CASE STUDY TITLE
Fourth Dimension
Datacenter Network Security Project
“A leading private sector bank based in South India, with a turnover of $20 billion and serving millions of retail customers and thousands of corporates”
Executive Summary
The project was aimed at the design and implementation of network security for the datacenter, addressing the IT management network, the intranet, the Internet edge, partner networks and Internet banking.
Challenges
The primary challenges around the existing network were:
• Only perimeter security for the Internet
• Lack of a datacenter firewall
• Lack of proactive defence mechanisms
• Unprotected partner networks
• Only VLAN-based segregation of the IT management team in the datacenter
CASE STUDY TITLE: Datacenter Network Security Implementation
How the solution helped
The design was delivered using the defence-in-depth approach. The various logical components, including the IT management network, intranet, Internet edge, partner networks and Internet banking, were identified and each moved under an independent firewall-based segment.
The datacenter server environment was protected using Cisco Catalyst 6500 series Firewall Services Modules (FWSM). This offered high performance and scalability up to 20 Gbps. The switches themselves were configured in VSS to provide continuous availability. The various datacenter servers were segregated by business/application. Additional protection was delivered using IDSM-2 modules for intrusion detection.
The various network segments are protected using Cisco ASA firewalls. The critical servers themselves were protected using host-based protection. The entire security infrastructure is managed using Cisco Security Manager 3.0.
After implementation, the security infrastructure was managed for a period of 3 years on a 24x7 basis.
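As an added illustration of what "moved under an independent firewall-based segment" means in practice, the Cisco ASA configuration fragment below places three of the segments named above (partner network, application servers, IT management) behind separate firewall interfaces with explicit, logged inter-segment rules. This is example code written for this page, not the project's or the bank's configuration; the interface names, addresses, ports and log host are assumptions chosen for the example.

```text
! Added illustration (not the project's own configuration): three firewall-based
! segments on one ASA, modelled on the segments named in the case study.
! Interface names, addresses, ports and the log host are assumptions.
!
! Partner (extranet) segment: lowest trust of the three.
interface GigabitEthernet0/1
 nameif partner
 security-level 20
 ip address 10.20.0.1 255.255.255.0
!
! Application server segment.
interface GigabitEthernet0/2
 nameif appservers
 security-level 80
 ip address 10.80.0.1 255.255.255.0
!
! IT management segment: previously only a VLAN, now behind the firewall.
interface GigabitEthernet0/3
 nameif itmgmt
 security-level 90
 ip address 10.90.0.1 255.255.255.0
!
! Partner segment may reach exactly one application gateway on one port;
! everything else arriving from partners is dropped and logged.
access-list PARTNER_IN extended permit tcp 10.20.0.0 255.255.255.0 host 10.80.0.10 eq 8443
access-list PARTNER_IN extended deny ip any any log
access-group PARTNER_IN in interface partner
!
! Application servers answer partner sessions statefully but never initiate
! connections towards the partner or management segments.
access-list APP_IN extended deny ip any 10.20.0.0 255.255.255.0 log
access-list APP_IN extended deny ip any 10.90.0.0 255.255.255.0 log
access-list APP_IN extended permit ip 10.80.0.0 255.255.255.0 any
access-group APP_IN in interface appservers
!
! Management segment: admin hosts reach servers only over SSH and RDP. The final
! deny replaces the ASA default that lets a higher security level go anywhere.
access-list MGMT_IN extended permit tcp 10.90.0.0 255.255.255.0 10.80.0.0 255.255.255.0 eq 22
access-list MGMT_IN extended permit tcp 10.90.0.0 255.255.255.0 10.80.0.0 255.255.255.0 eq 3389
access-list MGMT_IN extended deny ip any any log
access-group MGMT_IN in interface itmgmt
!
! Send the denied-flow log messages to the management station on the admin LAN.
logging enable
logging trap informational
logging host itmgmt 10.90.0.50
```

The contrast with the VLAN-only segregation listed under Challenges is that a VLAN separates broadcast domains but leaves inter-VLAN routing unfiltered, whereas here every flow between segments crosses a stateful firewall, matches an explicit rule, and is logged when denied, so the rule set held in the security manager becomes the auditable record of what each segment may talk to.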
Results, Return on Investment and Future Plans
The design was validated and certified by an independent security consulting organization. The fact that the bank faced no security issues during our contract period is testimony to the design and the robustness of our implementation.
This enabled the bank to roll out several new applications to support its business needs and also allowed it to connect many new partners to render more services for its customers.
[Figure: The defence in depth based network security architecture. Labels recovered from the diagram:
• Internet edge: ISP A and ISP B over BGP, Cisco 2600XM+ (Cisco 2611) routers, PIX-515 firewalls in a failover pair
• Internet banking (www.kvb.co.in): web front-end server, web app back-end server and database servers, with GlobalServer ID Verisign SSL web server certificates and CSA 4.0 on the hosts; mail servers with CSA 4.0
• Datacenter core: Cisco 6509E (Catalyst 6500 series, Supervisor 720) with FWSM (Firewall Services Module WS-SVC-FWM-1), IDSM, WS-X6148-GE-TX 48-port 10/100/1000 switching modules and WS-X6502-10GE 10 Gigabit Ethernet modules
• Application servers: WIN 2K with CSA 4.0 and AIX with ISS Real Secure; corporate servers: WIN2K with CSA 4.0
• BANKNET and branches via Cisco 7200 routers (NPE-G1); ASA 5520 with Active/Active failover
• Extranet: Cisco 1721 routers and an L2 switch (Catalyst 2950 series) towards the partners FS/UTI/VISA, HCL Comnet and RBI RTGS
• Security management: Cisco Security Manager 3.0 and ISS Site Protector on the datacenter admin LAN, with MAC-based filtering
• Catalyst 2950 series access switches throughout]