Corporate networks today must defend against numerous threats while still delivering high performance and availability, and without impacting user productivity.
Multiple companies have engaged Involta to design and build secure corporate networks. While the specifics of each implementation will vary somewhat based on each company’s needs and existing configurations, here we provide a composite overview of a secure end-to-end network solution.
The days of throwing up a firewall at your network perimeter, or taking the “traditional” approach of hand-built point-to-point IPsec (Internet Protocol Security) tunnels for your VPN (Virtual Private Network), are long gone.
Point-to-point IPsec tunnels don’t easily support QoS (Quality of Service) for voice and video traffic, because the packets are classified after they have been encrypted. They also scale poorly: plain IPsec carries unicast only, so it cannot transport the multicast hellos used by EIGRP (Enhanced Interior Gateway Routing Protocol) and OSPF (Open Shortest Path First), and routing over the tunnels has to be static or hand-maintained. As a result, every new IPsec spoke added to the network also requires changes to the headend firewall’s crypto configuration and to the core routing.
When it comes to your corporate network, performance demands – and threat levels – have never been higher. Your network needs to be equipped for intrusion detection and prevention, malware defense, bring-your-own-device culture, remote users who may be using unsecured connections, the list goes on. And all this needs to be accomplished without hindering the productivity of end users.
Involta’s solution begins with Dynamic Multipoint Virtual Private Network (DMVPN), a proven combination of multipoint GRE tunnels, NHRP (Next Hop Resolution Protocol) and IPsec that allows clients to use inexpensive broadband Internet connections to connect securely back to the headend and, on demand, directly to other spoke offices. Because the hub learns spokes dynamically through NHRP, a new site is brought up by configuring only the spoke router, and the GRE encapsulation carries the multicast traffic that routing protocols need.
The diagram depicts a DMVPN network with redundant “hubs.” Each “spoke” DMVPN router is configured with two tunnels, one to each hub, so that a site stays connected if one hub or one headend circuit fails. At the headend (hub), a Cisco Adaptive Security Appliance (ASA) firewall inspects the spokes’ Internet-bound web traffic, which is backhauled through the hub rather than breaking out locally. This ASA is equipped with Cisco FirePOWER Services, which provide intrusion detection and prevention, advanced malware protection and centralized logging.
Cisco Advanced Malware Protection (AMP) for Endpoints can be installed on user devices, and the Cisco AnyConnect Secure Mobility Client makes remote connectivity simple and safe, stopping a user with an infected device or an unsecured connection from compromising your corporate IT infrastructure.
With the Involta network configuration described, site-to-site traffic is encrypted, every site’s Internet access passes through the inspecting headend, your corporate assets are protected from dangerous malware, and you have a way to proactively monitor both the current and the past state of your network.
No single control is perfect, and the design assumes that. If malware gets past the FirePOWER ASA, the AMP endpoint connector is the next layer: it detects the file on the device and reports the event back to the FireSIGHT Management Center. Within FireSIGHT, you can see which hosts were targeted and trace the path the file took through the network, the information you need to decide what to quarantine and how to eradicate the threat.
AnyConnect is highly customizable and, together with the posture checks and dynamic access policies on the ASA, can enforce connection conditions such as up-to-date antivirus definitions or a securely configured operating system before a device is allowed on the network. Because the ASA authenticates remote users against the corporate directory rather than against locally defined accounts, offboarding is simple: when a user leaves the company, all the network administrator needs to do is disable that one directory account. No more sending updated IPsec profiles to everyone.
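The directory-backed authentication that makes “just disable the account” work is shown below as an added example (written for this page, not the page’s own or Involta’s configuration): an ASA AnyConnect tunnel group that authenticates against Active Directory over LDAP and admits only members of a VPN group. The server address, bind account, domain names, group names and address pool are placeholders. The HostScan posture rules the paragraph mentions are built in ASDM as dynamic access policies and are not shown here.

```cisco
! Added example, not from the original page. Placeholders: domain controller
! 10.1.1.10, domain corp.example.com, bind account asa-bind, AD group VPN-Users,
! client pool 10.200.0.0/24.
!
! Weak pattern this replaces: per-device local users. Offboarding then means
! editing every ASA that has the account:
!   username alice password REPLACE-ME privilege 0
!   tunnel-group CORP-VPN general-attributes
!    authentication-server-group LOCAL
!
! ---- directory authentication ----
aaa-server CORP-AD protocol ldap
aaa-server CORP-AD (inside) host 10.1.1.10
 ldap-base-dn dc=corp,dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=Service Accounts,dc=corp,dc=example,dc=com
 ldap-login-password REPLACE-ME
 server-type microsoft
 ldap-attribute-map AD-MAP
!
! Map AD group membership to a group policy; anyone not in VPN-Users falls
! through to NOACCESS, which permits zero simultaneous logins.
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-Users,OU=Groups,DC=corp,DC=example,DC=com CORP-VPN-POLICY
!
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
group-policy CORP-VPN-POLICY internal
group-policy CORP-VPN-POLICY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 vpn-idle-timeout 30
!
ip local pool VPN-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0
!
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group CORP-AD
 default-group-policy NOACCESS
tunnel-group CORP-VPN webvpn-attributes
 group-alias Corporate enable
!
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

With this in place a disabled Active Directory account fails the LDAP bind, so the user cannot connect even though nothing on the ASA changed; removing someone from the VPN-Users group has the same effect because they land in NOACCESS. Note that `tunnelall` sends all of the remote user’s traffic through the headend, which is what puts remote users behind the same FirePOWER inspection as the spoke sites.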