Government DMZ Design

Any medium-to-large organisation that presents services to the Internet needs to secure its hosting servers and separate them from the outside world; this is where a network Demilitarised Zone (DMZ) is used.

To meet security compliance requirements (Government Connect and PSN-IA), a Government client needed to uplift their ageing DMZ network with new hardware and further protection against the risks posed by both internal and external threats.

Utopian IT first reviewed the existing topology, discussed existing functionality and support issues with the in-house support teams, and then developed an updated design focused on meeting the business needs over the next 5 years and on protection in depth. The design upgraded the existing Cisco firewalls, switches and routers and enhanced network path resilience through resilient power, data-stack technologies and active-active clustering. Utopian IT also implemented additional access control components, including a Citrix NetScaler SDX reverse proxy platform and ActivIdentity (ActivID/HID) authentication appliances. Additional network protection was put in place through McAfee Intrusion Detection and Prevention appliances, capable of further mitigating attacks against the application layer.

Further design work added a new mirrored DMZ at a secondary Data Centre, able to withstand a complete site failure using Cisco Nexus switching and diverse service provider routes. This secondary Data Centre allowed the client to host critical applications from both Data Centres simultaneously and to live-migrate virtual servers during planned outages.