Shared Support Center Solution
May 2016
Business Case
The Cyber Defense Center is a shared support center operating from a single location at one of the office campuses.
Shared Support Center users provide their services to multiple customers from the same single LAN in a ‘Shared Support’ model.
Network connectivity to multiple customer networks is needed so that all customer access is available from the ‘Cyber Defense Center’.
Solution
Access to a customer network is unidirectional, from the Shared Support Center to the customer network. No Shared Support Center host is reachable from a customer network.
Each customer WAN is first terminated on our corporate network and then extended to the Shared Support Center LAN on a separate VLAN.
Customer network routes are never advertised directly inside the ‘Shared Support Center’ LAN, to avoid IP conflicts between multiple customer segments and to ensure isolation between the various customer networks.
To reach remote destinations in a customer network, Destination NAT and Source PAT are configured on a dedicated Cyber Defense Center firewall.
Access is provisioned only to identified, limited destination IP addresses and ports between the customer network and the ‘Shared Support Center’ network.
For seamless, complete access to computing hosts, network gear and applications across a customer network, a remote-access mechanism is recommended, for example a staging / landing / jump server or VDI in the customer environment.
The Shared Support Center should have a dedicated firewall and a dedicated L3 switch for this environment.
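The following is an added worked example, not part of the original solution document and not a configuration of the Palo Alto or Cisco gear listed in the BOM. It models the access rules above as a small policy checker: each customer gets a non-overlapping “landing” range inside the Shared Support Center LAN (the real customer routes are never advertised), the firewall translates landing address to real customer address (Destination NAT) and rewrites the source to a per-customer firewall address (Source PAT), only identified destination IP/port pairs are allowed, and nothing initiated from a customer zone is accepted. All addresses, customer names and allowed ports are constructed sample values; the two customers deliberately use the same internal range to show why the landing ranges are needed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    name: str
    real_net: ipaddress.IPv4Network     # customer's own addressing; may overlap with other customers
    landing_net: ipaddress.IPv4Network  # non-overlapping range that is routed inside the SSC LAN
    pat_source: ipaddress.IPv4Address   # firewall address the customer sees as source (Source PAT)
    allowed: frozenset                  # identified (real destination IP, port) pairs


# Constructed sample environment (assumed values, not from the original document).
SSC_LAN = ipaddress.ip_network("192.168.100.0/24")

CUSTOMERS = [
    Customer("customerA",
             ipaddress.ip_network("10.0.5.0/24"),
             ipaddress.ip_network("172.20.1.0/24"),
             ipaddress.ip_address("10.250.1.1"),
             frozenset({(ipaddress.ip_address("10.0.5.10"), 22),
                        (ipaddress.ip_address("10.0.5.11"), 443)})),
    # Same internal range as customerA: only the landing range keeps them apart.
    Customer("customerB",
             ipaddress.ip_network("10.0.5.0/24"),
             ipaddress.ip_network("172.20.2.0/24"),
             ipaddress.ip_address("10.250.2.1"),
             frozenset({(ipaddress.ip_address("10.0.5.20"), 3389)})),
]


def landing_ranges_disjoint(customers=CUSTOMERS, ssc_lan=SSC_LAN) -> bool:
    """Design check: landing ranges must not overlap each other or the SSC LAN."""
    nets = [c.landing_net for c in customers] + [ssc_lan]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def _dnat(landing_ip, customer):
    """Destination NAT: keep the host part, swap landing network for real network."""
    offset = int(landing_ip) - int(customer.landing_net.network_address)
    return customer.real_net.network_address + offset


def evaluate(src_zone, src_ip, dst_ip, dst_port, customers=CUSTOMERS, ssc_lan=SSC_LAN):
    """Decide one new connection as the dedicated CyDC firewall would.

    src_zone is "ssc" for the Shared Support Center LAN or a customer name for
    traffic arriving on that customer's VLAN. Returns a tuple whose first element
    is "allow" or "deny"; an allow also carries the customer, the translated
    (real) destination and the PAT source address.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src_zone != "ssc":
        # Unidirectional access: customer zones never initiate towards the SSC.
        return ("deny", "unidirectional: customer zones may not initiate")
    if src not in ssc_lan:
        return ("deny", "source not in SSC LAN")
    customer = next((c for c in customers if dst in c.landing_net), None)
    if customer is None:
        # Real customer addresses are not routed in the SSC LAN, so they never match.
        return ("deny", "no landing route for destination")
    real_dst = _dnat(dst, customer)
    if real_dst not in customer.real_net:
        return ("deny", "translated address outside customer range")
    if (real_dst, dst_port) not in customer.allowed:
        return ("deny", f"{customer.name}: {real_dst}:{dst_port} not in identified allow-list")
    return ("allow", customer.name, str(real_dst), str(customer.pat_source))


if __name__ == "__main__":
    print("landing ranges disjoint:", landing_ranges_disjoint())
    print(evaluate("ssc", "192.168.100.25", "172.20.1.10", 22))
    print(evaluate("customerA", "10.0.5.10", "192.168.100.25", 22))
```

The checker is deliberately stateless and per-connection; on a real firewall the return traffic of an allowed session is permitted by the stateful session table, not by a rule in the customer-to-SSC direction, which is what keeps the design unidirectional.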
Customer Application Access Mechanism
Internet & Web Based Customer Application Access
For access to applications hosted on the public Internet or in cloud environments, dedicated 100 Mbps Internet bandwidth is recommended for the identified customer Internet destinations.
Source- and destination-based access is to be provisioned on the location’s enterprise Internet firewall, and category-based access on the CyDC firewall.
Access to the customer environment can be enabled over the Internet / web using specific remote-access client apps.
Private WAN (MPLS/S2S VPN) Based Customer Application Access
For direct access to customer servers / hosts, the identified customer private IP addresses or IP ranges need to be propagated through the Shared Support Center network.
For web / browser-based customer applications, access can be made available over the web using application client software.
Only MPLS or site-to-site VPN are the recommended WAN access models.
Note: Client-to-site VPN is not recommended. Because of the shared support nature, when a user is connected to a C2S VPN, their terminal is limited to that single customer and cannot access the other customer networks.
Hardware BOM:
Palo Alto PA-500: 2 units (HA clustering)
Cisco 3850 48-port with 10 Gig uplink: 2 units (clustering)
Check Point 4400: 1 unit for office intranet (backbone) access.