New WAN infrastructure

“Confidence and innovation" is the enduring motto of Rawlplug, the company that started a revolution in the construction industry. Since John Joseph Rawlings (co-founder of Rawlplug) invented and patented the first dowel in 1913, the history of fastener manufacturing has remained steadfastly linked to Rawlplug. Today, the company has 72 branches on 3 continents around the world and faces new challenges, such as the redevelopment of the ICT network. Planning and implementing a new WAN infrastructure for such a large environment, assuming the continuity of key systems, is not a simple task, requiring a great deal of knowledge, experience and, above all, a precise plan. This extremely responsible task was entrusted to the network engineers of SNP Poland (currently All for one Poland).

Project assumptions

The main objective of the project was to build a new network environment that would raise the security, reliability and scalability of the entire infrastructure. The project included a complete modernization of Rawlplug’s headquarters and selected branch offices. The changes were to include modernization of routers at the company’s headquarters, Site-to-Site VP N between branches and Personal VPN solutions.

Embarking on such a complex project required, as a first step, the execution of an audit, which allowed us to identify directions and proposals for change. After performing a review of the existing infrastructure, we proceeded to make a detailed implementation plan. The prepared document included proposals for changes to the infrastructure, along with scenarios for migrating individual network segments to the new Rawlplug network environment. Due to the need to maintain continuity of systems operation, the project envisaged parallel operation of two Rawlplug network environments (the old and the new) so that a smooth migration of individual network segments would be possible. This state was to be maintained until all services were migrated to the new network infrastructure. Once the implementation plan was approved, implementation proceeded.

A modern approach

One of the first steps was to acquire PI (Provider Independent) IPv4 addressing for Rawlplug. By obtaining its own IPv4 block and AS number, Rawlplug became independent of ISP addressing. Having its own IPv4 address space has opened up completely new opportunities for Rawlplug to increase reliability. SNP Poland (now All for One Poland) proposed to revolutionize existing WAN connections. A new network backbone topology was designed and implemented, where the point of interconnection with operators became two edge routers, on which two BGP sessions each (primary and backup) with two different telecom operators were set up. This approach resulted in an infrastructure that was resilient to single points of failure, which directly improved the availability of Rawlplug’s services and systems.

In the next stage, work proceeded on the implementation of the main firewall at Rawlplug’s headquarters. The new heart of the network was a firewall cluster consisting of two Fortigate units, connected redundantly to the backbone switches via 10G port aggregation. Communication with the edge routers was implemented using the OSPF dynamic routing protocol. The Fortigate cluster was integrated with Active Directory, which made it possible to realize administrative access based on the LDAP database. As designed, a mechanism for regulating access to systems based on FSSO (Fortinet Single Sign-On) was also implemented. This required the integration of the Fortigate cluster with the domain controllers, on which the agent and FSSO collectors responsible for maintaining a consistent database on logged-in domain users were installed and configured. Security policies implementing access to systems based on users’ membership in domain groups, is not only a significant increase in security, but also a great convenience in terms of privilege management. As part of the implementation, a set of policies was prepared based on FSSO, while indicating the best practices used in the implementation of access control to systems.

Remote access

Remote access is one of the functionalities that greatly facilitates the operation of any company. Reachability of corporate resources from anywhere in the world after setting up an encrypted connection is an extremely convenient and secure method to accomplish tasks when employees are away from the company’s headquarters. SSLVPN is another Fortigate functionality that has been implemented by SNP Poland, replacing Rawlplug’s current VPN solutions. The SSLVPN concentrator has been configured to allow connections to be established through both a web browser and a special client provided by Fortinet. SSLVPN accounts have been integrated into the Rawlplug domain, so remote access to resources is realized based on membership in the appropriate domain groups. In addition, a second SSLVPN portal dedicated to subcontractors was also launched as part of the implementation.

Reorganization of branches

Rawlplug is a huge company with numerous subsidiaries present on 3 continents around the world, the heart of which is the headquarters located in Wroclaw. This is where most of the systems to which uninterrupted access must be realized are located. The project involved the implementation of Fortinet solutions for the offices designated by Rawlplug. Connections between individual branches and the headquarters were realized using Site-to-Site VPN connections. It is worth noting that the branches that have redundant Internet connections were connected to the headquarters using two VPN tunnels, and on each of the tunnel connections the dynamic routing protocol OSPF was activated, which in case of failure of the primary link causes automatic switching of traffic to the backup tunnel.

Efficient use of resources is one of the basic principles of business, which is why Rawlplug offices with redundant Internet links can use the SD-WAN mechanism implemented by SNP (currently All for One Poland). This functionality, when properly configured, enables traffic balancing between operators, and, combined with the implemented QoS mechanisms, allows efficient use of available resources.

Rafal Klysiewicz, IT Director, Rawlplug

Highest standards for network solutions
In a rapidly growing company like ours, it is very important to ensure flexibility and at the same time secure access to data.
Standardization and ease of management of multiple access sites are key for us. That’s why we decided to thoroughly modernize the infrastructure at headquarters and selected branches. We opted for a market standard by moving away from proprietary, hard-to-maintain solutions.
The project proved to be really demanding. A complex network structure, state-of-the-art solutions, attention to the highest security standards, and all this with continuous availability of systems. The result was an efficient process of migrating branches to the new network, high availability at the headquarters, simple configuration and full monitoring with transparent logging of events. Personally, in working with SNP on this project, I appreciate not only the expertise but also the very good documentation, workshops and support for our administrators.
We chose SNP Poland (now All for One Poland) because of our previous experience in such projects and a large team of specialists giving us considerable comfort in such a demanding project. The solutions proposed to us meet the highest standards, and currently our network infrastructure allows for further development.
Rafal Klysiewicz, IT Director, Rawlplug

WLAN

The use of WLAN is one of the most convenient and simplest methods of accessing network resources. The use of WiFi in a corporate network is quite common. Nevertheless, when configuring them, it is important to remember to use appropriate methods to secure access from unauthorized persons. For Rawlplug branches using FortiWiFi models, a corporate WiFi network configuration with Radius server-based authorization was prepared, while a separate SSID with a subnet separated from the rest of the infrastructure was launched for guests.

Management and Monitoring

One of the most serious challenges faced by those administering a large and complex network environment is its management and monitoring. However, this task is much easier when the environment is consistent and has a centralized administration panel. FortiManager and FortiAnalyzer are other Fortinet products deployed at Rawlplug. A single administration console, revision of changes, and centralized configuration management of a group of devices are just some of the FortiManager features implemented by SNP Poland. Complementing the centralization is FortiAnalyzer, which provides a central point for archiving logs and statistics, facilitating network analysis and diagnostics through a single administration panel.

Training and as-built documentation

The implementation carried out by SNP Poland (now All for One Poland) covered a very wide range of network issues, so training sessions were conducted during each stage to allow Rawlplug administrators to understand the principle of the mechanisms used, so that they could continue managing the network on their own. After each completed stage, verification tests of the implemented mechanisms were conducted, along with explanations of the principles of their operation. In addition, at the end of the project, SNP Poland organized workshops to systematize the knowledge to be acquired during the implementation and provided extensive post-implementation documentation.