
Hardware Document

Project: EXIM Core Bank

DC
Document Control
Document status: Initial version

Security classification: Company confidential

Version: 1.0

Issue date: 2 February B.E. 2567 (2024)

Revision date: 2 February B.E. 2567 (2024)

Author's name: นายธีรภัทร นามสัสดี

Reviewer's name: นายสุรศักดิ์ โชคกาญจนกุล

Document Revision History

| Date | Updated by | Version | Change |
|---|---|---|---|
| 2 February B.E. 2567 (2024) | นายธีรภัทร นามสัสดี | V1.0 | Initial Version |


Reviewer

| Name | Position |
|---|---|
| นายสุรศักดิ์ โชคกาญจนกุล | Senior Technical |


Deliverable Submitters

| Submitter / Deliverable | Project role | Signature | Date |
|---|---|---|---|
| นาย อภิชาติ แจ่มแจ้ง | Project Manager | | |
| นาย อูรชา พงษ์วัฒนา | Project Director | | |


Deliverable Review

| Name | Project role | Position | Signature | Date signed |
|---|---|---|---|---|
| นาย จรัส ขวัญพิเชษฐ์สกุล | IT Architect & Security | Head of IT Security Section | | |
| นาย ชานนท์ แท่นทองจันทร์ | IT Architect & Security | Assistant Head of IT Security Section | | |
| นาย พบธรรม พันธ์ครุฑ | IT Architect & Security | System Administrator, Infrastructure and Network Management Section | | |
| นาย นพพร ภูมิเรืองศรี | Infrastructure | Head of Infrastructure and Network Management Section | | |
| นางสาว วิลาสินี คำเพ็ง | Infrastructure | Assistant Head of Infrastructure and Network Management Section | | |
| นางสาว อรพรรณ อ่วมแจง | PwC | PwC | | |
| นางสาว นันทนา ชินทศักดิ์ | PwC | PwC | | |
| นางสาว เบญญาภา สายพินทอง | PwC | PwC | | |
| นาย ธีรัตม์ ทัศนัย | PwC | PwC | | |
| นาย ณัฐพิสิษฐ์ โลจนวณิช | PwC | PwC | | |


Deliverable Acceptance

| Name | Project role | Position | Signature | Date signed |
|---|---|---|---|---|
| นาย ประสิทธิ์ แซ่เบ๊ | Technical Lead (Infrastructure): IT Architect & Security Lead | Assistant Head of IT Operations Department | | |
| นาย พงษ์เทพ เลขะกุล | Technical Lead (Infrastructure): Infrastructure Lead | Assistant Head of IT Operations Department | | |

Acceptance signatory:

__________________________________________

(นางสาว นารีมาลย์ เจียงประดิษฐ์)

Assistant Executive Officer, Information Technology Line
Table of Contents

Document Control (p. 2)
  Document Revision History (p. 2)
  Reviewer (p. 3)
  Deliverable Submitters (p. 4)
  Deliverable Review (p. 5)
  Deliverable Acceptance (p. 6)
Section 1: Executive Summary (p. 11)
  Server Load Balancing Solution (p. 12)
    Component Specification (p. 12)
Section 2: Scope of work (p. 13)
Section 3: Implementation Plan (p. 15)
Section 4: Network Diagram (p. 17)
  Solution Diagram (p. 17)
Section 5: Pre-requisite Information Checklist (p. 18)
  Management IP Address DC (p. 18)
  Management IP Address DR (p. 18)
  Devices installed DC (p. 19)
  Devices installed DR (p. 21)
  Network Configuration - Alteon DC1_BCH4_LBF4_1 (p. 23)
    IP Interfaces (p. 23)
  Network Configuration - Alteon DC1_BCH4_LBF4_2 (p. 24)
    IP Interfaces (p. 24)
7|Page
  Network Configuration - Alteon DR_TCCT_LBF5_1 (p. 24)
    IP Interfaces (p. 24)
  Network Configuration - Alteon DR_TCCT_LBF5_2 (p. 26)
    IP Interfaces (p. 26)
  Network Configuration - High Availability (p. 27)
    Floating IP DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2 (p. 27)
    Floating IP DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2 (p. 27)
  Proxy IP VLANs (p. 29)
    Proxy IP DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2 (p. 29)
    Proxy IP DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2 (p. 29)
  Virtual Service Configuration (p. 31)
    Real Server DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2 (p. 31)
    Real Server DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2 (p. 33)
    Group Server DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2 (p. 33)
    Group Server DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2 (p. 35)
    Virtual Server DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2 (p. 36)
    Virtual Server DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2 (p. 37)
Section 6: Configuration Summary (p. 38)
  Hardening devices (p. 38)
    User Accounts (p. 38)
    SSH (p. 40)
    HTTPS Access (p. 42)
    Telnet Access (p. 44)
    Login Banner (p. 46)
    Audit configuration (p. 48)
    Define the Subnets Allowed to Manage the Device (p. 50)
    Disallow Management Access from Data Network (p. 52)
    User Lockout (p. 56)
    Management Session Idle Timeout (p. 58)
    SNMP Communities (p. 60)
    General (p. 62)
Configurations Network Setting (p. 72)
  VLANs (p. 72)
  Interfaces (p. 74)
  Gateways (p. 76)
  Proxy IPs (p. 78)
Configurations High Availability (Master-Backup) (p. 80)
  High Availability (p. 80)
  Status HA (p. 82)
Virtual Servers & Real Servers (p. 84)
  Real Servers (p. 84)
    DC (p. 84)
    DR (p. 84)
  Server Group (p. 85)
    DC (p. 85)
    DR (p. 87)
  Virtual Servers (p. 89)
    DC (p. 89)
    DR (p. 89)
  Virtual Services (p. 90)
    DC (p. 90)
    DR (p. 92)
Web Application Firewall (p. 94)
  Secured Web Applications (p. 94)
    DC (p. 94)
    DR (p. 94)
  Tunnels Configuration (p. 95)
    DC (p. 95)
    DR (p. 95)
  Web Applications Policies (p. 96)
    DC (p. 96)
    DR (p. 96)
DNS (p. 97)
  DNS Responder VIP (p. 97)
    DC (p. 97)
    DR (p. 97)

Section 1: Executive Summary

Application Delivery and Security


Application delivery services are critical to ensuring the availability, performance and protection of applications
deployed in any environment. Radware Alteon is an application delivery controller (ADC) that ensures
application availability, performance optimization and security, and can be deployed as a physical appliance,
virtual appliance, or cloud appliance, with a consistent feature set across all form factors and environments.
Alteon provides advanced application delivery service programmability, and its orchestration interfaces expose
ADC services to non-technical users. Alteon's analytics deliver actionable insights so that organizations can
proactively manage application SLAs and protection.

Server Load Balancing Solution
Component Specification

Alteon 5208 product specification detail

| Performance and Functionality | Alteon 5208 |
|---|---|
| Throughput | 6 Gbps |
| Layer 4 connections per second | 630K |
| Maximum Layer 4 concurrent connections | 50M |
| Layer 7 requests per second | 850K |
| RSA CPS (2K keys) | 2.3K |
| ECC CPS (ECDSA-P256) | 9K |
| Ports | 2 x 10 GbE SFP+, 8 x 1 GbE RJ45 |
| Dimensions (W x D x H) | 436 mm x 406 mm x 44 mm (1U) |

Section 2: Scope of work
This section details the scope of the implementation.

Alteon 5208 Secure Scope of Implementation

| No. | Procedure | Remark |
|---|---|---|
| A | Pre-Implementation Phase | |
| 1 | Internal hand-over meeting to understand project information and background | Done |
| 2 | Kick-off meeting and concrete technical requirements | Done |
| 3 | Provide "Solution Design" and summary information to customer | Done |
| B | Implementation | |
| 1 | Alteon 5208 Initialization | |
| | - Hardware status checking and validation | Done |
| | - Initialize Alteon 5208 with the best-practice version according to customer requirement | Done |
| | - Update signatures to latest release | Done |
| 2 | Activate and verify required license and subscription | Done |
| 3 | Tune and harden Alteon based on Radware best practice guideline | Done |
| 4 | Network configuration provisioning | |
| | - Configure VLAN, trunk, and Spanning Tree | Done |
| | - Configure IP interface | Done |
| | - Configure static route and gateway | Done |
| 5 | High Availability (if required) | |
| | - Configure HA for pair/cluster of Alteon | Done |
| | - Configure Alteon for configuration synchronization | Done |
| 6 | Server Load Balance (SLB) service configuration, up to 10 virtual servers or 10 WAF interception filters | |
| | - Configure Real Server and associate to server group | Done |
| | - Import SSL certificate and configure SSL policy (maximum 10 SSL policies) | Done |
| | - Configure Network Class, Content Class | Done |
| | - Configure content-based rule within Alteon management interface | Done |
| | - Configure Virtual Server and Virtual Service | Done |
| 7 | Global Server Load Balance (GSLB) service configuration, up to 10 domain names | |
| | - Configure Real Server for DR site | |
| | - Configure DNS Responder | |
| | - Configure DNS Redirection rules | |
| | - Configure Client Network rules | |
| 8 | AppWall configuration, up to 5 applications | Done |
| | - Configure scheduled security update and geolocation update with Radware cloud | Done |
| | - Configure AppWall system for publishing security events to APSolute Vision and 3rd-party SIEM | Done |
| | - Configure AppWall Tunnel and Tunnel properties for protected applications | Done |
| | - Configure AppWall Tunnel Parsing properties | Done |
| | - Configure AppWall Security policy with protection filters included: Database, Vulnerability and Allow list | Done |
| 9 | AppWall Staging and Go-live | |
| | - Stage 5 protected applications in monitor mode | |
| | - Review security events and summary policy review with customer | |
| | - Switch applications from monitor mode to block mode | |
| C | Implementation Hand-Over | |
| 1 | On-the-job training shall be limited to: | |
| | - Explanation of implementation topology and relevant technology concepts | |
| | - Run-through of relevant implemented configuration | |
| | - Basic/common troubleshooting | |
| 2 | Project documentation will be limited to: | |
| | - User Acceptance Test Document | |
| | - Implementation Hand-over document | |

Section 3: Implementation Plan
This section details the implementation plan and schedule.

| ID | Task description | Start | Finish |
|---|---|---|---|
| A | Pre-Implementation Phase | | |
| 1 | Internal hand-over meeting to understand project information and background | 8/2/2023 | 8/2/2023 |
| 2 | Kick-off meeting and concrete technical requirements | 16/3/2023 | 16/3/2023 |
| 3 | Provide "Solution Design" and summary information to customer | 13/7/2023 | 13/7/2023 |
| B | Implementation | | |
| 1 | Alteon 5208 Initialization | | |
| | - Hardware status checking and validation | 2/8/2023 | 2/8/2023 |
| | - Initialize Alteon 5208 with the best-practice version according to customer requirement | 2/8/2023 | 2/8/2023 |
| | - Update signatures to latest release | 2/8/2023 | 2/8/2023 |
| 2 | Activate and verify required license and subscription | 2/8/2023 | 2/8/2023 |
| 3 | Tune and harden Alteon based on Radware best practice guideline | 2/8/2023 | 2/8/2023 |
| 4 | Network configuration provisioning | | |
| | - Configure VLAN, trunk, and Spanning Tree | 2/8/2023 | 2/8/2023 |
| | - Configure IP interface | 2/8/2023 | 2/8/2023 |
| | - Configure static route and gateway | 2/8/2023 | 2/8/2023 |
| 5 | High Availability (if required) | | |
| | - Configure HA for pair/cluster of Alteon | 2/8/2023 | 2/8/2023 |
| | - Configure Alteon for configuration synchronization | 2/8/2023 | 2/8/2023 |
| 6 | Server Load Balance (SLB) service configuration, up to 10 virtual servers or 10 WAF interception filters | | |
| | - Configure Real Server and associate to server group | 18/10/2023 | 18/10/2023 |
| | - Import SSL certificate and configure SSL policy (maximum 10 SSL policies) | 18/10/2023 | 18/10/2023 |
| | - Configure Network Class, Content Class | 18/10/2023 | 18/10/2023 |
| | - Configure content-based rule within Alteon management interface | 18/10/2023 | 18/10/2023 |
| | - Configure Virtual Server and Virtual Service | 18/10/2023 | 18/10/2023 |
| 7 | Global Server Load Balance (GSLB) service configuration, up to 10 domain names | | |
| | - Configure Real Server for DR site | | |
| | - Configure DNS Responder | | |
| | - Configure DNS Redirection rules | | |
| | - Configure Client Network rules | | |
| 8 | AppWall configuration, up to 5 applications | 30/1/2024 | 30/1/2024 |
| | - Configure scheduled security update and geolocation update with Radware cloud | 30/1/2024 | 30/1/2024 |
| | - Configure AppWall system for publishing security events to APSolute Vision and 3rd-party SIEM | 30/1/2024 | 30/1/2024 |
| | - Configure AppWall Tunnel and Tunnel properties for protected applications | 30/1/2024 | 30/1/2024 |
| | - Configure AppWall Tunnel Parsing properties | 30/1/2024 | 30/1/2024 |
| | - Configure AppWall Security policy with protection filters included: Database, Vulnerability and Allow list | 30/1/2024 | 30/1/2024 |
| 9 | AppWall Staging and Go-live | | |
| | - Stage 5 protected applications in monitor mode | | |
| | - Review security events and summary policy review with customer | | |
| | - Switch applications from monitor mode to block mode | | |
| C | Implementation Hand-Over | | |
| 1 | On-the-job training shall be limited to: | | |
| | - Explanation of implementation topology and relevant technology concepts | | |
| | - Run-through of relevant implemented configuration | | |
| | - Basic/common troubleshooting | | |
| 2 | Project documentation will be limited to: | | |
| | - User Acceptance Test Document | | |
| | - Implementation Hand-over document | | |

Section 4: Network Diagram
Solution Diagram

[Figure: Solution Diagram]
Section 5: Pre-requisite Information Checklist
Management IP Address DC

| No | Device | IP Address | IP Subnet | Gateway | Switch | MAC | Serial | Version |
|---|---|---|---|---|---|---|---|---|
| 1 | DC1_BCH4_LBF4_1 | 172.16.150.16 | 255.255.255.0 | 172.16.150.254 | OOB Switch | 2c:b6:93:83:73:00 | 42301368 | 32.6.14.0 |
| 2 | DC1_BCH4_LBF4_2 | 172.16.150.17 | 255.255.255.0 | 172.16.150.254 | OOB Switch | 2c:b6:93:83:61:00 | 42301334 | 32.6.14.0 |
| 3 | Cyber Controller | 172.16.150.18 | 255.255.255.0 | 172.16.150.254 | OOB Switch | 56:6f:b7:92:00:17 | 4017160681 | 10.2.0 |

Management IP Address DR

| No | Device | IP Address | IP Subnet | Gateway | Switch | MAC | Serial | Version |
|---|---|---|---|---|---|---|---|---|
| 1 | DR_TCCT_LBF5_1 | 172.16.250.16 | 255.255.255.0 | 172.16.250.254 | OOB Switch | 2c:b6:93:7f:d1:00 | 42301228 | 32.6.14.0 |
| 2 | DR_TCCT_LBF5_2 | 172.16.250.17 | 255.255.255.0 | 172.16.250.254 | OOB Switch | 2c:b6:93:83:4a:00 | 42301349 | 32.6.14.0 |
Devices installed DC

DC1_BCH4_LBF4_1 - Front [photo]

DC1_BCH4_LBF4_1 - Back [photo]

DC1_BCH4_LBF4_2 - Front [photo]

DC1_BCH4_LBF4_2 - Back [photo]

Devices installed DR

DR_TCCT_LBF5_1 - Front [photo]

DR_TCCT_LBF5_1 - Back [photo]

DR_TCCT_LBF5_2 - Front [photo]

DR_TCCT_LBF5_2 - Back [photo]
Network Configuration - Alteon DC1_BCH4_LBF4_1
IP Interfaces

| No | IP Address | IP Subnet | Gateway | VLAN | Interface Type (Client/Server/Proxy) | Remark |
|---|---|---|---|---|---|---|
| 1 | 172.16.111.1 | 255.255.255.0 | 172.16.111.254 | 111 | Client/Server | |
| 2 | 172.16.112.1 | 255.255.255.0 | 172.16.112.254 | 112 | Client/Server | |
| 3 | 172.16.113.1 | 255.255.255.0 | 172.16.113.254 | 113 | Client/Server | |
| 4 | 172.16.114.1 | 255.255.255.0 | 172.16.114.254 | 114 | Client/Server | |
| 5 | 172.16.115.1 | 255.255.255.0 | 172.16.115.254 | 115 | Client/Server | |
| 6 | 172.16.116.1 | 255.255.255.0 | 172.16.116.254 | 116 | Client/Server | |
| 7 | 172.16.117.1 | 255.255.255.0 | 172.16.117.254 | 117 | Client/Server | |
| 8 | 172.16.118.1 | 255.255.255.0 | 172.16.118.254 | 118 | Client/Server | |
| 9 | 172.16.119.1 | 255.255.255.0 | 172.16.119.254 | 119 | Client/Server | |
| 10 | 172.16.120.1 | 255.255.255.0 | 172.16.120.254 | 120 | Client/Server | |
| 11 | 172.16.121.1 | 255.255.255.0 | 172.16.121.254 | 121 | Client/Server | |
| 12 | 172.16.122.1 | 255.255.255.0 | 172.16.122.254 | 122 | Client/Server | |
| 13 | 172.16.123.1 | 255.255.255.0 | 172.16.123.254 | 123 | Client/Server | |
| 14 | 172.16.124.1 | 255.255.255.0 | 172.16.124.254 | 124 | Client/Server | |

Network Configuration - Alteon DC1_BCH4_LBF4_2
IP Interfaces

| No | IP Address | IP Subnet | Gateway | VLAN | Interface Type (Client/Server/Proxy) | Remark |
|---|---|---|---|---|---|---|
| 1 | 172.16.111.2 | 255.255.255.0 | 172.16.111.254 | 111 | Client/Server | |
| 2 | 172.16.112.2 | 255.255.255.0 | 172.16.112.254 | 112 | Client/Server | |
| 3 | 172.16.113.2 | 255.255.255.0 | 172.16.113.254 | 113 | Client/Server | |
| 4 | 172.16.114.2 | 255.255.255.0 | 172.16.114.254 | 114 | Client/Server | |
| 5 | 172.16.115.2 | 255.255.255.0 | 172.16.115.254 | 115 | Client/Server | |
| 6 | 172.16.116.2 | 255.255.255.0 | 172.16.116.254 | 116 | Client/Server | |
| 7 | 172.16.117.2 | 255.255.255.0 | 172.16.117.254 | 117 | Client/Server | |
| 8 | 172.16.118.2 | 255.255.255.0 | 172.16.118.254 | 118 | Client/Server | |
| 9 | 172.16.119.2 | 255.255.255.0 | 172.16.119.254 | 119 | Client/Server | |
| 10 | 172.16.120.2 | 255.255.255.0 | 172.16.120.254 | 120 | Client/Server | |
| 11 | 172.16.121.2 | 255.255.255.0 | 172.16.121.254 | 121 | Client/Server | |
| 12 | 172.16.122.2 | 255.255.255.0 | 172.16.122.254 | 122 | Client/Server | |
| 13 | 172.16.123.2 | 255.255.255.0 | 172.16.123.254 | 123 | Client/Server | |
| 14 | 172.16.124.2 | 255.255.255.0 | 172.16.124.254 | 124 | Client/Server | |

Network Configuration - Alteon DR_TCCT_LBF5_1
IP Interfaces

| No | IP Address | IP Subnet | Gateway | VLAN | Interface Type (Client/Server/Proxy) | Remark |
|---|---|---|---|---|---|---|
| 1 | 172.16.211.1 | 255.255.255.0 | 172.16.211.254 | 211 | Client/Server | |
| 2 | 172.16.212.1 | 255.255.255.0 | 172.16.212.254 | 212 | Client/Server | |
| 3 | 172.16.213.1 | 255.255.255.0 | 172.16.213.254 | 213 | Client/Server | |
| 4 | 172.16.214.1 | 255.255.255.0 | 172.16.214.254 | 214 | Client/Server | |
| 5 | 172.16.216.1 | 255.255.255.0 | 172.16.216.254 | 216 | Client/Server | |
| 6 | 172.16.217.1 | 255.255.255.0 | 172.16.217.254 | 217 | Client/Server | |
| 7 | 172.16.218.1 | 255.255.255.0 | 172.16.218.254 | 218 | Client/Server | |
| 8 | 172.16.219.1 | 255.255.255.0 | 172.16.219.254 | 219 | Client/Server | |
| 9 | 172.16.220.1 | 255.255.255.0 | 172.16.220.254 | 220 | Client/Server | |
| 10 | 172.16.221.1 | 255.255.255.0 | 172.16.221.254 | 221 | Client/Server | |
| 11 | 172.16.222.1 | 255.255.255.0 | 172.16.222.254 | 222 | Client/Server | |
| 12 | 172.16.223.1 | 255.255.255.0 | 172.16.223.254 | 223 | Client/Server | |
| 13 | 172.16.224.1 | 255.255.255.0 | 172.16.224.254 | 224 | Client/Server | |

Network Configuration - Alteon DR_TCCT_LBF5_2
IP Interfaces

| No | IP Address | IP Subnet | Gateway | VLAN | Interface Type (Client/Server/Proxy) | Remark |
|---|---|---|---|---|---|---|
| 1 | 172.16.211.2 | 255.255.255.0 | 172.16.211.254 | 211 | Client/Server | |
| 2 | 172.16.212.2 | 255.255.255.0 | 172.16.212.254 | 212 | Client/Server | |
| 3 | 172.16.213.2 | 255.255.255.0 | 172.16.213.254 | 213 | Client/Server | |
| 4 | 172.16.214.2 | 255.255.255.0 | 172.16.214.254 | 214 | Client/Server | |
| 5 | 172.16.216.2 | 255.255.255.0 | 172.16.216.254 | 216 | Client/Server | |
| 6 | 172.16.217.2 | 255.255.255.0 | 172.16.217.254 | 217 | Client/Server | |
| 7 | 172.16.218.2 | 255.255.255.0 | 172.16.218.254 | 218 | Client/Server | |
| 8 | 172.16.219.2 | 255.255.255.0 | 172.16.219.254 | 219 | Client/Server | |
| 9 | 172.16.220.2 | 255.255.255.0 | 172.16.220.254 | 220 | Client/Server | |
| 10 | 172.16.221.2 | 255.255.255.0 | 172.16.221.254 | 221 | Client/Server | |
| 11 | 172.16.222.2 | 255.255.255.0 | 172.16.222.254 | 222 | Client/Server | |
| 12 | 172.16.223.2 | 255.255.255.0 | 172.16.223.254 | 223 | Client/Server | |
| 13 | 172.16.224.2 | 255.255.255.0 | 172.16.224.254 | 224 | Client/Server | |
Network Configuration - High Availability
Floating IP DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2

| No | IP Address | Remark |
|---|---|---|
| 1 | 172.16.111.10 | |
| 2 | 172.16.112.10 | |
| 3 | 172.16.113.10 | |
| 4 | 172.16.114.10 | |
| 5 | 172.16.115.10 | |
| 6 | 172.16.116.10 | |
| 7 | 172.16.117.10 | |
| 8 | 172.16.118.10 | |
| 9 | 172.16.119.10 | |
| 10 | 172.16.120.10 | |
| 11 | 172.16.121.10 | |
| 12 | 172.16.122.10 | |
| 13 | 172.16.123.10 | |
| 14 | 172.16.124.10 | |

Floating IP DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2

| No | IP Address | Remark |
|---|---|---|
| 1 | 172.16.211.10 | |
| 2 | 172.16.212.10 | |
| 3 | 172.16.213.10 | |
| 4 | 172.16.214.10 | |
| 5 | 172.16.216.10 | |
| 6 | 172.16.217.10 | |
| 7 | 172.16.218.10 | |
| 8 | 172.16.219.10 | |
| 9 | 172.16.220.10 | |
| 10 | 172.16.221.10 | |
| 11 | 172.16.222.10 | |
| 12 | 172.16.223.10 | |
| 13 | 172.16.224.10 | |
Proxy IP VLANs
Proxy IP DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2

| No | IP Address | VLAN | Remark |
|---|---|---|---|
| 1 | 172.16.111.13 | 111 | |
| 2 | 172.16.112.13 | 112 | |
| 3 | 172.16.113.13 | 113 | |
| 4 | 172.16.114.13 | 114 | |
| 5 | 172.16.115.13 | 115 | |
| 6 | 172.16.116.13 | 116 | |
| 7 | 172.16.117.13 | 117 | |
| 8 | 172.16.118.13 | 118 | |
| 9 | 172.16.119.13 | 119 | |
| 10 | 172.16.120.13 | 120 | |
| 11 | 172.16.121.13 | 121 | |
| 12 | 172.16.122.13 | 122 | |
| 13 | 172.16.123.13 | 123 | |
| 14 | 172.16.124.13 | 124 | |

Proxy IP DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2

| No | IP Address | VLAN | Remark |
|---|---|---|---|
| 1 | 172.16.211.13 | 211 | |
| 2 | 172.16.212.13 | 212 | |
| 3 | 172.16.213.13 | 213 | |
| 4 | 172.16.214.13 | 214 | |
| 5 | 172.16.216.13 | 216 | |
| 6 | 172.16.217.13 | 217 | |
| 7 | 172.16.218.13 | 218 | |
| 8 | 172.16.219.13 | 219 | |
| 9 | 172.16.220.13 | 220 | |
| 10 | 172.16.221.13 | 221 | |
| 11 | 172.16.222.13 | 222 | |
| 12 | 172.16.223.13 | 223 | |
| 13 | 172.16.224.13 | 224 | |
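The per-VLAN addressing in the interface, floating IP and proxy IP tables above follows one pattern on every VLAN (unit interfaces at .1 and .2, floating IP at .10, proxy IP at .13, gateway at .254 of the VLAN's /24), and a single typo in any of those tables produces an HA pair that fails over or source-NATs incorrectly. The script below is an added example, not part of this document or of any Radware tooling: it encodes the rules each VLAN of an HA pair should satisfy (every address inside the VLAN's subnet and a usable host, no address reused across roles, no duplicate VLAN ids, no overlapping subnets) and runs them over rows copied from the DC tables plus one constructed faulty row. The `VlanPlan` structure and the rule set are this example's own assumptions.

```python
"""Sanity check for an Alteon HA pair's per-VLAN IP plan (added example).

Not part of the original document and not a Radware tool. The VlanPlan
shape and the rules are assumptions of this example; the three DC rows
are copied from the tables in this section, VLAN 999 is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class VlanPlan:
    vlan: int
    subnet: str          # CIDR for the VLAN, e.g. "172.16.111.0/24"
    gateway: str         # default gateway on that VLAN
    unit_ips: List[str]  # one interface IP per Alteon in the pair
    floating_ip: str     # HA floating IP shared by the pair
    proxy_ip: str        # proxy IP (source NAT address) on that VLAN


def check_vlan(p: VlanPlan) -> List[str]:
    """Return the problems found in one VLAN's addressing (empty list = OK)."""
    problems: List[str] = []
    net = ipaddress.ip_network(p.subnet, strict=True)

    if len(p.unit_ips) != 2:
        problems.append(f"VLAN {p.vlan}: expected 2 unit interface IPs, got {len(p.unit_ips)}")

    roles = {"gateway": p.gateway, "floating": p.floating_ip, "proxy": p.proxy_ip}
    for i, ip in enumerate(p.unit_ips, start=1):
        roles[f"unit{i}"] = ip

    # Every address must sit inside the VLAN's subnet and be a usable host address.
    for role, ip in roles.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"VLAN {p.vlan}: {role} {ip} is outside {p.subnet}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"VLAN {p.vlan}: {role} {ip} is the network or broadcast address")

    # No two roles may share an address (e.g. floating IP equal to a unit IP).
    seen = {}
    for role, ip in roles.items():
        if ip in seen:
            problems.append(f"VLAN {p.vlan}: {role} and {seen[ip]} both use {ip}")
        seen[ip] = role
    return problems


def check_plan(plans: List[VlanPlan]) -> List[str]:
    """Check every VLAN, then look for duplicate VLAN ids and overlapping subnets."""
    problems: List[str] = []
    for p in plans:
        problems.extend(check_vlan(p))
    ids = [p.vlan for p in plans]
    for v in sorted(set(ids)):
        if ids.count(v) > 1:
            problems.append(f"VLAN {v} is listed {ids.count(v)} times")
    for i, a in enumerate(plans):
        for b in plans[i + 1:]:
            if ipaddress.ip_network(a.subnet).overlaps(ipaddress.ip_network(b.subnet)):
                problems.append(f"VLAN {a.vlan} subnet {a.subnet} overlaps VLAN {b.vlan} subnet {b.subnet}")
    return problems


# Rows copied from the DC tables in this section (VLANs 111-113).
DC_PLAN = [
    VlanPlan(111, "172.16.111.0/24", "172.16.111.254", ["172.16.111.1", "172.16.111.2"], "172.16.111.10", "172.16.111.13"),
    VlanPlan(112, "172.16.112.0/24", "172.16.112.254", ["172.16.112.1", "172.16.112.2"], "172.16.112.10", "172.16.112.13"),
    VlanPlan(113, "172.16.113.0/24", "172.16.113.254", ["172.16.113.1", "172.16.113.2"], "172.16.113.10", "172.16.113.13"),
]

# Constructed faulty row: floating IP collides with unit 2 and the proxy IP is in another subnet.
BAD_VLAN = VlanPlan(999, "10.99.0.0/24", "10.99.0.254", ["10.99.0.1", "10.99.0.2"], "10.99.0.2", "10.98.0.13")

if __name__ == "__main__":
    for label, plan in (("DC rows from document", DC_PLAN), ("DC rows + constructed faulty row", DC_PLAN + [BAD_VLAN])):
        found = check_plan(plan)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for msg in found:
            print("  -", msg)
```

Run it as a script to see the three document rows pass and the constructed row report two problems; to check a full site plan, extend `DC_PLAN` with the remaining rows from the tables (or a DR list built from the DR tables) and feed it to `check_plan`.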

Virtual Service Configuration
Real Server DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2
No Real Server ID IP Address Port / Service Type Health Check Remark
1 PRD_DMZ-Dataplan01 172.16.123.51 - Inherit -
2 PRD_DMZ-Dataplan02 172.16.123.52 - Inherit -
3 PRD_DMZ-PostgreSQL01 172.16.123.51 - Inherit -
4 PRD_DMZ-PostgreSQL02 172.16.123.52 - Inherit -
5 PRD_INT-Dataplan01 172.16.122.51 - Inherit -
6 PRD_INT-Dataplan02 172.16.122.52 - Inherit -
7 PRD_INT-PostgreSQL01 172.16.122.51 - Inherit -
8 PRD_INT-PostgreSQL02 172.16.122.52 - Inherit -
9 PRE-PRD_DMZ-Dataplan01 172.16.118.51 - Inherit -
10 PRE-PRD_DMZ-Dataplan02 172.16.118.52 - Inherit -
11 PRE-PRD_DMZ-PostgreSQL01 172.16.118.51 - Inherit -
12 PRE-PRD_DMZ-PostgreSQL02 172.16.118.52 - Inherit -
13 PRE-PRD_INT-Dataplan01 172.16.117.51 - Inherit -
14 PRE-PRD_INT-Dataplan02 172.16.117.52 - Inherit -
15 PRE-PRD_INT-PostgreSQL01 172.16.117.51 - Inherit -
16 PRE-PRD_INT-PostgreSQL02 172.16.117.52 - Inherit -
17 sdc1cbsiu1 172.16.113.51 - Inherit -
18 sdc1cbsiu2 172.16.113.52 - Inherit -
19 sdc1cbsiu4 172.16.112.51 - Inherit -
20 sdc1cbsiu5 172.16.112.52 - Inherit -
21 UAT_DMZ-Dataplan01 172.16.113.51 - Inherit -
22 UAT_DMZ-Dataplan02 172.16.113.52 - Inherit -
23 UAT_DMZ-PostgreSQL01 172.16.113.51 - Inherit -
24 UAT_DMZ-PostgreSQL02 172.16.113.52 - Inherit -
25 UAT_INT-Dataplan01 172.16.112.51 - Inherit -
26 UAT_INT-Dataplan02 172.16.112.52 - Inherit -
27 UAT_INT-PostgreSQL01 172.16.112.51 - Inherit -
28 UAT_INT-PostgreSQL02 172.16.112.52 - Inherit -
29 PRD_DMZ-Dataplan01 172.16.123.51 - Inherit -
30 PRD_DMZ-Dataplan02 172.16.123.52 - Inherit -
31 PRD_DMZ-PostgreSQL01 172.16.123.51 - Inherit -
32 PRD_DMZ-PostgreSQL02 172.16.123.52 - Inherit -

Real Server DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2
No Real Server ID IP Address Port / Service Type Health Check Remark
1 PRD_DMZ-Dataplan01 172.16.223.51 - Inherit -
2 PRD_DMZ-Dataplan02 172.16.223.52 - Inherit -
3 PRD_DMZ-PostgreSQL01 172.16.223.51 - Inherit -
4 PRD_DMZ-PostgreSQL02 172.16.223.52 - Inherit -
5 PRD_INT-Dataplan01 172.16.222.51 - Inherit -
6 PRD_INT-Dataplan02 172.16.222.52 - Inherit -
7 PRD_INT-PostgreSQL01 172.16.222.51 - Inherit -
8 PRD_INT-PostgreSQL02 172.16.222.52 - Inherit -

Group Server DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2
No Group Server ID Real Server List Port / Service Type Health Check Metric Type Remark
1 PRD_DMZ-Dataplan PRD_DMZ-Dataplan01, PRD_DMZ-Dataplan02 - TCP Least Connection -
2 PRD_DMZ-PostgreSQL PRD_DMZ-PostgreSQL01 - TCP_PostgreSQL Least Connection Backup: rPRD_DMZ-PostgreSQL02
3 PRD_INT-Dataplan PRD_INT-Dataplan01, PRD_INT-Dataplan02 - TCP Least Connection -
4 PRD_INT-PostgreSQL PRD_INT-PostgreSQL01 - TCP_PostgreSQL Least Connection Backup: rPRD_INT-PostgreSQL02
5 PRE-PRD_DMZ-Dataplan PRE-PRD_DMZ-Dataplan01, PRE-PRD_DMZ-Dataplan02 - TCP Least Connection -
6 PRE-PRD_DMZ-PostgreSQL PRE-PRD_DMZ-PostgreSQL01 - TCP_PostgreSQL Least Connection Backup: rPRE-PRD_DMZ-PostgreSQL02
7 PRE-PRD_INT-Dataplan PRE-PRD_INT-Dataplan01, PRE-PRD_INT-Dataplan02 - TCP Least Connection -
8 PRE-PRD_INT-PostgreSQL PRE-PRD_INT-PostgreSQL01 - TCP_PostgreSQL Least Connection Backup: rPRE-PRD_INT-PostgreSQL02
9 UAT_DMZ-Dataplan UAT_DMZ-Dataplan01, UAT_DMZ-Dataplan02 - TCP Least Connection -
10 UAT_DMZ-PostgreSQL UAT_DMZ-PostgreSQL01 - TCP_PostgreSQL Least Connection Backup: rUAT_DMZ-PostgreSQL02
11 UAT_INT-Dataplan UAT_INT-Dataplan01, UAT_INT-Dataplan02 - TCP Least Connection -
12 UAT_INT-PostgreSQL UAT_INT-PostgreSQL01 - TCP_PostgreSQL Least Connection Backup: rUAT_INT-PostgreSQL02

Group Server DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2
No Group Server ID Real Server List Port / Service Type Health Check Metric Type Remark
1 PRD_DMZ-Dataplan PRD_DMZ-Dataplan01, PRD_DMZ-Dataplan02 - TCP Least Connection -
2 PRD_DMZ-PostgreSQL PRD_DMZ-PostgreSQL01 - TCP_PostgreSQL Least Connection Backup: rPRD_DMZ-PostgreSQL02
3 PRD_INT-Dataplan PRD_INT-Dataplan01, PRD_INT-Dataplan02 - TCP Least Connection -
4 PRD_INT-PostgreSQL PRD_INT-PostgreSQL01 - TCP_PostgreSQL Least Connection Backup: rPRD_INT-PostgreSQL02

Virtual Server DC1_BCH4_LBF4_1 and DC1_BCH4_LBF4_2
No Virtual Server ID IP Address Port / Service Group Server Remark
1 PRD_DMZ-Dataplan 172.16.123.21 443 PRD_DMZ-Dataplan ProxyIP: Ingresss
2 PRD_DMZ-PostgreSQL 172.16.123.22 5432 PRD_DMZ-PostgreSQL ProxyIP: Ingresss
3 PRD_INT-Dataplan 172.16.122.21 443 PRD_INT-Dataplan ProxyIP: Ingresss
4 PRD_INT-PostgreSQL 172.16.122.22 5432 PRD_INT-PostgreSQL ProxyIP: Ingresss
5 PRE-PRD_DMZ-Dataplan 172.16.118.21 443 PRE-PRD_DMZ-Dataplan ProxyIP: Ingresss
6 PRE-PRD_DMZ-PostgreSQL 172.16.118.22 5432 PRE-PRD_DMZ-PostgreSQL ProxyIP: Ingresss
7 PRE-PRD_INT-Dataplan 172.16.117.21 443 PRE-PRD_INT-Dataplan ProxyIP: Ingresss
8 PRE-PRD_INT-PostgreSQL 172.16.117.22 5432 PRE-PRD_INT-PostgreSQL ProxyIP: Ingresss
9 UAT_DMZ-Dataplan 172.16.113.21 443 UAT_DMZ-Dataplan ProxyIP: Ingresss
10 UAT_DMZ-PostgreSQL 172.16.113.22 5432 UAT_DMZ-PostgreSQL ProxyIP: Ingresss
11 UAT_INT-Dataplan 172.16.112.21 443 UAT_INT-Dataplan ProxyIP: Ingresss
12 UAT_INT-PostgreSQL 172.16.112.22 5432 UAT_INT-PostgreSQL ProxyIP: Ingresss

Virtual Server DR_TCCT_LBF5_1 and DR_TCCT_LBF5_2
No Virtual Server ID IP Address Port / Service Group Server Remark
1 PRD_DMZ-Dataplan 172.16.223.21 443 PRD_DMZ-Dataplan ProxyIP: Ingresss
2 PRD_DMZ-PostgreSQL 172.16.223.22 5432 PRD_DMZ-PostgreSQL ProxyIP: Ingresss
3 PRD_INT-Dataplan 172.16.222.21 443 PRD_INT-Dataplan ProxyIP: Ingresss
4 PRD_INT-PostgreSQL 172.16.222.22 5432 PRD_INT-PostgreSQL ProxyIP: Ingresss

Section 6: Configuration Summary
This section provides details of the configuration related to the Scope of Work.

Hardening devices
User Accounts
Radware recommends changing the default password of the predefined accounts.
Configuration > System > Users > Local Users > Settings
Change password -> P@ssw0rdExim
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

SSH
By default, Alteon is accessible via SSH on TCP port 22. Consider changing the default port and disabling SSH version 1. In addition, consider using PKI for SSH login.
Configuration > System > Management Access > Management Protocols > SSH
Selected: V2 only
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

HTTPS Access
Consider changing the default ports and disabling weak TLS versions.
Configuration > System > Management Access > Management Protocols > HTTPS
Selected: TLS 1.2 and TLS 1.3
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

Telnet Access
Ensure that Telnet access is not allowed.
Configuration > System > Management Access > Telnet
Enable Telnet: unselected
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

Login Banner
Radware recommends setting an appropriate timeout for a management session.
Note: The maximum allowed banner size is 319 characters.
Configuration > System > Management > CLI
Banner text:
Unauthorized ACCESS is Strictly Prohibited
This system is the property of the Export-Import Bank of Thailand
Disconnect IMMEDIATELY if you are not an authorized user.
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

Audit configuration
By default, Alteon does not log management events such as logins and information about configuration changes. Analyzing these logs may assist in recognizing unauthorized access.
Configuration > System > Logging and Alerts
Enabled: All
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

Define the Subnets Allowed to Manage the Device
Radware recommends that access to Alteon management be limited to a set of specific subnets. By default, all subnets are allowed. You can also specify the allowed access methods for each subnet.
Configuration > System > Management Access > Access Control > Allowed Protocols per Network > Add
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

Disallow Management Access from Data Network
Radware recommends allowing management access only via the management port.
Configuration > System > Management Access > Access Control > Data Port Access for Management Traffic
Change to: Deny all
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

User Lockout
To mitigate brute force attacks against the Alteon management interface, Radware recommends locking users out after unsuccessful login attempts.
Configuration > System > Users > Local Users > Settings
Enable User Lockout > Login Failure Threshold: 5 times > User Lockout Duration: 10 mins > Lockout Reset Duration: 10 mins
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

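A SIEM-side replay of this lockout policy (5 failures, 10-minute lockout, 10-minute reset) over exported login events, as an added example that is not part of this document or of Radware's software. The log line format, user names and source addresses are constructed, and a successful login resetting the failure counter is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                    # Login Failure Threshold: 5 times
LOCKOUT = timedelta(minutes=10)  # User Lockout Duration: 10 mins
RESET = timedelta(minutes=10)    # Lockout Reset Duration: 10 mins

# Constructed line format (not Alteon's real syslog format):
# "<ISO time> <device> login <failed|ok> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (\S+) login (failed|ok) user=(\S+) src=(\S+)$")

def replay(lines):
    """Return (alerts, during_lockout): alerts lists (time, device, user, src)
    each time THRESHOLD failures land within RESET; during_lockout lists
    attempts made while that user was still locked out."""
    window = defaultdict(list)   # (device, user) -> failure times in window
    locked_until = {}            # (device, user) -> end of lockout
    alerts, during_lockout = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a login event, skip it
        ts = datetime.fromisoformat(m[1])
        device, result, user, src = m[2], m[3], m[4], m[5]
        key = (device, user)
        if key in locked_until and ts < locked_until[key]:
            during_lockout.append((ts, device, user, src))
            continue                      # assumed: all logins rejected while locked
        if result == "ok":
            window[key].clear()           # assumed: a success resets the counter
            continue
        # failures older than the reset duration no longer count
        window[key] = [t for t in window[key] if ts - t < RESET] + [ts]
        if len(window[key]) >= THRESHOLD:
            alerts.append((ts, device, user, src))
            locked_until[key] = ts + LOCKOUT
            window[key].clear()
    return alerts, during_lockout

# Constructed sample export; only the device name comes from this document
SAMPLE_LOG = """\
2024-02-02T09:00:00 DC1_BCH4_LBF4_1 login failed user=admin src=10.0.0.5
2024-02-02T09:00:20 DC1_BCH4_LBF4_1 login failed user=admin src=10.0.0.5
2024-02-02T09:00:40 DC1_BCH4_LBF4_1 login failed user=admin src=10.0.0.5
2024-02-02T09:01:00 DC1_BCH4_LBF4_1 login failed user=admin src=10.0.0.5
2024-02-02T09:01:20 DC1_BCH4_LBF4_1 login failed user=admin src=10.0.0.5
2024-02-02T09:02:00 DC1_BCH4_LBF4_1 login ok user=admin src=10.0.0.5
2024-02-02T09:30:00 DC1_BCH4_LBF4_1 login failed user=oper src=10.0.0.9
2024-02-02T09:45:00 DC1_BCH4_LBF4_1 login failed user=oper src=10.0.0.9
""".splitlines()
```

On the sample, the fifth admin failure at 09:01:20 raises the alert, the later successful login falls inside the lockout window, and the two oper failures are 15 minutes apart so they never accumulate.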
Management Session Idle Timeout
Radware recommends setting an appropriate timeout for a management session. For production environments, Radware recommends keeping the idle timeout to the minimum value.
Configuration > System > Management Access
Idle Timeout: 20 mins
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

SNMP Communities
Radware recommends that, if SNMP monitoring is enabled, SNMPv3 be used because it can be secured. Using SNMPv1 or SNMPv2c is deprecated because they use clear-text community strings.
Configuration > System > SNMP
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

General
NTP Server Configuration
Radware recommends keeping the time of the load balancer in sync with the local time.
Configuration > System > Time and Date
Primary IP Address: 172.16.150.254
Secondary IP Address: 0.0.0.0
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

Syslog Configuration
Radware also recommends exporting device logs to a unified location (such as a SIEM) to allow for security event investigation.
Configuration > System > Logging and Alerts
Syslog IP Address: 172.16.150.20
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

DNS Server Configuration
Radware recommends configuring a DNS server for the Alteon device.
Configuration > System > DNS Client
Primary IP Address: 8.8.8.8
Secondary IP Address: 8.8.4.4
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

Device Name
Radware recommends displaying the device name at the CLI prompt.
Configuration > SNMP > System Name
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

Network Settings Configuration
VLANs
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

Interfaces
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

Gateways
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

Proxy IPs
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

High Availability Configuration (Master-Backup)
High Availability
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

HA Status
Devices: DC1_BCH4_LBF4_1, DC1_BCH4_LBF4_2, DR_TCCT_LBF5_1, DR_TCCT_LBF5_2

Virtual Servers & Real Servers
Real Servers
Sites: DC, DR

Server Group
DC: Dataplan, PostgreSQL
DR: Dataplan, PostgreSQL

Virtual Servers
Sites: DC, DR

Virtual Services
DC: Dataplan, PostgreSQL
DR: Dataplan, PostgreSQL

Web Application Firewall
Secured Web Applications
Sites: DC, DR

Tunnels Configuration
Sites: DC, DR

Web Application Policies
Sites: DC, DR

DNS
DNS Responder VIP
Sites: DC, DR