Opened 4 years ago

Closed 4 years ago

#1962 closed defect (fixed)

Develop a new network scheme

Reported by: matze
Assignee: fred
Priority: P2
Milestone: (none)
Module: Office-IT
Keywords: (none)
Cc: (none)
Blocked By: (none)
Blocking: #1961
Platform: Unknown
Ready: no
Confidential: no
Tester: Unknown
Verified working: no
Review URL(s): (none)

Description

In order to divide our internal network and further improve on security and performance, we first have to create a concept or draft of the target layout. This must include all of the following:

  • Reasons and motivation for re-structuring
  • Definition of the exact requirements
  • Description of one or more possible solutions
  • Recommendation for either one, incl. rationale

Also, please make sure to incorporate some information on the current network hardware and try to re-integrate it with the new concept.

Change History (3)

comment:1 Changed 4 years ago by fred

Reasons and motivation for re-structuring:

The current Eyeo office network (LAN) is kind of a “wild-west” environment where no defined security level can be established, because there is no one establishing and enforcing security rules. That is okay from a user’s point of view, because no one gets limited in how they set up and use their devices (computers, smartphones, etc.).

But from a company perspective this is probably not so great because it comes with some risks:

Why is the current LAN not secure?

  • Everyone can bring any device into the (wireless) network; they just need to know the shared WPA password or simply plug the device into a LAN outlet. These devices might be compromised / infected with viruses/malware/etc. without their owners knowing.
  • There is no central network access control system (e.g. via RADIUS), so it is not possible to control which devices are using our network.

Such infected devices could be used for hacker attacks from the inside (circumventing the firewall) and currently can directly communicate with and therefore attack other users’ devices, servers and infrastructure components (phone system, switches, routers, printers).

Results could be:

  • Damage / Denial of service leading to productivity loss
  • Data / information leaks / theft

Suggested solution:

A separate secure / managed network would only allow access to defined devices that are known to be safe because they are

  • either directly managed by Office-IT or
  • by someone following the security rules defined by Office-IT.

Also, all devices in the “secure network” could be subject to regular (automated) vulnerability scans and/or manual inspections.
An IDS (intrusion detection system) could further enhance the security of that secured network.
Certain types of devices (e.g. smartphones which are also used for private use) would not be permitted on the secure network at all. (They can still be used on the unmanaged network as before.)

Last edited 4 years ago by fred

comment:2 Changed 4 years ago by matze

The current status of the concept is tracked in its own Google Docs folder.

comment:3 Changed 4 years ago by matze

  • Resolution set to fixed
  • Status changed from new to closed
  • Tester set to Unknown
  • Verified working unset

Since the network scheme has already been agreed on and we have in fact applied many of the modifications already, I consider this ticket complete. Further adjustments may follow, but that's to be expected during operation anyway.
