Extensive Modernization of CS Network Infrastructure in Collaboration with Cisco

CHALLENGE

Due to the company’s dynamic development and the rapid increase in cyberattacks worldwide, CS management decided on the necessity for a complete reorganization of the network infrastructure and implementation of advanced services to enhance operational security. This decision was dictated not only by the company’s internal needs but also by the general trend toward strengthening cybersecurity in the financial sector.

SOLUTION

For the implementation of these tasks, CS joined forces with the global leader in network technologies – Cisco. Together, they developed and implemented a unique, large-scale project to modernize the network infrastructure.

Network Infrastructure Reorganization

The first step was dividing the entire CS network into three global segments:

• User segment. Built on the Cisco Software Defined Access network fabric. This solution allowed implementing the network fabric concept for the campus network with centralized management, automation and orchestration tools, as well as monitoring and analytics.
• Data center segment. Here, the organizational approach was completely changed. The entire network is segmented into several levels:
  • according to the company’s structural diagram;
  • according to visibility scope;
  • according to risk domains.

This segmentation allowed, through firewall rules, to control all network interactions: user-service, service-service, service-internet.

• Public segment. For this segment, a dedicated autonomous system with an IP address block was purchased. This allowed simultaneous use of multiple providers, load balancing between them, and ensuring fault tolerance at the communications provider level. Pairs of firewalls and routers were also implemented, allowing control of all incoming and outgoing traffic, as well as providing complete fault tolerance.

Implementation of Security Services

The next important step was implementing a range of security services that analyze attacks, protect against viruses, block sites with poor reputation, conduct complete analysis of email messages, including links and attachments based on analytics collection, telemetry and tags. Among the implemented services:

• Cisco Email Security Appliance (ESA). This email security device simultaneously functions as a mail gateway for CS. It is responsible for processing, analyzing, and filtering all mail traffic, both outgoing and incoming. ESA not only protects corporate mail from spam and malware but also guarantees its integrity, confidentiality, marking, and protection against spoofing.
• Web Security Appliance (WSA). This web gateway combines advanced protection against malware, application identification and control system (AVC), acceptable Internet use control, informative reporting, and mobile security on a single platform.
• StealthWatch Enterprise (SWE). This NBA (Network Behavior Analysis) system is designed to detect network anomalies and monitor performance based on flow information (NetFlow, sFlow) collected from all network devices, including computers and virtual objects.
• DUO Security. Functions as the second factor in the two-factor VPN CISCO AnyConnect. Integrated into CS infrastructure (FMC, ISE, and AD) via DUO-proxy, this service prevents the user from authorizing until they pass the second factor – confirmation through the DUO mobile app.
• Cisco Advanced Malware Protection for Endpoints (AMP4E). This is part of the comprehensive CISCO AMP protection for endpoint workstations. AMP4E is a next-generation antivirus, focused not only on signature analysis. It fully provides real-time protection by analyzing all traffic, files, email attachments, behavior of services running on the PC, etc.
• Cisco Advanced Malware Protection (AMP). This is a unified advanced malware protection system that covers the entire attack period – from its beginning, during its execution, and after completion, with continuous analysis and advanced analytics. AMP supports Cisco’s retrospective security capabilities.
• Cisco Threat Response. This cloud platform allows implementing the Threat Hunting concept. It detects suspicious events in information arrays received from various Cisco products and third-party tools, while using IoC from Cisco Talos or other research centers. Cisco Threat Response is the connecting link between information security management in the organization and global Threat Intelligence sources.

RESULTS

The implemented project allowed updating the entire CS network infrastructure at all network levels. Key achievements include:

• Significant increase in network performance.
• Implementation of fault tolerance at all levels.
• Development and implementation of effective segmentation.
• Implementation of complete access control between all segments at any level.
• Provision of centralized management for all equipment.
• Implementation of various services for analytics and telemetry collection.
• Implementation of VPN with two-factor authorization and integration with security services.
• Integration of a large number of security services into a unified system.

This modernization not only increased the level of security and operational efficiency of CS but also created a powerful foundation for further development and scaling of the company.

Sergiy Lyashenko, Head of IT Department at CS:

We are ready to share our experience of collaboration with Cisco in modernizing the company’s network infrastructure and provide our network as a demonstration platform for partners and customers.

This project has become a prime example of successful collaboration between leading technology companies and demonstrates the capabilities of modern solutions in the field of network security and infrastructure.