Firma Dr. Claus Fischer
Redundant Failsafe Internet Gateway
An Internet Gateway with VPN for a company with
several international subsidiaries.
Functionality
The customer is an Austrian company with several subsidiaries
around the globe. This solution implements basic Internet gateway
and Intranet functionality, including firewall and VPN,
mail server with virus check and IMAP service, Internet proxy,
time and name server, intranet web server with SMB/CIFS access,
and an LDAP database with central administration of all permissions.
The standard operational unit consists of four PCs with pair-wise
redundant functionality. A similar functional block is deployed in the
headquarters and in each subsidiary. The setup is symmetric;
administration is possible from any subsidiary, and data is
automatically synchronized. This allows administrator-less operation
in all subsidiaries.
Each operational unit is autonomous; when one subsidiary loses its
Internet connection, the rest of the network continues to function
normally. Setup and integration of new subsidiaries are comparatively
easy.
The installation supersedes an older corporate frame relay network and
saves considerable costs while greatly extending the functionality.
A tight firewall, coupled with the use of proxy servers, creates a
double security barrier. Virus scanners and continuous monitoring
protect the inner corporate network.
Design Requirements
- Central administration
  All administration is done from the headquarters. No qualified
  personnel is required in the subsidiaries. All permissions can be
  adjusted in a central place.
- Autonomous operation
  When a subsidiary, or the headquarters, experiences a loss of power
  or Internet connection, the system continues to function in the
  other subsidiaries. All required data is kept locally in each
  subsidiary.
- Easy replacement process
  Replacement of defective hardware can be done from headquarters.
  The process is:
  - Set up a standard PC and install the image
  - Adjust a short list of settings for the subsidiary
  - Adjust the power supply (110/240 V)
  - Mark all connectors with a color scheme so that untrained personnel
    can install them unambiguously
  - Ship to the subsidiary
  When the box is hooked up in the subsidiary, it automatically
  synchronizes with the other server or firewall. There is no time
  pressure, since the system continues operation with only one
  server/firewall.
- Low cost components
  All software components except the virus scanner engine are
  standard free software and can be duplicated without cost. All
  hardware components are standard PCs.
- Low bandwidth usage
  Data synchronization is done with bandwidth-saving protocols.
Architecture
The Internet gateway is designed as a functional block of four
standard PCs. Two of them act as firewalls, two as servers.
Both firewall and server come in redundant pairs; should one
of them experience a hardware failure, the other one takes over
service automatically.
The firewall PC is a multi-line VPN endpoint. It operates dedicated
VPN connections to all firewalls of all other subsidiaries. Both
firewalls may be hooked up to different Internet providers for
redundancy. Firewalls automatically detect dead VPN connections and
change the routing accordingly.
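The dead-tunnel detection and rerouting described above, as an added illustration that is not the project's own code. The page does not name the VPN software, so this only models the decision logic: each tunnel is probed once per interval, a tunnel is declared dead or alive only after a run of consistent probe results (to avoid route flapping on a single lost packet), and the live tunnel with the best priority is selected; the tunnel names, priorities and the probe log are constructed sample data.

```python
"""Tunnel liveness tracking with hysteresis and route selection.

Added example, not the original project's code. Assumes a remote
subsidiary is reachable over two VPN tunnels (one per local firewall
and Internet provider) and that a probe result (True = reply received)
arrives for each tunnel every interval.
"""
from dataclasses import dataclass

DOWN_AFTER = 3  # consecutive failed probes before a tunnel is declared dead
UP_AFTER = 2    # consecutive good probes before a dead tunnel is trusted again


@dataclass
class Tunnel:
    name: str       # constructed label, e.g. "primary" or "backup"
    priority: int   # lower wins when several tunnels are alive
    alive: bool = True
    fails: int = 0
    oks: int = 0

    def observe(self, reply: bool) -> None:
        """Feed one probe result; the state flips only after a run of results."""
        if reply:
            self.fails, self.oks = 0, self.oks + 1
            if not self.alive and self.oks >= UP_AFTER:
                self.alive = True
        else:
            self.oks, self.fails = 0, self.fails + 1
            if self.alive and self.fails >= DOWN_AFTER:
                self.alive = False


def select_route(tunnels):
    """Return the name of the live tunnel with the best priority, or None."""
    live = [t for t in tunnels if t.alive]
    return min(live, key=lambda t: t.priority).name if live else None


def run_probes(tunnels, probe_log):
    """Replay per-interval probe results ({tunnel_name: reply}); return the
    tunnel chosen after each interval, i.e. what the route would point at."""
    by_name = {t.name: t for t in tunnels}
    history = []
    for interval in probe_log:
        for name, reply in interval.items():
            by_name[name].observe(reply)
        history.append(select_route(tunnels))
    return history


# Constructed sample: the primary tunnel drops for 4 intervals, then recovers.
SAMPLE = ([{"primary": True, "backup": True}] * 2
          + [{"primary": False, "backup": True}] * 4
          + [{"primary": True, "backup": True}] * 3)

if __name__ == "__main__":
    print(run_probes([Tunnel("primary", 10), Tunnel("backup", 20)], SAMPLE))
```

In a real deployment the returned name would drive the route change (replacing the kernel route for the remote subsidiary's network), and the thresholds should be tuned to the probe interval so that failover is fast without reacting to single lost packets.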
The firewall PC also acts as a firewall with NAT (Network Address
Translation) for the servers in the block. Firewall logs are sent
to the servers for evaluation.
The server PC implements all networking related services, i.e. a
secure mail server with virus scanning and IMAP service, an Internet
proxy server for HTTP and FTP, time and name services (NTP and DNS),
an intranet web server with group-specific protected areas, and an
LDAP server.
The intranet service includes a web-based administration front-end to
administer users and adjust their access permissions for the various
services and areas. It also offers a webmail interface to users
who prefer that.
All data is automatically synchronized between the servers in a
subsidiary and across subsidiaries.
Architectural Overview