What will be left in the server room?

Many organizations use cloud services or move equipment to a data center. What makes sense to leave in the server room and what is the best way to organize the protection of the office network perimeter in such a situation?

Once upon a time everything was on the server

At the beginning of the development of the Runet, most companies resolved the issue of IT infrastructure according to approximately the same scheme: they allocated a room where they installed air conditioning and where almost all the network and server equipment was concentrated.

The system administrator set up one or more servers on FreeBSD, Linux, OpenSolaris and so on, and then launched the necessary services on this “host”: from a web server and corporate mail to a file hosting service.

When a company grows and develops, it inevitably faces a situation where the server room no longer meets the requirements. If you have money, you can build your own data center. It may be more profitable to rent racks from commercial data centers. High-quality power supply based on DRUPS, an industrial air conditioning system, a full staff of narrowly specialized engineers - these things are hardly available in the case of an office server room.

Following big business, the management of medium and small companies is gradually moving from the psychology of “I carry everything I have with me” and “my home is my fortress” to “give it to someone else and not suffer.”

For small businesses, cloud providers have become such an “outsourced” option. If previously a company of 40 people took having its own mail server for granted, today a service from, say, Google is winning over all those who previously could not imagine working without their own Sendmail or Postfix.

Virtualization was a great help in this “relocation”. Before it appeared, it was necessary to transport the entire physical server or configure everything on new hardware; now it is enough to transfer the image of the virtual machine.

What will remain in that small room with air conditioning?

First of all, this is network equipment, both active and passive. Often the grand name “server room” refers to a cross-connect room with the remnants of network equipment. For such cases, a special room with a powerful air conditioning system, power supply, and so on is not required.

The second group of equipment that is still difficult to remove from the server room is security gateways.

But what are these gateways? As mentioned above, if in the recent past the system administrator had one or several servers at his disposal where he could deploy whatever his heart desired, now such luxury may not exist.

But the need to protect against external threats has not gone away. You can, of course, transfer all services and necessary equipment entirely to the data center and drive traffic from such a gateway to the office cross-connection via a secure channel, for example, via VPN.
This scheme would look attractive, were it not for the increased load on existing channels. If you don’t want to pay for a higher-bandwidth channel, this is not exactly what you need.

Another option is to purchase a specialized device for traffic protection, the architecture of which, due to its narrow focus, allows you to do without powerful energy-intensive and heat-generating components.

No need for a zoo

In the absence of a classic server room, it is much better to get several services “in one box” at once than to create a “zoo” in a small room, or even within a small cross-connect cabinet. At the same time, the solution should be inexpensive, proven and have normal support in Russian.

Note. We are now talking about very small, medium and larger offices. We are not yet considering large companies that build their own data centers - in one article “it is impossible to grasp the immensity.”

And for every case, Zyxel already has a solution, within the same product line. In short, you won’t need a “zoo”.

ZyWALL ATP Security Gateways

We have previously talked about the principles of operation of such devices using the example of the ZyWALL ATP200. Their main feature is the combination of a firewall with the Zyxel Cloud security service. Thanks to this distribution of responsibilities, ZyWALL ATP solves a fairly wide range of perimeter protection issues without requiring additional hardware resources.

The list of protection functions is quite rich (see Table 1), including SecuReporter analytics tools and Sandboxing - a “sandbox” for preliminary analysis of downloaded content.

It’s worth emphasizing once again that in this case we are simply transferring services from the local office to the cloud. Zyxel Cloud does everything else for us in anonymous mode. In addition to convenience, this approach provides effective protection against zero-day threats through machine learning and information exchange between ATP gateways around the world. An entire neural network has been built for protection.

Quote: “When an unknown file is detected, Cloud Query quickly (within a couple of seconds) checks its hash code against the cloud database and determines whether it is dangerous or not. This service requires a minimum of network resources to operate, and therefore does not reduce the performance of the device. The effectiveness of threat protection is ensured by the use of a constantly updated cloud database containing data on billions of threats. Cloud Query also accelerates the intelligence of Zyxel Security Cloud's emerging threat detection capabilities, enhancing the malware protection of every ATP firewall."

Table 1. Technical characteristics of the ZyWALL ATP line.

Notes:

(1) Actual performance is highly dependent on network conditions and active applications.

(2) Maximum throughput is based on RFC 2544 (1,518-byte UDP packets).

(3) Measured VPN throughput is based on RFC 2544 (1,424-byte UDP packets).

(4) AV and IDP throughput metrics use the industry standard HTTP performance test (1,460-byte HTTP packets). Testing was performed in multi-threaded mode.

(5) When measuring the maximum possible number of sessions, industry standard tools were used - IXIA IxLoad testing tool.

(6) 1Gbps WAN speed test results were conducted under real-world conditions and may vary slightly depending on link quality.

(7) After the Gold Pack expires, only 2 APs will be supported.

(8) You can enable or expand functionality by purchasing additional licenses for Zyxel services.

Pay attention to the supported set of VPN services. Almost everything necessary for communication with the headquarters or home office is already “in one bottle,” so we can safely recommend this device both as a final communication node for a branch and to support remote work of employees.

Solutions for small offices

Small offices can be divided into two groups: independent enterprises and branches of large companies.

Independent ones are newly born enterprises and those that are destined to remain small. For example, design bureaus, architectural studios, editorial offices of small media, and so on. Such business units often use cloud services, at least mail and file sharing.

Branches of larger organizations - the main thing for them is to have a stable connection with the central office. Everything else is in the “Center”.

Often such “babies” need a simple management interface. A network administrator from headquarters often does not have the opportunity to quickly rush to distant lands to solve a problem in a new branch. Local small companies do not have this opportunity at all. They have to resort to the services of an “incoming admin.” For such cases, management must follow the principle “the simpler, the more reliable.”

For small offices, it makes sense to use the ZyWALL ATP100 and ZyWALL ATP200 models.

The ATP100 network gateway appeared relatively recently, but is already on sale.

The main difference from its older brother (ATP200) is that it is designed for a smaller load and does not have mounts for a 19-inch rack. Recommended for home offices, small companies, branches and so on.

Figure 1. ZyWALL ATP100.

Design features: ATP100 and ATP200 are fanless models. Why this is good: firstly, there is no noise, and secondly, there is no need to change the fan. In a situation with an “incoming admin”, this is a fairly important indicator.

Figure 2. ZyWALL ATP200.

The ATP200 model supports two WAN ports and can connect to two independent lines, for example, from different providers.

As mentioned above, for a small office, the most important thing after a stable supply of electricity is a stable connection. Unfortunately, local providers cannot always guarantee that there will be no accidents. We have to look for backup options.

IMPORTANT! In addition to dedicated WAN ports, ATP models have USB ports to which you can connect USB modems and use them as a WAN. This feature is available to all ATPs.

If the device has an SFP port, this can also be used as a WAN. This feature is available for all ATPs.

Here is a life hack from Zyxel.

Medium companies

For medium-sized companies, Zyxel has its own good hardware - the ZyWALL ATP500.

It is a next-generation gateway with advanced protection against evolving threats.

Among the interesting features:

7 configurable ports allow flexible configuration, for example, 2 WAN, 2 DMZ and 3 LAN ports while connecting 3 separate VLANs for internal use. There is also 1 SFP port.

Figure 3. ZyWALL ATP500.

It is possible to operate two ZyWALL ATP500 units in Device HA Pro high availability cluster mode. If one is inoperative, the second will still provide communication.

Using the ATP500 functions in full, you can get flexible, highly reliable, secure communication with the outside world or a separate node, for example, headquarters.

Larger offices

For them, the most powerful version of this line is recommended - ATP800.

This model has a decent number of ports: 12 RJ-45 and 2 SFP. All of them can be configured in WAN, LAN or DMZ mode, which allows you to use several WLANs, organize several DMZs and still have the opportunity to connect to an external network for complex internal infrastructure. Suitable for fairly large offices with a developed network and high requirements for security and access control.

Figure 4. ZyWALL ATP800.

It is also worth noting that this model is recommended for purchase when you expect to “grow.” If you plan to grow your company, for example, develop a local chain of stores, then it makes sense to immediately purchase a more powerful model so as not to spend money twice.

As you can see, even under the most spartan conditions it is possible to provide a good level of protection, fault tolerance and flexibility in operation.


Source: habr.com
