Building a comprehensive secure remote access system
- Customer
- BORJOMI
- IT Provider
- Softline
- Year of project completion
- 2022
- Project timeline
- August, 2021 - January, 2022
- Project scope
- 2500 automated workstations
- Goals
- Organization of the security system of the customer's corporate information network.
- Traffic management.
- Access control to the corporate information network.
- Control over the use of the customer's information resources.
The system was created to achieve the following results:
- Ensuring secure operation and legitimacy of remote users when interacting with the resources of the corporate information computing network.
- Preventing computer attacks and intrusions against the corporate information network.
- Complying with the requirements of regulations in the field of information security.
- Ensuring the security and sustainable operation of the corporate information network.
The uniqueness of the project
- The geographically distributed infrastructure of the customer consists of three sites located in different countries.
- The company has 2.5 thousand users distributed between the sites and connecting remotely, which requires authentication of the connecting employees and convenient availability of internal services.
- The specific administrative structure of the organization requires the legal separation of the functional components of Cisco DUO Single Sign-On into three different accounts in the vendor's system. This is an atypical case that required testing of various architecture options to ensure fault tolerance when synchronizing users of different domains. As a result, a workable architecture was formed, the solution integration scenario was tested with debugging of the functional components, and a secure remote access system was organized in accordance with the customer's requirements.
- Used software
The system consists of three distributed access control subsystems, each of which includes three functional modules:
1. Network access authentication, authorization and audit module. It is implemented by Cisco Identity Service Engine component. Cisco Identity Service Engine is a virtual platform for securing the network infrastructure to which users and devices connect. The platform provides dynamic, authorized policy enforcement to control network access with a high level of security and allows for software-defined access with automated segmentation.
2. The remote access provisioning module. Implemented by the components Cisco AnyConnect and Cisco ASAv. Cisco AnyConnect is software that provides secure remote access to the corporate network for mobile workers. Cisco ASAv is a gateway with VPN capabilities that provides secure remote access.
3. Strong access authentication module. Implemented by the Cisco DUO component. Cisco DUO is a cloud service providing secure access functions; it includes local (on-premise) technical components and provides verification of user identity with two-factor authentication, as well as assessment of device security and application of adaptive policies for protecting application access.
- Difficulty of implementation
The main difficulties in implementation were related to setting up a working bundle of the system's functional modules, namely Cisco ASAv and Cisco Identity Service Engine (ISE) with the Posturing functionality (checking the end device for compliance with the organization's requirements when connecting to the infrastructure), together with three different Cisco DUO Single Sign-On (single sign-on technology) accounts assigned according to the affiliation of the customer's geographically distributed units.
To test implementation scenarios, a mock-up of system components, in particular Cisco DUO, was organized at three sites, including:
1. Development of the stand layout.
2. Deployment of the stand with a simulation of the company's infrastructure.
3. Configuring the certification authority and issuing certificates for Cisco Identity Service Engine and Cisco ASAv.
4. Basic configuration of Cisco ASAv at three sites (IP-addresses, routing, NAT, ACL, Site-to-Site VPN).
5. Deployment of the domain with three sites.
6. Configuring a bundle of three sites with three Cisco DUO accounts.
7. Configuring Cisco ISE in a fault-tolerant version with Remote Access (RA) VPN functionality for domain users.
8. Testing disaster scenarios for DUO in case of failure of the main sites.
As a result of the mockup, the functionality of the working bundles of the system's functional modules was successfully tested: the interaction of the components was configured; switching to a backup site was performed successfully (including a successful test of Optimal Gateway Selection, OGS); the Cisco AnyConnect client automatically substituted the site group (country) to which the user belongs; and the procedure for configuring synchronization of Active Directory with DUO Single Sign-On was tested.
- Project Description
The project consisted of several stages:
1. Pre-project survey, where a survey of network segments and analysis of the current IT infrastructure were performed. Based on the results, an organizational and technological work plan and target system architecture were created.
2. Technical design and development of operational documentation, including the requirements specification, the program and methodology of acceptance tests, the block diagram of the complex of technical means, and the switching diagram.
3. Software delivery, including the Cisco Identity Service Engine, Cisco AnyConnect, Cisco ASAv and Cisco DUO components.
4. Commissioning works, including equipment configuration according to the technical requirements and transfer of the system into trial operation.
5. Pilot operation, including support and adaptation of the solution.
6. Acceptance testing and transfer into commercial operation. During this stage a set of tests was carried out, which confirmed the compliance of the system with the requirements of the specification.
- Project geography
- CIS countries