So the company that I work for is a retailer with a couple hundred locations. Our IT backend has slowly been improving, but as a department we are perpetually understaffed and underfunded. This kind of explains the state of the network equipment in our stores. It’s a little embarrassing, really, but we are finally working to make it better.
Our current setup in our stores is a Cisco 1841 router and a 2950 24-port switch. That’s it. WAN connectivity is a T1. The switch has a couple VLANs on it for regular network equipment and for the POS system. The router has some ACLs controlling access to/from the network segments. Honestly this was some pretty cool stuff in 2005. It was even acceptable when these pieces of equipment went end-of-sale in 2007. But here we are 8 years later.
This setup has allowed us to pass PCI for a couple years now, but with the new PCI 3.0 rules, a stateful firewall is required, and we won’t be able to coast another year. Combine this new requirement with some high-profile breaches from Target and Home Depot, and our management is finally scared enough to give us the money to modernize our store IT infrastructure. And since we finally get a chance to redesign the store network with a clean sheet, we are doing our best to make sure that the new design is as secure as we can make it, is scalable, has room for expansion and extension to things we haven’t thought of yet, and is thoroughly kick-ass. And most importantly, this whole project will require a store visit to every store to rip and replace, so we can actually change things, and not be beholden to decisions that were hastily made 10 years ago and have been a millstone around our necks ever since.
Can you tell I’m excited about this?
We started this project by planning out what we want the network to look like. It came down to several whiteboarding sessions, with careful consideration of what our stores look like now, what they SHOULD look like now, and what decisions we can make now to ensure that we (or our successors) won’t be cursing us 5 or 10 years down the line.
Once we got our design 95% finalized, we started to think about what equipment and systems we would need to make it all happen. Some of it was obvious or pre-ordained (like the wireless solution, which I will discuss in a future post), but there were three places where we knew that we need a piece of equipment, and need to decide what would fill that role. First, and most obviously, we need a firewall. Second, we need a new switch. A bit of luck happened on this front, which allowed us to bypass the beancounter (yes, singular) a bit and get something much better than we otherwise would have been allowed to get. Third, we need a router. In our new design the router is no longer the single point of security enforcement like it was before, but the fact is, every one of our stores has a T1 on MPLS, so we need a router to connect to it. Honestly, if there was such thing as an Ethernet-to-T1 media converter, we would have used it, but there isn’t, so a-router-shopping we will go.
As I’m writing this, most of the decisions on this project have been made already. I’m writing it all up, because maybe somebody else will be able to get something out of the work that we put into our evaluations of different equipment. I will write some future posts detailing the evaluation process for the equipment that we chose, the decisions we made, and how things have shaked out, but I think this will do for now.
To read more about this project, follow the tag New Store Architecture
Currently drinking: Cruzan rum and IBC root beer