
Security Architecture: Record & Documentation of 2nd Place Winner


Our team of 4 participated in the UH Cloudathon and achieved 2nd place in the Security Architecture Challenge. It was an extraordinary experience since none of us had worked together before. We all came from diverse backgrounds in cybersecurity.


While I brought a business and strategy background to the table, my teammates had a strong technological foundation to support me. Despite the time constraints, we successfully collaborated and worked together to map out our attack plan. With everyone's willingness to contribute and support each other, we were able to create a thorough and detailed security architecture report.


Google Doc Security Architecture Full-Report: Link



UH CLOUDATHON REPORT SAMPLE


NETWORKING DIAGRAM FOR CITY CENTER CONCEPT IN ENERGY CORRIDOR

DESIGN PHASE: OVERALL NETWORK ARCHITECTURE


Figure 1.0 (Overall Logical Networking Diagram)



Description of Logical Network Diagram

The network diagram follows the traditional 3-tier architecture of access layer, distribution layer, and core layer. We added a fourth layer, the egress layer, where the routers sit; this is where packets leave our local network for the wide area network (WAN). We chose the traditional architecture over spine-leaf because our traffic mainly moves north-south (between users and the internet) rather than east-west (between servers). A 2-tier (collapsed-core) design would suffice for a mid-sized company, but the scale and complexity of this project, which spans multiple buildings, called for the more robust 3-tier approach. Splitting the switching and routing functions across the layers improves scalability and maintainability, and it improves security because each layer boundary is a place where traffic can be filtered.


Our network architecture has been designed with security, manageability, and scalability in mind. To achieve this, we separated the architecture into 5 sections: building 1, building 2, building 3, building 4, and an extra wireless access point. The extra access point represents the pole-mounted wireless unit placed in the center of the area to prevent any Wi-Fi dead zone, as shown below in Figure 1.1. Moreover, each VLAN and each layer is equipped with redundant components (switches and routers) to minimize the risk of a single point of failure and maximize network availability.


Egress Layer + Core Layer (Physical Network Diagram)


Figure 1.2 (Physical Network Diagram)



Figure 1.2.1 (Logical Network Diagram)


Description of Egress + Core Layer Network Diagram

The diagram shows how the egress-layer routers are cabled into the core layer (campus core backbone). There are 2 routers for redundancy, and a core switch in each building distributes traffic to the correct location. Each core switch is connected to only one router, which on its own would be a single point of failure; Figure 1.3 resolves this with a partial-mesh topology at the distribution layer. When traffic comes in from the internet, the first firewall filters out threats and serves as the barrier between the outside world and our network.


Core Layer + Distribution Layer (Physical Network Diagram)


Figure 1.3 (Physical Network Diagram)


Figure 1.3.1 (Logical Network Diagram)


Description of Core Layer + Distribution (Physical Network Diagram)

The core layer has a single point of failure because each core switch is connected to a single router, as mentioned above. However, as you can see in the distribution layer (the second layer of switches), the switches are partially meshed: a distribution switch in each building is connected to a distribution switch in another building. Because the core switches are attached to different routers, a building whose router fails can still reach the internet through its cross-building link and the other router. There is a firewall between each layer for an extra layer of security: if a threat passes through the first firewall, the second firewall filters the traffic again before it can reach users on the network.


Core Layer + Distribution Layer + Access Layer (Physical Network Diagram)



Figure 1.4 (Physical Network Diagram)


Figure 1.4.1 (Logical Network Diagram)


Description of Core Layer + Distribution Layer + Access Layer (Physical Network Diagram)

The access layer is fully meshed with the distribution layer to maximize forwarding efficiency and to prevent a single point of failure. There are two switches on the access layer and two on the distribution layer in each building; if any switch on either layer fails, the rest of the network is not affected. Two access points are installed in each building to reach the maximum number of people in the building. There is also a wireless access point in the center of the area to cover dead zones and make sure that users can access Wi-Fi even when they are not inside the buildings.
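The three descriptions above (egress + core, core + distribution, and core + distribution + access) together make a redundancy claim: every core switch hangs off a single router, and the cross-building partial mesh at the distribution layer is what removes the resulting single point of failure. The following script, added here as an illustration and not taken from the original report, checks that claim by modelling the topology as a graph, failing one node at a time, and asking whether any access switch loses its path to the internet uplink. The node names and link list are an assumed reconstruction of the diagrams (two routers R1/R2, core switches C1..C4 with C1 and C2 on R1 and C3 and C4 on R2, two distribution and two access switches per building, and one cross-building link per distribution switch); adjust `campus_topology` to match the real cabling.

```python
"""Single-point-of-failure check for the campus topology described above.

Added example, not code from the original report. The node names and links are
an assumed reconstruction of the diagram descriptions: two egress routers
(R1, R2), one core switch per building (C1..C4) attached to a single router,
two distribution (Dxa, Dxb) and two access (Axa, Axb) switches per building,
distribution switches partially meshed across buildings, and access switches
fully meshed to their own building's distribution pair.
"""
from collections import deque

UPLINK = "INTERNET"  # stand-in for the WAN side of the egress routers


def campus_topology(cross_building_mesh=True):
    """Return the link list. cross_building_mesh=False drops the partial
    mesh between buildings' distribution switches (the Figure 1.2 state)."""
    edges = [
        (UPLINK, "R1"), (UPLINK, "R2"),
        # each core switch hangs off exactly one router
        ("R1", "C1"), ("R1", "C2"), ("R2", "C3"), ("R2", "C4"),
    ]
    for b in "1234":
        for d in "ab":
            edges.append((f"C{b}", f"D{b}{d}"))        # core -> distribution
            for a in "ab":
                edges.append((f"D{b}{d}", f"A{b}{a}"))  # full mesh to access
    if cross_building_mesh:
        # partial mesh: each distribution switch links to one other building
        edges += [("D1a", "D2a"), ("D2b", "D3b"), ("D3a", "D4a"), ("D4b", "D1b")]
    return edges


def adjacency(edges, removed=frozenset()):
    """Undirected adjacency map with the failed node(s) taken out."""
    adj = {}
    for u, v in edges:
        if u in removed or v in removed:
            continue
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def reachable(adj, start):
    """Breadth-first search: every node that still has a path to `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def single_points_of_failure(edges):
    """Nodes whose individual failure cuts at least one access switch
    (and therefore its users) off from the internet uplink."""
    nodes = {n for e in edges for n in e}
    access = {n for n in nodes if n.startswith("A")}
    spof = set()
    for node in nodes - {UPLINK}:
        alive = reachable(adjacency(edges, removed={node}), UPLINK)
        if (access - {node}) - alive:  # some surviving access switch is cut off
            spof.add(node)
    return spof


if __name__ == "__main__":
    print("without cross-building mesh:",
          sorted(single_points_of_failure(campus_topology(False))))
    print("with cross-building mesh:   ",
          sorted(single_points_of_failure(campus_topology(True))))
```

Without the cross-building links the routers and all four core switches come back as single points of failure; with them the set is empty, which is the property the partial mesh is meant to buy. The same check is worth re-running whenever a link is removed from the cabling plan during cost cutting.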





DESIGN PHASE: FLOOR NETWORK ARCHITECTURE


Floor Physical Network Component Diagram


Figure 2.1 (Floor Plant + Components)



Floor Physical Network Component Diagram Description

The first image shows the general layout for each of the buildings and how the components are organized throughout each building. Each building has a core layer made up of the main switches. Two of the buildings (buildings 1 and 4, see Figure 2.3) also house the egress layer, with a router installed on the first floor, and each building has two separate firewalls.


The 2nd floor of each building has an access layer made up of two wireless access points and two switches, which ensures a steady connection throughout the building. There is also an access point in the center between the buildings to patch up any dead zones.


Floor Physical Network Component & Cable Diagram


Figure 2.2 (Floor 2 for Building 1, 2, 3, 4: Components + Simplified Cabling)


The second floor of each building has wireless access points (WAPs) so that more people have Wi-Fi access in more places in the building.



Figure 2.3 (Floor 1 for Building 1 & 4: Components + Simplified Cabling)

One of the challenge requirements is to have two routers, so one is placed on the first floor of building 1 and the other on the first floor of building 4.


Figure 2.4 (Floor 1 for Building 2 & 3: Components + Simplified Cabling)

The first floor of each building has a main switch that controls traffic between the other switches.





DESIGN PHASE: OVERALL NETWORK ARCHITECTURE


Network Addresses, IP Addresses, and Subnetting Table

Table 1: Public Access Wifi (Building 1)


Table 2: Public Access Wifi (Building 2)



IMPLEMENTATION PHASE: COMPONENT PRICING TRACKER + MANUFACTURER


Network Component Tracker and Manufacturers List

Routers (2) (Price for 1 = $6,709.99)




Network Component Explanation

Website Use for Components (Vendor): https://www.cdw.com/

For defense in depth, we chose components from different manufacturers, so that a vulnerability or misconfiguration in one vendor's built-in firewall does not apply to every layer of the network at once. Additionally, we selected each device based on our business needs as a medium-sized enterprise that mounts its equipment in racks.



DESIGN PHASE EXTRA: ADDITION OF OPERATION TEAM



Operations Teams

The challenge brief called for an operations team but did not say where they should be located, so we decided that they would work from a different building. We created a separate VLAN for them; it consists of 2 firewalls and 4 switches in a full mesh for redundancy in case anything fails. The operations team also has 4 PCs.


Table 7: Operation team / Class C Addresses
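The subnetting tables in the design phase (Tables 1 and 2 for the per-building public Wi-Fi VLANs) and Table 7 above (the operations team's Class C block) are all instances of the same exercise: carve one summary block into non-overlapping VLAN subnets sized for their host counts, and record network, mask, gateway, client range and broadcast for each. The script below, added here as an illustration and not a reproduction of the report's tables, generates that table with Python's standard `ipaddress` module. The 10.0.0.0/16 summary block and the host counts per VLAN are assumptions chosen to show the method; replace `REQUIREMENTS` with the real numbers to regenerate the tables. Keeping the public Wi-Fi VLANs and the operations VLAN in distinct subnets is also what lets the inter-layer firewalls write rules that separate guest traffic from management traffic.

```python
"""VLSM subnet plan generator for the per-building public Wi-Fi VLANs and the
operations-team VLAN.

Added example, not a table from the original report. The summary block
10.0.0.0/16 and the host counts per VLAN are assumptions chosen to illustrate
the method; substitute the real requirements to regenerate the tables.
"""
import ipaddress
import math

# (VLAN name, hosts that must fit, not counting network/broadcast) - assumed
REQUIREMENTS = [
    ("Building 1 public Wi-Fi", 500),
    ("Building 2 public Wi-Fi", 500),
    ("Building 3 public Wi-Fi", 250),
    ("Building 4 public Wi-Fi", 250),
    ("Operations team", 200),       # "Class C" sized, i.e. a /24
    ("Central outdoor AP", 100),
]


def prefix_for(hosts):
    """Longest prefix whose block still holds `hosts` + network + broadcast."""
    return 32 - math.ceil(math.log2(hosts + 2))


def subnet_plan(requirements, summary="10.0.0.0/16"):
    """Allocate the largest VLANs first (VLSM), never overlapping, and return
    one row per VLAN with the fields a subnetting table needs."""
    base = ipaddress.ip_network(summary)
    taken, plan = [], {}
    for name, hosts in sorted(requirements, key=lambda r: -r[1]):
        prefix = prefix_for(hosts)
        # first aligned block of that size not already handed out
        for cand in base.subnets(new_prefix=prefix):
            if not any(cand.overlaps(t) for t in taken):
                break
        else:
            raise ValueError(f"{summary} cannot fit {name}")
        taken.append(cand)
        usable = list(cand.hosts())  # excludes network and broadcast
        plan[name] = {
            "network": str(cand),
            "mask": str(cand.netmask),
            "gateway": str(usable[0]),        # first usable address is the gateway
            "first_client": str(usable[1]),
            "last_client": str(usable[-1]),
            "broadcast": str(cand.broadcast_address),
            "client_addresses": len(usable) - 1,
        }
    return plan


def overlaps(plan):
    """Sanity check: True if any two VLANs share address space."""
    nets = [ipaddress.ip_network(r["network"]) for r in plan.values()]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for name, row in subnet_plan(REQUIREMENTS).items():
        print(f"{name:24} {row['network']:16} gw {row['gateway']:12} "
              f"{row['first_client']}-{row['last_client']}  bcast {row['broadcast']}")
```

Largest-first allocation keeps every block aligned to its own size, so the /23s land on even third octets and the smaller VLANs fill in behind them without gaps; the `overlaps` check is cheap insurance when the requirements are edited by hand later.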


