Industry – Public Sector
Challenge –
Nigerian Financial Intelligence Unit (NFIU) is the central national agency responsible for receiving disclosures from reporting organisations, analysing those disclosures and producing intelligence for dissemination to competent authorities.
NFIU was moving to a new work location; this demanded a total upgrade of their previous network infrastructure while solving the incessant concerns their previous LAN infrastructure and network security posed to their overall efficiency.
Previously, NFIU’s Cisco ASA firewall posed a challenge whenever downloads were initiated, and inbound traffic from the Internet through the ASA could not keep pace with the organisation’s growth in network utilisation.
Selection Criteria – NFIU was in search of a network partner capable of providing comprehensive threat protection, scalable performance and adequate network segmentation that allows tailored policies for its security and LAN infrastructure:
- A network segmentation that allows administrators to tailor security and policies.
- System and network resiliency that ensures carrier-class reliability from redundant hardware, components, and Junos software.
- An interface flexibility that meets the needs of any network.
- A scalable performance that enables additional services without degradation.
- A comprehensive threat protection that includes multi-gigabit firewalling, intrusion detection and prevention, denial-of-service protection, network address translation and QoS.
- A robust routing engine that separates the data and control planes to allow deployment of consolidated routing and security on Juniper devices.
The Result –
NFIU was provided with internet connection from Layer3 Point of Presence (POP) Abuja to their Data Center at Wuse II. This connection was shared among all office buildings. Layer3 provided NFIU with the following:
- An SRX550 connected to the fiber from the Layer3 Point of Presence, serving as the breakout to the Internet. The same SRX550 also served as the security gateway.
- The core segment comprised two EX4600-24P switches clustered as a Virtual Chassis, which provided a single management interface.
- The core segment had two physical interface connections to the SRX550, and, where necessary, links to the access switches were bundled into aggregated Ethernet interfaces (aeX) for resiliency and higher throughput.
- The NFIU-WUSEEII-FW firewall had its WAN-facing interface configured with an IP address in the same subnet as the network-facing IP address of the ISP’s router. The IP address of the ISP router was configured as the default gateway of the firewall (NFIU-WUSEEII-FW).
- The LAN-facing aggregated interface of the NFIU-WUSEEII-FW had a trunk (VLAN-tagged) connection to the core ‘NFIU-AGGREGATED-SW’ switch, carrying the various VLANs and their corresponding networks.
- Zones: Security zones and the relationships between networks were configured in detail.
- Untrust zone: the public interface, allocated to the service provider(s).
- NAT: All users were source-NATed to the Internet behind the firewall’s public WAN address. Destination NAT was configured for all public-facing servers.
- Policies: Policies and permissions were configured according to production needs. Conventional policies, such as internal users to the Internet (WAN), were configured, with port and service restrictions applied to the servers.
- Core switch configuration: All VLANs carried on the LAN interface of the NFIU-WUSEEII-FW firewall were configured on the receiving interface of the stacked ‘NFIU-AGGREGATED-SW’ core switch. The VLANs were then configured on the access or trunk interfaces facing the NFIU-ACSW-xx access switches.
- Access switch configuration: The access switches were configured with the required VLANs, which were extended over trunks to the core switch.
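As an illustration of the zone, NAT and policy design described above, the following Junos set commands show how such an SRX is typically configured. This is an added example, not NFIU’s or Layer3’s actual configuration: the interface names, VLAN IDs, zone names, the RFC 5737 addresses (203.0.113.0/29 on the WAN side, 10.10.x.0/24 internally) and the DMZ web server are all hypothetical placeholders.

```junos
## WAN interface toward the ISP router (placeholder /29; ISP router is 203.0.113.9)
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.10/29
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.9

## LAN-facing aggregated Ethernet trunk toward the core switch (two member links)
set chassis aggregated-devices ethernet device-count 1
set interfaces ge-0/0/1 gigether-options 802.3ad ae0
set interfaces ge-0/0/2 gigether-options 802.3ad ae0
set interfaces ae0 vlan-tagging
set interfaces ae0 unit 10 vlan-id 10
set interfaces ae0 unit 10 family inet address 10.10.10.1/24
set interfaces ae0 unit 20 vlan-id 20
set interfaces ae0 unit 20 family inet address 10.10.20.1/24

## Security zones: untrust = ISP side, trust = user VLAN, dmz = public-facing servers
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ae0.10
set security zones security-zone dmz interfaces ae0.20

## Source NAT: all internal users hidden behind the WAN interface address
set security nat source rule-set users-to-internet from zone trust
set security nat source rule-set users-to-internet to zone untrust
set security nat source rule-set users-to-internet rule all-users match source-address 10.10.10.0/24
set security nat source rule-set users-to-internet rule all-users then source-nat interface

## Destination NAT: public 203.0.113.11:443 mapped to the DMZ web server
set security nat destination pool web-srv address 10.10.20.10/32
set security nat destination rule-set from-internet from zone untrust
set security nat destination rule-set from-internet rule to-web match destination-address 203.0.113.11/32
set security nat destination rule-set from-internet rule to-web match destination-port 443
set security nat destination rule-set from-internet rule to-web then destination-nat pool web-srv
## The SRX must answer ARP for the secondary public address it is translating
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.11/32

## Address book entries referenced by the policies
set security address-book global address lan-users 10.10.10.0/24
set security address-book global address web-srv 10.10.20.10/32

## Policy: internal users to the Internet, logged on session close
set security policies from-zone trust to-zone untrust policy users-out match source-address lan-users
set security policies from-zone trust to-zone untrust policy users-out match destination-address any
set security policies from-zone trust to-zone untrust policy users-out match application any
set security policies from-zone trust to-zone untrust policy users-out then permit
set security policies from-zone trust to-zone untrust policy users-out then log session-close

## Policy: Internet to the DMZ server, HTTPS only (matched on the post-NAT address)
set security policies from-zone untrust to-zone dmz policy inbound-web match source-address any
set security policies from-zone untrust to-zone dmz policy inbound-web match destination-address web-srv
set security policies from-zone untrust to-zone dmz policy inbound-web match application junos-https
set security policies from-zone untrust to-zone dmz policy inbound-web then permit
set security policies from-zone untrust to-zone dmz policy inbound-web then log session-close

## Anything not explicitly permitted above is dropped
set security policies default-policy deny-all
```

Because the inbound policy names only junos-https and the default policy is deny-all, the port and service restriction on servers is enforced by the policy rather than by the NAT rule alone, and session logs provide the audit trail for both directions.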