Computer networks
FlyServer, 2021-05-26 10:35:36

What is needed to protect the bank's local network?

We are doing a course project on the security of computer networks. Actually, neither networks nor their protection were really explained to us. We are not network engineers; this is the first time we have encountered this. The organization is a small bank: a head office and several branches. Initially, we designed the bank's network "before", that is, just a network without any protection, in Cisco Packet Tracer. The network is elementary. Now we need to design this network in GNS3, but in a secure version. Standard architecture: LAN, DMZ and WAN zones, separated by a firewall. All Cisco equipment (switches and routers). The LAN zone is several VLANs with ordinary employees' computers; in the DMZ zone a server on Ubuntu for the website and mail is planned; and the WAN zone has a router for Internet access. Communication with branches is planned to be organized through IPsec tunnels. FortiGate was chosen as the firewall for two reasons: the availability of an image for GNS3 and an abundance of training materials. It is an NGFW with two modes, profile-based and policy-based. For now, we've decided to organize everything using policy mode. These policies allow you to configure who can and cannot access what, and where. The question is: will this be enough? What else needs to be added (preferably something that can be implemented in GNS3)?

2 answer(s)
res2001, 2021-05-26
@FlyServer

In a banking network, as a rule, there are segments to which access from the local network is limited. Access to the computers in such a segment is restricted to a narrow circle of people, the premises are under their own alarm systems, etc. They sit behind their own firewall and are placed in a separate VLAN, but since access to banking resources may be required from this subnet, the firewall allows access only to certain fixed addresses.
Sometimes some network segments are physically separated from the Internet, i.e. a separate cable plant and separate switches are used that are not connected to the Internet in any way, neither through a gateway nor through anything else.
It is preferable to communicate with remote offices not via the Internet, but over the network of some telecom operator (or several), forming your own corporate network. Traffic in such a network is transmitted through a VPN in encrypted form. If some remote offices cannot be connected to the corporate network, then they use the Internet + VPN. Ideally, the VPN should be built using certified means.
DLP systems are deployed on the network, especially on computers in the isolated subnets.
Antivirus and a corporate firewall are taken for granted.
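The segmentation this answer describes (a restricted VLAN that may reach only fixed addresses, employee VLANs that reach the DMZ only on the published services, deny by default everywhere else) is easy to state and easy to break with one overly broad rule, so here is an added example that is not part of the thread and not FortiGate code: a small first-match policy evaluator in Python with a constructed rule set, plus an audit that flags any allow rule leaving the restricted segment for a destination outside the fixed list. All addresses, segment names and rule names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical addressing for the segments named in the thread (constructed, not from the page)
LAN_VLAN10 = "10.10.10.0/24"   # employee VLAN
LAN_ALL    = "10.10.0.0/16"    # all employee VLANs
RESTRICTED = "10.10.99.0/24"   # limited-access segment, own VLAN, own firewall
DMZ_NET    = "10.20.0.0/24"    # DMZ
DMZ_SERVER = "10.20.0.10/32"   # Ubuntu web/mail server in the DMZ
CORE_APP   = "10.30.0.5/32"    # the one fixed banking resource the restricted segment may reach
ANY        = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # TCP port, None means any port
    action: str           # "allow" or "deny"


# Constructed policy, evaluated top to bottom, first match wins
RULES: List[Rule] = [
    Rule("restricted-to-core-app", RESTRICTED, CORE_APP, 443, "allow"),
    Rule("restricted-deny-rest",   RESTRICTED, ANY,      None, "deny"),
    Rule("lan-to-restricted-deny", LAN_ALL,    RESTRICTED, None, "deny"),
    Rule("lan-to-dmz-https",       LAN_VLAN10, DMZ_SERVER, 443, "allow"),
    Rule("lan-to-dmz-imaps",       LAN_VLAN10, DMZ_SERVER, 993, "allow"),
    Rule("dmz-to-lan-deny",        DMZ_NET,    LAN_ALL,    None, "deny"),
]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """First-match evaluation of a flow; anything unmatched hits the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action, r.name
    return "deny", "implicit-deny"


def audit_restricted_segment(rules: List[Rule], restricted_cidr: str,
                             allowed_dsts: List[str]) -> List[str]:
    """Names of allow rules whose source overlaps the restricted segment and whose
    destination is not fully inside one of the fixed allowed hosts/networks.
    Order-independent on purpose: a bad allow rule is a finding even if a deny
    above it currently shadows it, because the next re-ordering will expose it."""
    restricted = ipaddress.ip_network(restricted_cidr)
    allowed = [ipaddress.ip_network(a) for a in allowed_dsts]
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if not ipaddress.ip_network(r.src).overlaps(restricted):
            continue
        dst = ipaddress.ip_network(r.dst)
        if not any(dst.subnet_of(a) for a in allowed):
            findings.append(r.name)
    return findings


if __name__ == "__main__":
    flows = [
        ("10.10.99.5", "10.30.0.5", 443),    # restricted -> core app: allowed
        ("10.10.99.5", "10.20.0.10", 443),   # restricted -> DMZ web: denied
        ("10.10.10.7", "10.20.0.10", 443),   # employee -> DMZ web: allowed
        ("10.10.10.7", "10.20.0.10", 22),    # employee -> DMZ ssh: implicit deny
        ("10.20.0.10", "10.10.10.7", 445),   # DMZ -> LAN: denied
    ]
    for s, d, p in flows:
        print(s, "->", d, p, evaluate(RULES, s, d, p))
    print("audit (clean):", audit_restricted_segment(RULES, RESTRICTED, [CORE_APP]))
    bad = RULES + [Rule("restricted-any-out", RESTRICTED, ANY, None, "allow")]
    print("audit (broad rule added):", audit_restricted_segment(bad, RESTRICTED, [CORE_APP]))
```

The audit deliberately ignores rule order: a broad allow that is currently shadowed by the deny above it is still a defect waiting for the next re-ordering, which is the kind of drift that turns a "fixed addresses only" segment into an ordinary one.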

Sergey Leshchev, 2021-06-03
@BMSerg

>What is needed to protect the bank's local network?
Much. Start by hiring the appropriate specialists :)
PS Regarding the "laboratory": an internal CA infrastructure will be required. Replace all self-signed certificates on equipment, servers and workstations with ones issued by it, do SSL inspection on the FortiGate, configure VPN and 802.1X, and much else; the bank must have this.
