
Building a comprehensive secure remote access system

Customer: BORJOMI
IT Provider: Softline
Year of project completion: 2022
Project timeline: August 2021 - January 2022
Project scope: 2500 automated workstations
Goals
- Organization of the security system of the customer's corporate information network.
- Traffic management.
- Access control to the corporate information network.
- Control over the use of the customer's information resources.
The system was created to achieve the following results:
- Ensuring secure operation and legitimacy of remote users when interacting with the resources of the corporate information computing network.
- Preventing computer attacks and intrusions against the corporate information network.
- Complying with the requirements of regulations in the field of information security.
- Ensuring the security and sustainable operation of the corporate information network.

The uniqueness of the project

  • The customer's geographically distributed infrastructure consists of three sites located in different countries.
  • The company has 2.5 thousand users distributed between the sites and connecting remotely, which requires authentication of the connecting employees together with convenient availability of internal services.
  • The organization's administrative structure legally requires the functional components of Cisco DUO Single Sign-On to be split across three different accounts in the vendor's system. This is an atypical case that required testing several architecture options to ensure fault tolerance when synchronizing users from different domains. As a result, a workable architecture was formed, the solution integration scenario was tested with debugging of the functional components, and a secure remote access system was organized in line with the customer's requirements.
Used software
The system consists of three distributed access control subsystems, each of which includes three functional modules:

1. Network access authentication, authorization and audit module. Implemented by the Cisco Identity Service Engine component. Cisco Identity Service Engine is a virtual platform for securing the network infrastructure to which users and devices connect. The platform provides dynamic, policy-based enforcement to control network access with a high level of security and allows for software-defined access with automated segmentation.

2. Remote access provisioning module. Implemented by the Cisco AnyConnect and Cisco ASAv components. Cisco AnyConnect is client software that provides secure remote access to the corporate network for mobile workers. Cisco ASAv is a virtual gateway with VPN capabilities that terminates the secure remote access connections.

3. Strong access authentication module. Implemented by the Cisco DUO component. Cisco DUO is a cloud service for secure access functions that includes local (on-premise) technical means and provides verification of user credentials with two-factor authentication, as well as assessment of device security and application of adaptive policies to protect application access.
Difficulty of implementation
The main difficulties in implementation were related to setting up a working bundle of the system's functional modules, namely Cisco ASAv + Cisco Identity Service Engine (ISE) with the Posturing functionality (checking that an end device complies with the organization's requirements when connecting to the infrastructure), and the use of three different Cisco DUO Single Sign-On accounts according to the geographical affiliation of the customer's units.

To test implementation scenarios, a mock-up of system components, in particular Cisco DUO, was organized at three sites, including:

1. Development of the stand layout.

2. Deployment of the stand with a simulation of the company's infrastructure.

3. Configuring the certification authority and issuing certificates for Cisco Identity Service Engine and Cisco ASAv.

4. Basic configuration of Cisco ASAv at three sites (IP addresses, routing, NAT, ACL, Site-to-Site VPN).

5. Deployment of the domain with three sites.

6. Configuring a bundle of three sites with three Cisco DUO accounts.

7. Configuring Cisco ISE in a fault-tolerant configuration with Remote Access (RA) VPN functionality for domain users.

8. Testing disaster scenarios for DUO in case of failure of the main sites.

As a result of the mock-up, the functionality of the working bundles of the system's functional modules was successfully tested: the interaction of the components was configured; switchover to a backup site was performed successfully (including a successful test of Optimal Gateway Selection, OGS); the Cisco AnyConnect client automatically substitutes the site group (country) to which the user belongs; and the procedure for configuring synchronization of Active Directory with DUO Single Sign-On was verified.
Project Description
The project consisted of several stages:

1. Pre-project survey, in which the network segments were surveyed and the current IT infrastructure was analysed. Based on the results, an organizational and technological work plan and the target system architecture were created.

2. Technical design and development of operational documentation, including the requirements specification, the program and methodology of acceptance tests, the block diagram of the complex of technical means and the switching diagram.

3. Software delivery, including the Cisco Identity Service Engine, Cisco AnyConnect, Cisco ASAv and Cisco DUO components.

4. Commissioning, including adjustment of the equipment to the technical requirements and transfer of the system into trial operation.

5. Pilot operation, including support and adaptation of the solution.

6. Acceptance testing and transfer into commercial operation. During this stage a set of tests was carried out, which confirmed the compliance of the system with the requirements of the specification.
Project geography
CIS countries