<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Multi-Site Network Hardening + MFA - Lafontaine Security</title>
<!-- Third-party font dependency: Google Fonts serves user-agent-specific CSS, so subresource
     integrity cannot be applied to this stylesheet. Self-hosting the three font families would
     remove the external origin from the page's trust boundary and allow a strict style-src CSP. -->
<link rel="preconnect" href="https://fonts.googleapis.com" />
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
<link href="https://fonts.googleapis.com/css2?family=Syne:wght@400;600;700;800&family=IBM+Plex+Mono:wght@300;400;500&family=Inter:wght@300;400;500&display=swap" rel="stylesheet" />
<!-- Inline stylesheet (and the inline script at the end of <body>): a CSP without
     'unsafe-inline' would need a nonce or hash for both if one is ever added to this site. -->
<style>
/* Reset and design tokens (colours and font stacks used throughout the page). */
*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
:root {
--bg: #080C10; --surface: #0D1117; --border: #1C2330;
--accent: #00D4FF; --green: #00FF94; --muted: #4A5568;
--text: #E2E8F0; --dim: #8892A4;
--fh: 'Syne', 'Arial Black', sans-serif;
--fm: 'IBM Plex Mono', 'Courier New', monospace;
--fb: 'Inter', 'Helvetica Neue', sans-serif;
}
html { scroll-behavior: smooth; }
body { background: var(--bg); color: var(--text); font-family: var(--fb); font-size: 16px; line-height: 1.6; overflow-x: hidden; }
/* Decorative fixed grid overlay; pointer-events: none keeps it from intercepting clicks. */
body::after { content: ''; position: fixed; inset: 0; background-image: linear-gradient(rgba(0,212,255,0.025) 1px, transparent 1px), linear-gradient(90deg, rgba(0,212,255,0.025) 1px, transparent 1px); background-size: 64px 64px; pointer-events: none; z-index: 0; }
/* Fixed top navigation bar. */
nav { position: fixed; top: 0; left: 0; right: 0; z-index: 200; display: flex; align-items: center; justify-content: space-between; padding: 1.25rem 4rem; background: rgba(8,12,16,0.9); backdrop-filter: blur(14px); border-bottom: 1px solid var(--border); }
.logo { font-family: var(--fh); font-weight: 800; font-size: 1.1rem; letter-spacing: -0.02em; color: var(--text); text-decoration: none; }
.logo span { color: var(--accent); }
.nav-links { display: flex; gap: 2.5rem; list-style: none; }
.nav-links a { font-family: var(--fm); font-size: 0.75rem; color: var(--dim); text-decoration: none; letter-spacing: 0.06em; text-transform: uppercase; transition: color .2s; }
.nav-links a:hover, .nav-links a.active { color: var(--accent); }
.nav-btn { font-family: var(--fm); font-size: 0.75rem; letter-spacing: 0.08em; text-transform: uppercase; color: var(--accent); border: 1px solid var(--accent); padding: 0.5rem 1.25rem; text-decoration: none; transition: background .2s, color .2s; }
.nav-btn:hover { background: var(--accent); color: var(--bg); }
/* Page container; top padding clears the fixed nav. */
main { position: relative; z-index: 1; padding: 9rem 4rem 6rem; max-width: 1100px; margin: 0 auto; }
.breadcrumb { font-family: var(--fm); font-size: 0.72rem; color: var(--dim); margin-bottom: 2rem; display: flex; align-items: center; gap: 0.5rem; }
.breadcrumb a { color: var(--dim); text-decoration: none; transition: color .2s; }
.breadcrumb a:hover { color: var(--accent); }
.breadcrumb span { color: var(--muted); }
/* Case-study header: tag line, title and the four-cell metadata bar. */
.tag-line { font-family: var(--fm); font-size: 0.72rem; color: var(--green); letter-spacing: 0.15em; text-transform: uppercase; display: flex; align-items: center; gap: 0.75rem; margin-bottom: 1rem; }
.tag-line::before { content: ''; width: 1.5rem; height: 1px; background: var(--green); }
h1 { font-family: var(--fh); font-weight: 800; font-size: clamp(2rem, 4vw, 3rem); letter-spacing: -0.03em; line-height: 1.1; margin-bottom: 1.5rem; }
.case-meta-bar { display: grid; grid-template-columns: repeat(4, 1fr); border: 1px solid var(--border); margin-bottom: 3.5rem; }
.meta-cell { padding: 1.25rem 1.5rem; border-right: 1px solid var(--border); }
.meta-cell:last-child { border-right: none; }
.meta-label { font-family: var(--fm); font-size: 0.66rem; color: var(--dim); text-transform: uppercase; letter-spacing: 0.12em; margin-bottom: 0.4rem; }
.meta-val { font-family: var(--fh); font-size: 1rem; font-weight: 700; }
.meta-val.green { color: var(--green); }
.meta-val.accent { color: var(--accent); }
/* Two-column layout: narrative content plus a 300px sidebar. */
.layout { display: grid; grid-template-columns: 1fr 300px; gap: 3rem; align-items: start; }
.content h2 { font-family: var(--fh); font-size: 1.4rem; font-weight: 700; margin: 2.5rem 0 1rem; padding-bottom: 0.5rem; border-bottom: 1px solid var(--border); }
.content h2:first-child { margin-top: 0; }
.content p { color: var(--dim); line-height: 1.8; margin-bottom: 1rem; font-size: 0.97rem; }
.content ul { list-style: none; display: flex; flex-direction: column; gap: 0.5rem; margin-bottom: 1.5rem; }
.content ul li { font-size: 0.92rem; color: var(--dim); display: flex; align-items: flex-start; gap: 0.6rem; line-height: 1.6; }
.content ul li::before { content: '->'; color: var(--accent); flex-shrink: 0; font-family: var(--fm); font-size: 0.8rem; margin-top: 0.1rem; }
.callout { background: var(--surface); border: 1px solid var(--border); border-left: 3px solid var(--accent); padding: 1.25rem 1.5rem; margin: 1.5rem 0; font-size: 0.92rem; color: var(--dim); line-height: 1.7; }
.callout strong { color: var(--text); font-weight: 600; }
/* Terminal-style validation listing; .tc/.tk/.to/.tw colour the comment/key/ok/warn lines. */
.terminal { background: #070b0f; border: 1px solid var(--border); padding: 1.5rem; font-family: var(--fm); font-size: 0.78rem; line-height: 1.85; margin: 1.5rem 0; }
.tbar { display: flex; gap: 0.45rem; margin-bottom: 1.25rem; }
.dot { width: 10px; height: 10px; border-radius: 50%; }
.dr { background: #FF5F57; } .dy { background: #FEBC2E; } .dg { background: #28C840; }
.tc { color: var(--dim); } .tk { color: var(--accent); } .to { color: var(--green); } .tw { color: #FEBC2E; }
/* Firewall-policy grid; the 1px gap over the border colour draws the cell separators. */
.policy-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1px; background: var(--border); border: 1px solid var(--border); margin: 1.5rem 0; }
.policy-cell { background: var(--surface); padding: 1rem 1.25rem; }
.policy-label { font-family: var(--fm); font-size: 0.66rem; color: var(--accent); letter-spacing: 0.1em; text-transform: uppercase; margin-bottom: 0.6rem; }
.policy-items { display: flex; flex-direction: column; gap: 0.3rem; }
.policy-item { font-family: var(--fm); font-size: 0.73rem; color: var(--dim); display: flex; gap: 0.4rem; }
.policy-item::before { content: '[+]'; color: var(--green); flex-shrink: 0; }
/* Sticky sidebar cards (stats, tech stack, compliance tags). */
.sidebar { position: sticky; top: 7rem; display: flex; flex-direction: column; gap: 1.5rem; }
.sidebar-card { border: 1px solid var(--border); background: var(--surface); padding: 1.5rem; }
.sidebar-title { font-family: var(--fm); font-size: 0.68rem; color: var(--accent); letter-spacing: 0.12em; text-transform: uppercase; margin-bottom: 1rem; }
.sidebar-title::before { content: '// '; }
.stat-row { display: flex; align-items: baseline; justify-content: space-between; padding: 0.5rem 0; border-bottom: 1px solid var(--border); }
.stat-row:last-child { border-bottom: none; }
.stat-key { font-family: var(--fm); font-size: 0.74rem; color: var(--dim); }
.stat-val { font-family: var(--fh); font-size: 1rem; font-weight: 700; color: var(--green); }
.tech-tags { display: flex; flex-wrap: wrap; gap: 0.4rem; }
.ttag { font-family: var(--fm); font-size: 0.68rem; color: var(--dim); border: 1px solid var(--border); padding: 0.2rem 0.6rem; }
/* Call-to-action block and page footer. */
.cta-block { background: var(--surface); border: 1px solid var(--border); border-top: 3px solid var(--accent); padding: 2rem; margin-top: 3rem; display: flex; align-items: center; justify-content: space-between; gap: 2rem; flex-wrap: wrap; }
.cta-text h3 { font-family: var(--fh); font-size: 1.15rem; font-weight: 700; margin-bottom: 0.4rem; }
.cta-text p { font-size: 0.9rem; color: var(--dim); }
.btn-fill { font-family: var(--fm); font-size: 0.82rem; letter-spacing: 0.08em; text-transform: uppercase; background: var(--accent); color: var(--bg); padding: 0.9rem 2rem; text-decoration: none; font-weight: 500; transition: opacity .2s; display: inline-block; white-space: nowrap; }
.btn-fill:hover { opacity: .85; }
footer { position: relative; z-index: 1; border-top: 1px solid var(--border); padding: 2.25rem 4rem; display: flex; align-items: center; justify-content: space-between; gap: 1rem; flex-wrap: wrap; }
.foot-logo { font-family: var(--fh); font-weight: 800; font-size: 1rem; color: var(--text); }
.foot-logo span { color: var(--accent); }
.foot-copy { font-family: var(--fm); font-size: 0.7rem; color: var(--muted); }
.foot-links { display: flex; gap: 1.5rem; }
.foot-links a { font-family: var(--fm); font-size: 0.72rem; color: var(--muted); text-decoration: none; transition: color .2s; }
.foot-links a:hover { color: var(--accent); }
/* Scroll-reveal: elements start hidden; the page script adds .show when they scroll into view.
   Without JavaScript every .reveal element stays at opacity 0. */
.reveal { opacity: 0; transform: translateY(18px); transition: opacity .55s ease, transform .55s ease; }
.reveal.show { opacity: 1; transform: none; }
/* Narrow viewports: hide the nav link list, collapse grids to one column, un-stick the sidebar. */
@media (max-width: 960px) {
nav { padding: 1rem 1.5rem; } .nav-links { display: none; }
main { padding: 6rem 1.5rem 4rem; }
.layout { grid-template-columns: 1fr; }
.sidebar { position: static; }
.case-meta-bar { grid-template-columns: 1fr 1fr; }
.policy-grid { grid-template-columns: 1fr; }
footer { flex-direction: column; align-items: flex-start; }
}
</style>
</head>
<body>
<nav>
<a href="index.html" class="logo">Lafontaine<span>Sec</span></a>
<ul class="nav-links">
<li><a href="index.html#services">Services</a></li>
<li><a href="about.html">About</a></li>
<li><a href="case-studies.html" class="active">Work</a></li>
<li><a href="index.html#contact">Contact</a></li>
</ul>
<a href="index.html#contact" class="nav-btn">Get a Quote</a>
</nav>
<main>
<div class="breadcrumb reveal">
<a href="index.html">Home</a><span>/</span>
<a href="case-studies.html">Case Studies</a><span>/</span>
Multi-Site Network Hardening + MFA
</div>
<div class="reveal">
<div class="tag-line">Infrastructure - Network Security</div>
<h1>Multi-Site Network Hardening<br/>+ Duo RADIUS MFA Deployment</h1>
</div>
<div class="case-meta-bar reveal">
<div class="meta-cell"><div class="meta-label">Industry</div><div class="meta-val">Healthcare - Radiology</div></div>
<div class="meta-cell"><div class="meta-label">Sites</div><div class="meta-val accent">8 Sites</div></div>
<div class="meta-cell"><div class="meta-label">MFA Coverage</div><div class="meta-val green">100%</div></div>
<div class="meta-cell"><div class="meta-label">Platform</div><div class="meta-val">Cisco Meraki MX75</div></div>
</div>
<div class="layout">
<div class="content">
<div class="reveal">
<h2>Situation</h2>
<p>A multi-site healthcare organization operated 8 locations with no standardized firewall policy, no MFA enforcement on remote access, and Meraki MX75 appliances deployed in default or minimally configured states. VPN authentication relied on native Meraki Auth with no second factor, and no outbound traffic controls were enforced at any site.</p>
<p>From a HIPAA perspective, the absence of network-level access controls and of a second factor on remote access left the organization short of the Technical Safeguards in §164.312 — specifically the Access Control (§164.312(a)(1)) and Person or Entity Authentication (§164.312(d)) standards. The engagement had two parallel workstreams: standardize and harden the Meraki fleet, and enforce a second authentication factor on VPN access for users on legacy systems that could not participate in Entra ID Conditional Access. Note that push- or passcode-based MFA brokered over RADIUS is not phishing-resistant in the FIDO2/WebAuthn sense: it closes the password-only gap, but should be paired with push-fatigue protections such as Duo Verified Push (number matching) where the Duo edition supports it.</p>
</div>
<div class="reveal">
<h2>Meraki MX75 Hardening</h2>
<p>A hardening template was built and validated on the primary site before replication. This template-first approach ensured that every subsequent site deployment was consistent and documented, reducing configuration drift risk across the fleet.</p>
<div class="policy-grid">
<div class="policy-cell">
<div class="policy-label">L3 Outbound Deny Rules (9 rules; 8 listed below)</div>
<div class="policy-items">
<div class="policy-item">Port 23 — Telnet blocked</div>
<div class="policy-item">Port 25 — SMTP outbound blocked</div>
<div class="policy-item">Port 135 — RPC blocked</div>
<div class="policy-item">Ports 137-139 — NetBIOS blocked</div>
<div class="policy-item">Port 445 — SMB blocked</div>
<div class="policy-item">Port 1080 — SOCKS proxy blocked</div>
<div class="policy-item">Port 3389 — RDP outbound blocked</div>
<div class="policy-item">Port 4444 — Metasploit default listener port blocked (port-specific: an attacker can pick any other port, so a default-deny outbound policy is the stronger control)</div>
</div>
</div>
<div class="policy-cell">
<div class="policy-label">Security Controls</div>
<div class="policy-items">
<div class="policy-item">IDS in Prevention/Security mode (AMP enabled)</div>
<div class="policy-item">Content Filtering — Safe Search enforced</div>
<div class="policy-item">YouTube Strict mode enabled</div>
<div class="policy-item">L7 blocking: Gaming, Sports, Video/Music</div>
<div class="policy-item">L7 blocking: Blogging, Advertising categories</div>
<div class="policy-item">IP spoofing protection enabled</div>
<div class="policy-item">UPnP disabled at all sites</div>
<div class="policy-item">ISP gateway radio disablement documented</div>
</div>
</div>
</div>
<div class="terminal">
<div class="tbar"><div class="dot dr"></div><div class="dot dy"></div><div class="dot dg"></div></div>
<div class="tc"># Hardening validation — primary site</div>
<div> </div>
<div class="to">[OK] L3 outbound deny ruleset — 9 rules active</div>
<div class="to">[OK] IDS mode — Prevention/Security</div>
<div class="to">[OK] AMP — enabled</div>
<div class="to">[OK] Content filtering — Safe Search + YouTube Strict</div>
<div class="to">[OK] L7 policy — 5 categories blocked</div>
<div class="to">[OK] IP spoofing — blocked</div>
<div class="to">[OK] Port forwarding — none configured</div>
<div class="tw">[>>] Replication pending — 6 remaining sites</div>
<div> </div>
<div class="tc"># Template documented and staged for rollout</div>
</div>
<div class="callout"><strong>Template-first approach:</strong> The primary site was fully hardened and validated before replication. This created a tested baseline that could be applied consistently across all remaining sites without per-site guesswork.</div>
</div>
<div class="reveal">
<h2>Hub-and-Spoke AutoVPN Topology</h2>
<p>The organization's multi-site connectivity was restructured around a hub-and-spoke AutoVPN model with centralized DHCP and NAT governance. This simplified routing while improving visibility and control over inter-site traffic. AutoVPN provides the tunnels, not the filtering: spoke-to-hub and spoke-to-spoke flows should still be constrained by explicit site-to-site firewall rules rather than left at the permissive default.</p>
<ul>
<li>Hub site designated as the centralized VPN concentrator for all spoke locations</li>
<li>DHCP reservations managed via Meraki dashboard for all domain-joined desktops — preferred over OS-level static IPs to reduce configuration drift and simplify auditing</li>
<li>NAT governance documented at each site</li>
<li>ISP-provided gateways with wireless radios disabled at all sites to remove an unmanaged wireless entry point (this covers the ISP gateway only; rogue or staff-installed access points still need separate detection)</li>
</ul>
</div>
<div class="reveal">
<h2>Cisco Duo RADIUS MFA Deployment</h2>
<p>The organization's VPN used Meraki Client VPN with native Meraki Auth — no second factor. Legacy clinical systems including PACS workstations could not enroll in Entra ID Conditional Access, meaning standard MFA enforcement left a gap on VPN access from these systems.</p>
<p>The solution was to deploy Cisco Duo RADIUS MFA as an Auth Proxy on a production Ubuntu server, then migrate the Meraki MX75 VPN authentication source from Meraki Auth to RADIUS, routing all authentication through Duo before granting VPN access. Two points to confirm in this design: the Auth Proxy's fail mode when the Duo service is unreachable should be set to fail closed (Duo's default "safe" mode fails open and silently skips the second factor), and the RADIUS shared secret between the MX and the proxy is a credential in its own right — long, random, and rotated like any other shared secret.</p>
<ul>
<li>Duo Auth Proxy 6.6.0 deployed on Ubuntu 24.04 LTS production server</li>
<li>Duo Mobile activated for all VPN users</li>
<li>Meraki MX75 VPN authentication source migrated from Meraki Auth to RADIUS</li>
<li>All VPN authentication now routes through Duo second-factor verification</li>
<li>100% MFA coverage on VPN access, including legacy clinical systems outside Entra CA scope</li>
<li>Compensating control CC-VPN-001 formally closed — satisfied Beazley cyber insurance Q5 requirement</li>
</ul>
<div class="callout"><strong>Why Duo instead of Entra Conditional Access?</strong> Legacy clinical workstations (PACS, MRI modality systems) cannot be enrolled in Intune or participate in Entra ID Conditional Access due to OS version or domain join constraints. Duo RADIUS bridges this gap — any system that can authenticate via RADIUS gets MFA, regardless of OS or enrollment status. The second factor is bound to a named user's Duo Mobile enrollment rather than to the workstation, so the control only holds if shared or generic clinical logins are retired in favor of per-user VPN accounts.</div>
</div>
<div class="reveal">
<h2>Outcomes</h2>
<ul>
<li>100% MFA coverage on VPN access — including all legacy clinical systems outside Entra CA scope</li>
<li>Primary site fully hardened — 9-rule L3 deny ruleset, IDS Prevention, AMP, Content Filtering, L7 blocking</li>
<li>Hardening template documented and validated for consistent rollout across the remaining 6 sites</li>
<li>Hub-and-spoke AutoVPN topology established with centralized DHCP/NAT governance</li>
<li>Beazley cyber insurance Q5 (VPN MFA) satisfied — compensating control formally closed</li>
<li>HIPAA §164.312 Technical Safeguards — network access control and authentication requirements addressed</li>
</ul>
</div>
<div class="cta-block reveal">
<div class="cta-text">
<h3>Need network hardening or MFA deployment?</h3>
<p>This work maps to the Tier 2 Security Hardening engagement. Multi-site Meraki deployments and legacy system MFA are a core specialty.</p>
</div>
<a href="index.html#contact" class="btn-fill">Start a Conversation</a>
</div>
</div>
<div class="sidebar reveal">
<div class="sidebar-card">
<div class="sidebar-title">Engagement Stats</div>
<div class="stat-row"><span class="stat-key">Sites in scope</span><span class="stat-val">8</span></div>
<div class="stat-row"><span class="stat-key">Sites hardened</span><span class="stat-val">2</span></div>
<div class="stat-row"><span class="stat-key">L3 deny rules</span><span class="stat-val">9</span></div>
<div class="stat-row"><span class="stat-key">MFA coverage</span><span class="stat-val">100%</span></div>
<div class="stat-row"><span class="stat-key">Controls closed</span><span class="stat-val">CC-VPN-001</span></div>
</div>
<div class="sidebar-card">
<div class="sidebar-title">Tech Stack</div>
<div class="tech-tags">
<span class="ttag">Cisco Meraki MX75</span>
<span class="ttag">Cisco Duo</span>
<span class="ttag">Ubuntu 24.04 LTS</span>
<span class="ttag">RADIUS</span>
<span class="ttag">AutoVPN</span>
<span class="ttag">Meraki Dashboard</span>
</div>
</div>
<div class="sidebar-card">
<div class="sidebar-title">HIPAA Alignment</div>
<div class="tech-tags">
<span class="ttag">§164.312 Technical Safeguards</span>
<span class="ttag">§164.310 Physical Safeguards</span>
<span class="ttag">§164.312(a)(1) Access Control</span>
</div>
</div>
<div class="sidebar-card">
<div class="sidebar-title">Related Service</div>
<p style="font-size:0.85rem; color:var(--dim); margin-bottom:1rem; line-height:1.6;">This work maps to the Tier 2 Security Hardening engagement.</p>
<a href="index.html#services" style="font-family:var(--fm); font-size:0.75rem; color:var(--accent); text-decoration:none; letter-spacing:0.08em; text-transform:uppercase;">View Services -></a>
</div>
</div>
</div>
</main>
<footer>
<div class="foot-logo">Lafontaine<span>Sec</span></div>
<div class="foot-copy" id="foot-copy"></div>
<div class="foot-links" id="foot-links"></div>
</footer>
<script>
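// Footer copyright line, populated at runtime.
document.getElementById('foot-copy').textContent = '\u00A9 2026 Lafontaine Security LLC \u00B7 Puerto Rico \u00B7 EIN registered';

// Footer link table. `target: '_blank'` marks links that open in a new tab.
var links = [{ text: 'contact@lafontainesec.dev', href: 'mailto:contact@lafontainesec.dev' }, { text: 'LinkedIn', href: 'https://www.linkedin.com/in/yeraylafontaine/', target: '_blank' }, { text: '(787) 988-0646', href: 'tel:+17879880646' }];
var fc = document.getElementById('foot-links');
links.forEach(function(l) {
  var a = document.createElement('a');
  a.textContent = l.text;
  a.href = l.href;
  if (l.target) {
    a.target = l.target;
    // Explicit rel for new-tab links: denies the opened page a window.opener handle
    // (modern browsers imply noopener for _blank, older engines do not) and suppresses Referer.
    a.rel = 'noopener noreferrer';
  }
  fc.appendChild(a);
});

// Scroll-reveal: add .show once at least 6% of a .reveal element is in the viewport.
var obs = new IntersectionObserver(function(entries) {
  entries.forEach(function(entry) {
    if (entry.isIntersecting) entry.target.classList.add('show');
  });
}, { threshold: 0.06 });
document.querySelectorAll('.reveal').forEach(function(el) { obs.observe(el); });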
</script>
</body>
</html>