NORTHSTAR
INFRASTRUCTURE
MODERNIZATION

TEAM

Information Techs of the Round Table (Team 2)

Ian MacDougall, Jacky Gao, Renato Melo, Demita Obazee

CLIENT

NorthStar Insurance Group

ARCHITECTURE OVERVIEW

ZERO-TRUST SEGMENTATION

VLAN 3921: Core Servers
VLAN 3922: Centralized Logs
VLAN 3923: IT Management
VLAN 3924: Sensitive Users
VLAN 3925: General Users
VLAN 3926: Isolated Guest Wi-Fi

Core Stack: Cisco 3750, Proxmox HA, Docker Microservices.

Logical Architecture

Physical Infrastructure

KEY DESIGN DECISIONS

RESILIENCE & EFFICIENCY

CORE REDUNDANCY

L3 Switching + HSRP for seamless active/standby gateway failover.

POINT-TO-POINT

Transit VLANs with /30 links to eliminate Layer 2 loop potential.

CONTAINERIZATION

Docker-hosted Zammad, Reverse Proxy, and VPN gateways to minimize overhead.

SECURITY HARDENING

BUILT-IN PROTECTIONS

LINUX HARDENING

Key-based SSH ONLY
UFW Default-Deny

WINDOWS POLICY

AGDLP Identity Model
12-Char Password GPOs

Zero-Trust Access: Inbound NAT replaced with outbound Cloudflare Zero-Trust Tunnels.

VALIDATION & TESTING

100% BASELINE PASS RATE

HSRP FAILOVER

Simulated core uplink failure; standby took over in < 1s. Only 1 ping lost.

DHCP/DNS HA

Primary DC powered off; secondary handled all traffic seamlessly.

DHCP/DNS Propagation Verified
M365 SSO with MFA Enforcement
Inter-VLAN ACL Blocking Confirmed

OPERATIONAL READINESS

3-2-1 BACKUP STRATEGY

LOCAL RECOVERY

Nightly Proxmox snapshots for immediate state restoration.

IMMUTABLE CLOUD

Encrypted offsite sync to AWS S3/Backblaze via automated rclone scripts.

                    [Documentation Deliverables]: As-Built Diagrams, IP Scheme, Admin Runbooks.
                

LESSONS LEARNED

CHALLENGES & FUTURE

Offline Time Sync: Resolving Stratum mismatch between Windows/Linux.
SSO Proxy Headers: Injecting X-Forwarded-Proto for CSRF resolution.

FUTURE IMPROVEMENT

Migrate single Docker host to a High Availability Docker Swarm cluster to eliminate SPOF.

NORTHSTARINFRASTRUCTUREMODERNIZATION