Hoe ontwerp en realiseer je een

‘digitale wasstraat’?

Basis

Browsing

Introductie

Conclusie & Contact

Context

Hosting

Wie zijn wij

Jeroen van der Meer

In IT sinds 1984

CTO

Systems programming

Datacenter design & Automated operations

Outsourcing achtergrond

Marc Guardiola

In IT sinds 1997

Lead Engineer & Manager Innovation

Engineering & architecture met Linux, Networking & Security

CISSP-ISSAP, CEH

Bitbrains is

gespecialiseerd in

high performance

computing en

ultrasnelle levering van

PoC’s

ASP4all is

gespecialiseerd in

migratie, hosting

en beheer van

bedrijfskritische

applicaties.

ASP4all Bitbrains

Top 3

175+ Personeel

3000+

Servers

Marktontwikkelingen

Werkveld is veranderd van Managed Hosting naar “Reputation Hosting”

Security technologie “versnipperd”

Patriot Act en NSA

DDoS

Context

REPUTATION Secured

zones

Secured

mail

Secured

web

Secured

systems

Content

scanning

Reverse

proxy

Encryption

Disaster

recovery

Infra

scaling

Bandwidth

mgmt

DDoS

Intrusion

prevention

Klant

Basis infra

Public Internet

Trusted partners

Internal WAN

Zonering

Public Internet

Trusted partners

Internal WAN

Zonering

DC1 DC2

Encryption

Encryption

Encryption

Encryption

External

Internal

A

A

A

A

A

Zonering en componenten

Zonefirewall

Diensten

11

12

13

VLAN TL2: Besloten

31

32

33

21

22

23

34

35

36

37

Mail

Forward ProxyResolving DNS

Authoritative DNS

VLAN TL1: PubliekVLAN AL1: Beperkt

File

24

25

Mail

Forward Proxy

26

Forward Proxy AV

NTP

10G 10G

27

Authoritative DNS

Zonefirewall

Diensten

11

12

13

VLAN TL2: Besloten

31

32

33

21

22

23

34

35

36

37

Mail

Forward ProxyResolving DNS

Authoritative DNS

VLAN TL1: PubliekVLAN AL1: Beperkt

File

24

25

Mail

Forward Proxy

26

Forward Proxy AV

NTP

10G 10G

27

Authoritative DNS

Zonefirewall

Diensten

11

12

13

VLAN TL2: Besloten

31

32

33

21

22

23

34

35

36

37

Mail

Forward ProxyResolving DNS

Authoritative DNS

VLAN TL1: PubliekVLAN AL1: Beperkt

File

24

25

Mail

Forward Proxy

26

Forward Proxy AV

NTP

10G 10G

27

Authoritative DNS

Zone firewall

Diensten

10G 10G

AL1: Beperkt

Scheiding

Fysieke versus logische scheiding

Snijverliezen, investering

End-to-end logische scheiding

Zone firewall

Switch

Compute

Virtualization

Scheiding

FEX A

FIA FIB

FEX B

21

22

23

11

12

13

1

2

3

VLAN

Publiek

VLAN

Beperkt

VLAN

BeslotenVmware server 1

Besloten Beperkt Publiek

A1 A2 B1 B2

1 2 3 456 7 8 9

Portchannel Portchannel

Secondary path

Primary path

256 vNICs

FC1 FC2vSwitch

TL2vSwitch

TL1vSwitch

AL1NFS

OS / Hypervisor Visibility

4

3

2

1

4

3

2

1

1240 VIC

VN-TAG Trunk

802.1Q Trunk

1

16 Host ports 16 Host ports

2 1 2

1 2Zone firewall

1 2 3 4 5 6

Scheiding

FEX A

FIA FIB

FEX B

21

22

23

11

12

13

1

2

3

VLAN

Publiek

VLAN

Beperkt

VLAN

BeslotenVmware server 1

Besloten Beperkt Publiek

A1 A2 B1 B2

1 2 3 456 7 8 9

Portchannel Portchannel

Secondary path

Primary path

256 vNICs

FC1 FC2vSwitch

TL2vSwitch

TL1vSwitch

AL1NFS

OS / Hypervisor Visibility

4

3

2

1

4

3

2

1

1240 VIC

VN-TAG Trunk

802.1Q Trunk

1

16 Host ports 16 Host ports

2 1 2

1 2Zone firewall

VMware server 1

1 2 3 4 5 6

Design for failure

Webbrowsing

Customer Wasstraat Internet

Anti-Virus

App check

CONNECT

www.google.nl:443

ACL

Blacklisting

Categorize App check

App check Anti-Virus

Anti-Malware

App check

Anti-Virus

Anti-Malware

Mail

Customer Wasstraat Internet

App check

DKIM

SPF

DMARC App check

App check DKIM SPF

DMARC Anti-Virus

Anti-Malware Blacklisting

Quarantaine

App check

Anti-DDoS

Anti-Virus

Anti-Malware

Hosting

Webserver Wasstraat Internet

Anti-Virus

Anti-Malware

Anti-Vulnerability

Loadbalancing

WAF

Caching

SSL Offloading

App check

DDoS check

Anti-Virus

Anti-Malware

App check Caching App check

Conclusie: Defence in-depth!

Policies, Procedures,

Awareness

Physical

Perimeter

Internal network

Host

Application

Data

ISO27001, ISAE3402 type II

Tier3+ Datacenters

Anti-DDoS, L7 Firewall / IDP

WAF, Zoning/IDP, Web&Mail

security

Hardened OS & Middleware

Standard frameworks, patched &

audited

Enterprise storage

“Een ontwerp kan

sterven in schoonheid…”

Conclusie

Conclusie

Maar… ASP4all & Securelink hebben dit daadwerkelijk gerealiseerd!

>36000 end users

400 servers

75 koppelingen met externe netwerken

70 TB raw storage

Binnen budget, binnen tijd

Meer weten ?

Jeroen van der Meer: jmeer@asp4all.nl

Marc Guardiola: mguardiola@asp4all.nl

Voorbeeld klantcase:

http://www.asp4all.nl/over-asp4all/klantervaringen/

ministerie-van-veiligheid-en-justitie

Bedankt voor uw aandacht!