hit while still providing encryption from switch to switch. But I'm misunderstanding the differences when discussing FIPS compliant modules and services. From what I've read, MACsec is non-compliant.

For the Cisco 9300, here is a report from Acumen stating:

Acumen Security confirmed that the following features leverage the embedded cryptographic module to provide cryptographic services for SSH, TLS, IKEv2, IPsec and SNMPv3:

• Session establishment supporting each service.

• All underlying cryptographic algorithms supporting each service's key derivation functions.

• Hashing for each service.

• Symmetric encryption for each service.

From my understanding, MACsec is not any of those services. However, MACsec still uses the module these services use. When I'm reading directly from NIST it doesn't talk about the services tested by Acumen. It does, however, say that AES-GCM-128 or 256 is a FIPS algorithm, which is what MACsec would use. My opinion on the matter is that, based on the information on NIST's website, I should be good.
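For reference, here is the shape of a switch-to-switch MACsec configuration on IOS-XE (Catalyst 9300 class) as an added example; it is not from the original post or copied from Cisco's documentation. The interface, key-chain and policy names are assumptions, and the key values are placeholders. The `fips authorization-key` step is what places the switch's module into FIPS mode, which is the operating mode the CMVP certificate's Security Policy describes; the MKA policy pins the link to GCM-AES-256, the AES-GCM suite referenced above.

```cisco
! Assumed platform: Catalyst 9300, IOS-XE, uplink Te1/1/1 facing the peer site.
! Step 1: put the cryptographic module into FIPS mode (requires a reload).
! The key is a placeholder; IOS-XE expects a 32-character hex value.
fips authorization-key <32-HEX-CHAR-KEY-PLACEHOLDER>

! Step 2: pre-shared CAK for MKA. aes-256-cmac needs a 64-hex-character key-string.
! Both switches on the link must carry the same key id and key-string.
key chain MKA-KEYS macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string <64-HEX-CHAR-CAK-PLACEHOLDER>

! Step 3: MKA policy pinning the cipher suite to GCM-AES-256 and encrypting the
! whole frame payload (confidentiality offset 0 = no cleartext bytes after the SecTAG).
mka policy SITE-LINK
 macsec-cipher-suite gcm-aes-256
 confidentiality-offset 0

! Step 4: apply to the inter-site trunk. The same stanza goes on the peer switch.
interface TenGigabitEthernet1/1/1
 description Trunk to peer site (MACsec protected)
 switchport mode trunk
 macsec network-link
 mka policy SITE-LINK
 mka pre-shared-key key-chain MKA-KEYS
```

After both ends are configured, `show mka sessions` should show the session as Secured with the GCM-AES-256 suite, and `show macsec interface TenGigabitEthernet1/1/1` shows the per-interface cipher and that encryption is on; a session stuck in Init on either side usually means the CAK or key id does not match between the two switches.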

I really don't want to reach out to my security officer or auditors to ask questions unless I know 100% that they'll say, "No problem, send me an updated map for me to approve and we'll be good." When I compared the cost of the 9300s to their performance, I don't see myself hitting their performance limit anytime soon, which is why I don't find it necessary to get something like an ASR or Nexus. I figure why not just get the needed distribution ports if the c9300 gives me all the routing protocols and performance I need.

Right now c3650s are the core routing and distribution layer. Static routes to the 5525x HA or 2110 HA pair depending on the network, and a 3900 or 1941 on the edge depending on the network.

Past the firewalls, I don't need the encryption through the tunnels. From there, any CJI data will be encrypted with a site-to-site tunnel between the firewalls.

As for the equipment at Site A, a c9300 is overkill. I think I can just take some of the c3650s I replace, stack 2 together so 1 tunnel drops off on switch 1, another tunnel drops off on switch 2, and LACP back to the provider from each switch so I can say there is redundancy at every conceivable level. It's just routing the internet traffic, which is going to be like 500/500 at most, and the TSoIP traffic at ~1750 Mbps at full capacity, which is just nothing.

Next, I've never used firewalls in an active/active configuration. Can I put one of the 2110s at site C, the other at B, and just route traffic to the pair? I know in active/standby that wouldn't work, but I just don't know enough about active/active. Or do I just keep the 5525x pair at C and the 2110 pair at B and OSPF from the c9300s to two different firewalls?

Does any of this seem reasonable or am I just an idiot?
