What will remain in the server room?

Many organizations use cloud services or move their equipment to a data center. What makes sense to leave in the server room, and how best to organize perimeter protection of the office network in this situation?

Once upon a time everything was on the server

In the early days of the Runet, most companies solved the IT infrastructure question in roughly the same way: a room was set aside, an air conditioner was installed, and almost all of the network and server equipment was concentrated there.

The system administrator set up one or several servers running FreeBSD, Linux, OpenSolaris or the like, and then launched the necessary services on this "farm": from a web server and corporate mail to file sharing.

As a company grows and develops, it inevitably reaches the point where the server room no longer meets its requirements. If there is money, you can build your own data center; it may be more profitable to rent racks in a commercial data center. High-quality power supply based on DRUPS, an industrial air-conditioning system, a full staff of narrowly specialized experts: these things are hardly available in the case of an office server room.

Following big business, the management of small and medium-sized companies is gradually shifting from the mindset of "I carry everything with me" and "my house is my castle" to "hand it over to someone else and stop worrying".

For small businesses, that "someone else" turned out to be cloud providers. Where a company of 40 people once took having its own mail server for granted, today a service from Google is winning over even those who previously could not imagine working without their own Sendmail or Postfix.

Virtualization was a great help in such a "relocation". Before it appeared, you had to physically move the entire server or configure everything from scratch on new hardware; now it is enough to transfer the virtual machine image.

What will remain in that very small room with air conditioning?

Primarily network equipment, both active and passive. Often the grand name "server room" actually refers to a patch panel with what is left of the network equipment. For such cases a dedicated room with powerful air conditioning, a power system and so on is not required.

The second group of equipment that is still hard to remove from the server room is security gateways.

But what are these gateways? As mentioned above, in the recent past the system administrator had one or several servers on which anything could be deployed; now that luxury may no longer exist.

But the need for protection against external threats has not gone away. You can, of course, move all services and the necessary equipment entirely to the data center and route traffic from a gateway there to the office patch panel over a secure channel, for example a VPN.

At first glance such a scheme looks attractive, were it not for the increased load on the existing links. If you do not want to pay for a fatter link, this is not quite what you need.

Another option is to buy a specialized traffic-protection appliance whose architecture, thanks to its narrow focus, does without powerful, power-hungry and heat-generating components.

A "zoo" is not needed

Without a classic server room, it is much better to get several services "in one box" at once than to breed a "zoo" in a small room, or even inside a small patch cabinet. At the same time the solution should be inexpensive, proven, and have proper support in Russian.

Note: here we are talking about very small, medium-sized and larger offices. Large companies that build their own data centers are not considered here; in one article "it is impossible to embrace the immensity".

And for every case Zyxel already has a solution, all within a single product line. In a word, a "zoo" is not needed.

ZyWALL ATP Security Gateways

Earlier we talked about the operating principles of such devices using the ZyWALL ATP200 as an example. Their main feature is the combination of a firewall with the Zyxel Cloud cloud security service. Thanks to this division of responsibilities, ZyWALL ATP devices handle a fairly wide range of perimeter security tasks without requiring additional hardware resources.

The list of protection functions is quite rich (see Table 1), including the SecuReporter analytics tool and Sandboxing, a sandbox for preliminary analysis of downloaded content.

Once again, it is worth emphasizing: in this case we simply move services from the local office to the cloud. Everything else is done for us by Zyxel Cloud in anonymous mode. Besides convenience, this approach provides effective protection against zero-day threats thanks to machine learning and the exchange of information between ATP gateways around the world. A whole neural network has been built for protection.

Quote: "When an unknown file is detected, Cloud Query quickly (within a couple of seconds) checks its hash code against the cloud database and determines whether it is dangerous or not. This service requires a minimum of network resources, and therefore it does not reduce device performance. Efficiency of protection against threats is ensured by the use of a constantly updated cloud database containing data on billions of threats. Cloud Query also accelerates the work of the intelligent new-threat detection functions of Zyxel Security Cloud, which enhances the protection against malicious code on each ATP firewall."
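The general pattern behind a hash-based cloud reputation check, as an added example that is not Zyxel's code and does not describe how Zyxel Cloud is implemented: the gateway hashes the file, consults a local verdict cache, queries the "cloud" only on a cache miss, and hands anything the database has never seen to the sandbox instead of guessing. The cloud database here is a constructed in-memory dictionary so the example runs offline; the class and function names are assumptions made for this illustration.

```python
import hashlib
import time
from dataclasses import dataclass

# Constructed stand-in for a cloud reputation database: SHA-256 -> verdict.
# A real deployment would query a remote service; this dict lets the
# example run offline.
CLOUD_DB = {
    hashlib.sha256(b"constructed malicious sample").hexdigest(): "malicious",
    hashlib.sha256(b"constructed known-good installer").hexdigest(): "clean",
}


@dataclass
class CacheEntry:
    verdict: str
    expires_at: float  # seconds on the injected clock


class ReputationChecker:
    """Hash lookup with a TTL cache in front of a (simulated) cloud query."""

    def __init__(self, cloud_db, ttl_seconds=3600, clock=time.monotonic):
        self.cloud_db = cloud_db
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so TTL expiry can be tested
        self.cache = {}             # sha256 hex -> CacheEntry
        self.cloud_queries = 0      # how often we actually went to the cloud
        self.sandbox_queue = []     # hashes that need behavioural analysis

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def cloud_query(self, file_hash: str) -> str:
        """Simulated remote lookup; 'unknown' means the hash was never seen."""
        self.cloud_queries += 1
        return self.cloud_db.get(file_hash, "unknown")

    def check(self, data: bytes) -> str:
        file_hash = self.digest(data)
        now = self.clock()
        entry = self.cache.get(file_hash)
        if entry is not None and entry.expires_at > now:
            return entry.verdict            # cache hit: no network round trip
        verdict = self.cloud_query(file_hash)
        if verdict == "unknown":
            # A hash lookup can only recognise files already catalogued somewhere.
            # Unknown files go to the sandbox and are deliberately not cached, so
            # the next sighting re-checks the cloud in case a verdict has appeared.
            self.sandbox_queue.append(file_hash)
            return "unknown"
        self.cache[file_hash] = CacheEntry(verdict, now + self.ttl)
        return verdict


def decide_action(verdict: str) -> str:
    """Map a reputation verdict to what the gateway does with the download."""
    return {"malicious": "block", "clean": "allow"}.get(verdict, "hold-for-sandbox")


if __name__ == "__main__":
    checker = ReputationChecker(CLOUD_DB, ttl_seconds=60)
    for sample in (b"constructed malicious sample",
                   b"constructed known-good installer",
                   b"constructed never-seen file"):
        verdict = checker.check(sample)
        print(f"{checker.digest(sample)[:12]}... {verdict:9} -> {decide_action(verdict)}")
    print("cloud queries:", checker.cloud_queries, "| sandbox queue:", len(checker.sandbox_queue))
```

The design point worth noticing is the asymmetry: known verdicts are cached to keep the check cheap, but an unknown result is never cached, because caching "unknown" would turn a temporary gap in the database into a permanent blind spot.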

Table 1. Technical specifications of the ZyWALL ATP line.

Notes:

(1) Actual performance depends heavily on network conditions and active applications.

(2) Maximum throughput is based on RFC 2544 (1,518-byte UDP packets).

(3) The measured VPN throughput is based on RFC 2544 (1,424-byte UDP packets).

(4) AV and IDP throughput figures use the industry-standard HTTP performance test (1,460-byte HTTP packets). Testing was performed in multithreaded mode.

(5) When measuring the maximum number of sessions, the industry-standard instrument, the IXIA IxLoad testing tool, was used.

(6) The connection-speed tests with a 1 Gbps WAN were carried out in real conditions and may differ slightly depending on link quality.

(7) After the Gold Pack expires, only 2 APs will be supported.

(8) You can enable or extend functionality by purchasing additional licenses for Zyxel services.

Pay attention to the set of supported VPN services. Almost everything needed for communication with headquarters or a home office is already "in one bottle", so this device can safely be recommended both as the branch's communication hub and for supporting employees' remote work.

Small Office Solutions

Small offices can be divided into two groups: independent enterprises and branches of large companies.

Independent ones are newly founded enterprises, and also those destined to remain small: design bureaus, architectural studios, editorial offices of small media and so on. Such businesses often use cloud services, at least for mail and file sharing.

For branches of larger organizations, the main thing is a stable connection with the central office. Everything else is at the "center".

Often such "kids" need a simple management interface. The network administrator at headquarters usually cannot quickly dash off to distant lands to solve a new branch's problem. Small local companies have no such option at all and have to rely on the services of a "visiting admin". For such cases, management must follow the principle "the simpler, the more reliable".

For small offices, it makes sense to use the ZyWALL ATP100 and ZyWALL ATP200 models.

The ATP100 network gateway appeared relatively recently, but has already gone on sale.

The main difference from its older brother (the ATP200) is that it is designed for a lighter load and has no 19-inch rack mount. It is recommended for home offices, small companies, branches and so on.

Figure 1. ZyWALL ATP100.

Among the design features: the ATP100 and ATP200 are fanless models. This is good for two reasons: first, there is no noise, and second, there is no fan to replace. With a "visiting administrator" that is quite an important point.

Figure 2. ZyWALL ATP200.

The ATP200 model has two WAN ports and can connect to two independent lines, for example from different providers.

As mentioned above, for a small office the most important thing after a stable supply of electricity is a stable connection. Unfortunately, local providers cannot always guarantee there will be no outages, so backup options have to be found.

IMPORTANT! In addition to the dedicated WAN ports, ATP models have USB ports to which you can connect a USB modem and use it as a WAN. This feature is available on all ATP models.

If the device has an SFP port, it can also be used as a WAN. This too applies to all ATP models.

Here's a life hack from Zyxel.

Medium-sized companies

For medium-sized companies Zyxel has a good piece of hardware of its own: the ZyWALL ATP500.

This is a next-generation gateway with enhanced protection against evolving threats.

Among the interesting features:

7 configurable ports allow a flexible layout, for example 2 WAN, 2 DMZ and 3 LAN ports when connecting 3 separate VLANs for internal use. There is also 1 SFP port.

Figure 3. ZyWALL ATP500.

Two ZyWALL ATP500 units can work in the Device HA Pro high-availability cluster mode. If one fails, the second will continue to provide connectivity.

Using the ATP500's functions to the "full program", you get flexible, highly reliable and secure communication with the outside world or with a single node, for example headquarters.

Larger Offices

For them the most powerful model in the line is recommended: the ATP800.

This model has a decent number of ports: 12 RJ-45 and 2 SFP, all of which can be configured in WAN, LAN or DMZ mode. This lets you use multiple WANs, organize multiple DMZs, and still have capacity left for external access in a complex internal infrastructure. It is suitable for large offices with a developed network and high requirements for security and access control.

Figure 4. ZyWALL ATP800.

It is also worth noting that this model is recommended for companies with a growth trend. If you plan to grow, for example by developing a local chain of stores, it makes sense to buy the more powerful model right away so as not to pay twice.

As you can see, even under the most Spartan conditions it is possible to provide a good level of protection, fault tolerance and operational flexibility.

Technical support, tips, discussions, news, promotions and announcements: join us on Telegram!

Useful links

  1. Colocation: how, what for and why
  2. Eat breakfast yourself, share your work with the "cloud"
  3. ZyWALL ATP100 Security Gateway Page
  4. ZyWALL ATP200 Security Gateway Page
  5. ZyWALL ATP500 Security Gateway Page
  6. ZyWALL ATP800 Security Gateway Page
  7. Our service is both dangerous and difficult, or Zyxel ATP500