Engineers from La Salle-URL share the latest news and projects in the field of network solutions in telematic engineering.

23 February 2017 | Posted by Redacción Data Center

Guidelines to a DataCenter

The guidelines for a financial Data Center

When designing a Data Center, we must take into account not only the technological requirements needed to handle the necessary tasks, but also the various external agents that may damage our machines. In this post, we will show some guidelines for designing a Data Center:
Let's start with the non-technological guidelines. In terms of temperature, all manufacturers advise that their equipment work within a certain margin, so it is important that the temperature to which the equipment is exposed does not exceed these margins.
Fire control systems are also important. It is necessary to check the type of fire extinguisher that is in a data center: nebulized-water extinguishers must be used, because gas extinguishers are corrosive.
Vigilance is important to take into account in the case of a data center for a financial entity. It is necessary to control who accesses our Data Center and what they do there, all the more so if our information is critical. Special care must therefore be taken with physical security measures and access controls: the data center must only be accessed by authorized personnel.

Some physical considerations:

https://www.ibm.com/support/knowledgecenter/P8ESS/p8ebe/p8ebe_generalgui...

After this point, it is necessary to define the different technological requirements that a Data Center of a financial entity has:
- It is necessary to maintain high availability: when handling monetary movements and sensitive information, the system cannot fail in the middle of an operation.
- It has to be able to manage a large number of connections, high capacity.
- A high level of security, due to the importance of the information being handled.
- Stability and reliability in their processes through redundancy.
- Scalability in case the entity grows in the future.
- Quality / cost ratio.
Let's introduce our guidelines for complying with these different points. It is necessary to first secure the data. To do this, backups of both configuration and content must be made periodically, so it is necessary to have storage units, such as a SAN using a RAID of disks.

We must have access and high-capacity devices, such as 10 or 40 Gigabit Ethernet, in order to keep the system accessible to all its users.
In terms of security, we can distinguish several fields: perimeter security and DMZ, network segmentation, intrusion prevention and detection, and the use of secure protocols.
Perimeter security:
It is our first barrier against possible attacks. It is important that our network has a single point of access to the outside (Internet), to facilitate its inspection. Different devices intervene in this: routers or firewalls that use ACLs to accept some traffic and deny other traffic, dynamic or stateful firewalls that inspect packets more thoroughly, and DPI (deep packet inspection) devices, which scan application-level data to detect malware.
Other devices are proxies, which can prevent access to various malicious websites.
The services that are published on the Internet, such as web servers, mail and DNS, which are necessary in our financial institution, must be protected, and since they are accessible from outside, they must be separated from our internal network in a DMZ.

Network Segmentation:
Because there is no complete protection, it is possible for an attacker to gain access to our network. To prevent the attacker from infecting our entire network or accessing all the information, it is necessary to segment the network. This also serves to limit the access of the financial entity's workers, giving them access to just what they need. The simplest way to segment the network is through VLANs; another way is to use firewalls, separating each zone with a firewall.
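
The following Python example, added here and not part of the original post, audits a first-match firewall policy against the perimeter, DMZ and segmentation guidelines described above. The zone names, ports and sample rules are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    port: object  # TCP port number, or "any"
    action: str   # "allow" or "deny"

# Constructed sample policy; zone names and ports are assumptions.
POLICY = [
    Rule("internet", "dmz", 443, "allow"),    # published web server
    Rule("internet", "dmz", 25, "allow"),     # published mail server
    Rule("dmz", "core", 5432, "allow"),       # web tier to one database port
    Rule("internet", "core", 3389, "allow"),  # mistake: bypasses the DMZ
    Rule("dmz", "core", "any", "allow"),      # mistake: DMZ reaches everything
    Rule("staff", "core", 8443, "allow"),     # workers get only what they need
]

def decide(policy, src, dst, port):
    """First-match evaluation with an implicit default deny, as in an ACL."""
    for r in policy:
        if (r.src, r.dst) == (src, dst) and r.port in (port, "any"):
            return r.action
    return "deny"

def shadowed(policy, i):
    """True if an earlier rule already decides every packet rule i could match."""
    r = policy[i]
    return any((e.src, e.dst) == (r.src, r.dst) and e.port in (r.port, "any")
               for e in policy[:i])

def audit(policy, internal=("core", "staff"), dmz="dmz", outside="internet"):
    """Return (rule index, finding) for effective allow rules that break zoning."""
    findings = []
    for i, r in enumerate(policy):
        if r.action != "allow" or shadowed(policy, i):
            continue
        if r.src == outside and r.dst in internal:
            findings.append((i, "internet reaches an internal zone directly"))
        elif r.src == dmz and r.dst in internal and r.port == "any":
            findings.append((i, "DMZ has unrestricted access to an internal zone"))
        elif r.src == outside and r.dst == dmz and r.port == "any":
            findings.append((i, "entire DMZ is exposed to the internet"))
    return findings

if __name__ == "__main__":
    for idx, msg in audit(POLICY):
        print(f"rule {idx}: {msg} -> {POLICY[idx]}")
```

Rules that an earlier rule fully shadows are skipped, so the findings reflect what the firewall would actually permit rather than every suspicious-looking line.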

IDPS:
These complement the perimeter security. IDS are devices that are used to detect unauthorized access to our resources; once such access is detected, the IDPS intervene, being able to stop the attack, reconfigure firewalls or simulate the attacked environment in order to collect statistics.
Finally, monitoring devices are necessary to regularly check logs, alerts and notifications, in order to identify possible security breaches or malfunctions of our equipment and to be able to carry out good maintenance.

We will keep you informed of our research on the subject, so stay tuned!

See you in future posts!
