
Enterprise IT Infrastructure Planning and Network Security Architecture Proposal

This document outlines a comprehensive enterprise IT infrastructure plan covering network topology, hardware selection, security measures, VPN solutions, and wireless deployment to support a growing organization with minimal operational overhead and high reliability.

Architecture Digest

Background

A large group has expanded its business and facilities, prompting the IT department to plan and build an enterprise-wide information system and IT infrastructure. The plan is divided into two parts: building intelligence for the new offices (video surveillance, access control, cabling, etc.) and the core enterprise IT infrastructure.

Enterprise IT Architecture

The focus of this document is the enterprise IT infrastructure, providing a reference architecture, equipment selection, and deployment guidelines. The business application layer is covered in separate documents.

Network System Planning

Given limited investment and personnel, the network must be mature, stable, secure, highly reliable, and easy to maintain. Key requirements include secure LAN/WAN connectivity, VPN access (IPSec/SSL), browser‑based management, and upgrade‑friendly design. The typical enterprise network topology is shown below.

The planning emphasizes simple management, cost‑effective WAN links, extensive Wi‑Fi coverage, unified communications, bandwidth compression, investment protection, and low‑cost security solutions.

Secure Basic Network Planning – Basic and Advanced Versions

Two solution tiers are offered:

1) Basic Plan

For 200‑300 PCs, the plan uses core switches H3C S5500‑28C‑SI or S5500‑20TP‑SI, access switches H3C S3100‑26TP‑SI or S3100‑52TP‑SI, an Internet edge router H3C MSR20‑1X, and a security gateway Secpath F1000‑C or UTM. The topology is illustrated below.

Features: high cost‑performance, simple installation, high performance (gigabit backbone, 100 Mbps access), and scalability.

2) Advanced Plan

For 500‑800 PCs, the plan uses a three‑layer architecture with a 10 Gbps backbone: H3C S7500 core switches, an aggregation layer of H3C S5500‑28C‑SI, and an access layer of H3C S3100 or S5100 series switches. The topology is shown below.

Features: high performance, high reliability, flexible expansion, efficient bandwidth utilization, comprehensive QoS, and robust security.

Secure Wireless Network Planning

The plan deploys wireless APs (e.g., WA1208E+iMC+CAMS) with 802.1x authentication, centralized management, and support for multiple VLANs, providing wide coverage, high sensitivity, and load balancing. The deployment diagram is below.

WAN Inter‑Site VPN Planning

To connect dispersed branches and partners, a fused VPN solution combines IPSec and SSL on a single device, reducing cost and complexity. H3C firewalls or routers can be used depending on security or multi‑service requirements. The VPN topology is illustrated below.

Additional options include ISP‑provided VPDN or MPLS VPN for low‑rate or multi‑point requirements.

Network Performance Requirements

Performance metrics and diagrams are provided (images omitted for brevity).

Network Security Planning

Security is addressed at multiple layers: boundary protection, intrusion detection, incident response, and segmentation into six security zones (core, security, basic, trusted, dangerous). Strategies include physical isolation of core databases, layered middleware protection, internal LAN antivirus and firewall, encrypted WAN links, and strict data‑center access controls.
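The zone model above can be checked against a firewall rule set before deployment. The following is an added example, not part of the original plan: it uses the zone names listed above, while the address ranges, the rule format, and the policy that traffic may only pass between neighbouring layers are assumptions made for illustration.

```python
import ipaddress

# Zone names are the plan's; the address ranges and the rule that traffic may
# only pass between neighbouring layers are assumptions for this example.
INTERNAL = [  # ordered from most protected to least protected
    ("core", ipaddress.ip_network("10.0.0.0/24")),
    ("security", ipaddress.ip_network("10.0.1.0/24")),
    ("basic", ipaddress.ip_network("10.0.2.0/24")),
    ("trusted", ipaddress.ip_network("10.0.3.0/24")),
]
SUPERNET = ipaddress.ip_network("10.0.0.0/22")  # covers exactly the four zones above
ORDER = [name for name, _ in INTERNAL] + ["dangerous"]


def zones_touched(cidr):
    """Return every zone that a rule's source or destination range can reach."""
    net = ipaddress.ip_network(cidr)
    hit = [name for name, zone in INTERNAL if net.overlaps(zone)]
    if not net.subnet_of(SUPERNET):  # range includes outside addresses
        hit.append("dangerous")
    return hit


def audit(rules):
    """Flag allow rules that let traffic skip a layer between zones."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        for src in zones_touched(rule["src"]):
            for dst in zones_touched(rule["dst"]):
                if abs(ORDER.index(src) - ORDER.index(dst)) > 1:
                    findings.append((rule["name"], src, dst))
    return findings


# Constructed sample rule set, not taken from any real device.
SAMPLE_RULES = [
    {"name": "mw-to-db", "action": "allow", "src": "10.0.1.0/24", "dst": "10.0.0.10/32"},
    {"name": "lan-to-mw", "action": "allow", "src": "10.0.2.0/24", "dst": "10.0.1.0/24"},
    {"name": "vendor-db", "action": "allow", "src": "203.0.113.0/24", "dst": "10.0.0.10/32"},
    {"name": "lan-any", "action": "allow", "src": "10.0.2.0/24", "dst": "10.0.0.0/22"},
    {"name": "drop-rest", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, src, dst in audit(SAMPLE_RULES):
        print(f"{name}: {src} -> {dst} skips a layer")
```

The audit looks at each allow rule on its own and ignores rule ordering, so a finding may already be blocked by an earlier deny; treat the output as a review list rather than a verdict.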

Recommendations for WAN security include enterprise‑grade firewalls (Cisco, Check Point, Juniper, H3C, etc.) and VPN technologies (hardware, software, ISP services). Internal network security measures cover antivirus, web‑filtering, and endpoint protection solutions.

Overall, the plan aims to deliver a secure, reliable, and scalable network infrastructure that supports current operations and future growth while minimizing operational costs.

Written by

Architecture Digest

Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.
