In October 2019, S5 Technology Group were awarded the contract for the design of MidCoast Council’s Enterprise Network, consisting of WAN, wired and wireless LAN and Network Edge Security.
MidCoast Council is a Local Government entity that was recently formed out of the merger of 3 regional municipal Councils and the region’s water authority. The Council encompasses 195 towns, villages and localities across the 10,000 km² Local Government Area. The four prior entities featured a combined 80 IT-enabled sites with more than 1200 staff.
The project commenced in October 2019 with a detailed discovery of all Council owned assets, including corporate offices, communications towers, libraries, water and waste water treatment plants, waste and recycling facilities.
Design commenced in January 2020 and was completed in June of the same year. The result was a dual vendor solution providing a highly redundant WAN network consisting of the latest Cisco Catalyst Core networking, Cisco Catalyst Access switching, Cisco Catalyst wireless and Cisco ISR border routers. Cisco DNA Center was deployed for management and integrated with Cisco DNA Spaces, with a high availability Cisco Identity Services Engine specified to provide Identity and Access Management. Check Point Software’s Quantum Management and Gateways were selected to provide internet edge security, internal security of corporate infrastructure and assets, and security of SCADA infrastructure. A dual data centre deployment with a dark fibre build to accommodate the disaster recovery and redundancy requirements was also specified. S5 designed a multihomed internet solution and guided MidCoast through the application process to obtain a BGP AS and Class C subnet from APNIC, allowing the Council to go to market for a combination of internet services from different providers to achieve the maximum possible redundancy.
109 switches, 157 Access Points, 79 firewalls and 29 routers were specified.
Notably, the supply included the first Full Stack Security Enterprise License Agreement sold in Australia, Check Point’s Infinity Total Protection Agreement. This agreement provided Council with an ‘all you can eat’ consumption model that included all aspects of Check Point’s infinity solution stack, enabling MidCoast to consume the security products they required, as they required them and to pivot their requirements as needed without any additional budgetary or procurement processes.
WAN Diagram (Obfuscated for Publication)
Following on from the design of their Enterprise Network, MidCoast Council invited S5 to respond to an RFQ for the design of their Compute, Storage, Virtualisation, Backup and Disaster Recovery environment to support the merger. The contract for the design was awarded to S5 in July 2020.
Leveraging the features and redundancies of the Enterprise Network design, S5 specified a vSphere Metro Cluster design across dual data centres, built on Cisco UCS Compute, UCS Fabric Interconnects, Nexus switches and Pure Storage X Series arrays utilising Pure’s ActiveCluster synchronous replication technology. The design spread workloads across datacentres and meant that should Council suffer a DR event, the impacted workloads would be instantly restarted in the surviving datacentre without data loss.
A Veeam Backup and Replication solution was architected to provide backup to Council’s new data centres and the server infrastructure spread throughout Council’s 80+ sites.
Over 600 pages of solution architecture documentation were compiled to this point of the project.
Compute & Storage Diagram (Obfuscated for Publication)
In September 2020, S5 were awarded the contract to supply and implement MidCoast Council’s Data Centre (Compute, Storage, Virtualisation, Backup and Disaster Recovery), an Active/Active vSphere Metro Cluster across Council’s 2 new datacentres located in Taree, and the Enterprise Network and Internet Edge Security for Council’s new Headquarters, so that staff could commence working in the unified working space that had just been refurbished from the former Masters Home Improvement Centre.
Quote – Aaron Beard, Senior Network Administrator, MidCoast Council : “After MidCoast Council’s merge of 3 former councils and 1 water authority, we had a mix of network, server and security topologies used. These were meshed together as best as possible, however, we knew we had to engage an experienced vendor to supply a design that will not only support the move from five existing head offices into one central location, but to also future proof our entire datacentre, network and security infrastructure moving forward, as well as provide substantial speed and reliability improvements whilst realising cost savings for the organisation. S5 have been our trusted vendor in providing all the above and are continually supporting our journey in infrastructure technology, as we strive to also be a leader within the local government technology space.”
Quote – Brett Elliot, Sales Manager, ANZ, Cisco Systems : “Guy and S5 Technology Group have been fantastic to partner with on the MidCoast Council project, they did everything and more that you expect from a Partner. Guy and his team were able to really understand the customer’s business, their challenges and outcomes. Guy and S5 aligned the council’s requirements both technically and financially to enable them to transform the legacy environment seamlessly. This is what makes them a great partner to work with! Thank you for your partnership.”
Quote – Aaron Beard, Senior Network Administrator, MidCoast Council : “Once we had decided that Check Point was the best fit for Council’s security requirements, we had to identify a procurement model that would meet our needs commercially and provide us with the flexibility to pivot our requirements as our needs changed and that would allow us to implement new security technologies as they were required or became available. The ITP ELA significantly reduced Council’s required investment when compared with a typical upfront procurement for the same bill of materials and allowed Council to spread the investment across multiple years under a subscription model.”
Quote: Kaan Uysen, Major Account Manager Australia, Check Point Software : “MidCoast Council needed a solution that was holistic and consistent. Check Point Software provided this in a single pane of glass management and logging platform. Infinity Total Protection provided flexibility in deployments for MidCoast Council. By adopting a consolidated security approach MidCoast Council have achieved increased operational efficiencies and saved on overall security costs.”
The initial phase of this build consisted of:
- 2 x Cisco Catalyst 9500 25/100Gbit Core Switches
- 14 x Cisco Catalyst 9300 UXM UPOE Multigigabit Switches
- 38 x Ultra-High-Density Cisco Catalyst 9130 WiFi 6 Access Points
- Cisco DNA Center Appliance
- High Availability Cisco Identity Services Cluster
- 6 x Cisco UCS C220 Ultra-High Density Rack Mount Servers
- 4 x Cisco Nexus 93180 25/100Gbit Fabric Switches
- 4 x Cisco UCS 6454 Fabric Interconnects
- 2 x Pure Storage X20 Storage Arrays
- vSphere Enterprise Plus with High Availability vCenters
- 2 x Cisco ISR 4331 Routers
- 2 x Check Point Quantum 6600 Plus High Availability Firewalls
- 2 x Check Point Quantum Security Management Servers
- 2 x Check Point Quantum Log Servers
- Check Point Smart Event SIEM and Compliance Server
The deployment was completed in December 2020 with the migration of workloads from Council’s 5 legacy data centres taking place in early January 2021 – just in time for the Council to commence operating following the Christmas / New Year holidays.
Shortly after commencement of operations from the Council’s new headquarters, COVID-19 had become a serious concern in NSW and as a result, the focus shifted from the WAN rollout to enabling Council’s 1200 staff to work from home. Council was perfectly positioned to handle this – with high speed and redundant connectivity to Council’s infrastructure and the Check Point Infinity Total Protection ELA, S5 were able to implement machine certificate authenticated IPsec VPN in a short time frame.
Domain-joined PCs were able to access the corporate network from anywhere, automatically logging on to the Enterprise Network at boot, with users authenticated against Active Directory and receiving group policy and mapped drives as if they were working from the office. The identity-driven security policy deployed within the Check Point firewalls ensured that users only had access to approved resources.
More information on machine certificate VPN and how S5 enables work from home for on-premise domain environments can be found at https://www.s5.technology/hybrid-work-architecture-enabling-the-work-from-home-revolution-without-compromise/.
Quote – Aaron Beard, Senior Network Administrator, MidCoast Council : “The implementation of Council’s new environment commenced under COVID restrictions, however, this significantly ramped up in early 2021 with staff who were capable of doing so, having to work from home. S5 worked closely with our Infrastructure and Endpoint teams to deploy machine certificate authenticated VPN, allowing our corporate devices to be always connected to the corporate network whenever they had an internet connection. This solution worked incredibly well, with users able to work from home with the same experience they would have from within the office. It also significantly reduced support calls to our help desk compared to our previous VPN solutions that would be connected after the user was logged into their device.”
With Council’s hybrid workforce fully operational, focus shifted to building out Council’s WAN Backbone and providing security to Council’s critical infrastructure assets. This involved deploying Catalyst 9300 switch stacks and Check Point firewall clusters to Council’s 12 communications towers. Connectivity between the towers was achieved with Wave1 licensed microwave links, with Cisco’s EIGRP routing protocol chosen to provide unequal cost load balancing and fast convergence across the WAN, ensuring maximum link utilisation, redundancy and fast recovery from network outages.
During the WAN Backbone rollout, Northern NSW experienced a 1 in 100 year flood event which resulted in extensive property damage around Taree, extended power outages and internet outages. Throughout this natural disaster, Council was able to independently operate from each of its Data Centres without data loss or extended service outages. Multihomed internet connectivity ensured that Council’s services and critical infrastructure maintained 100% uptime.
With the WAN backbone for the Northern Region completed, the rollout of remote corporate offices commenced. The corporate sites were deployed to a consistent template with each site featuring Check Point 3600 firewalls, Cisco Catalyst 9300 Switches and Catalyst 9100 series wireless access points.
Network segmentation was deployed to these sites, with IOT, Infrastructure Management, Public Wifi and other ancillary networks secured and routed by the Check Point firewalls. Trusted workstation networks were routed at the Catalyst switches.
Sites directly connected to the WAN backbone via microwave links obtained redundant connectivity to MidCoast infrastructure via route based VPN using a mixture of NBN and cellular internet services. This ensured that MidCoast’s offices remained connected to Council assets in the event of a microwave or major network failure within the WAN backbone. Sites without access to the microwave backbone obtained connectivity via IPsec VPN using a mixture of NBN and cellular internet services.
Harmony Endpoint was deployed to MidCoast’s Endpoint environment to help Council reach compliance with ACSC’s Essential 8 and progress MidCoast towards a Zero Trust architecture whilst maintaining centralised and consolidated logging through a single pane of glass within Check Point’s Smart-1 Management Server.
Cisco Duo was selected for Council’s MFA requirements with initial rollout for VPN access by Council’s SCADA team, followed by deployment across Windows and vSphere server infrastructure. Following the success of initial deployments, Council made the decision to roll out Duo across their entire endpoint fleet. Duo was integrated with Microsoft 365 and third-party Cloud services using SAML authentication, providing a uniform MFA experience for users across all services.
In November 2022, MidCoast sought to upgrade their perimeter firewalls to Check Point’s newly released Quantum Light Speed firewalls, “the world’s fastest firewall”. Two Quantum Lightspeed Firewalls were chosen, each providing 250 Gbps of firewalled throughput, enabling Council to secure not just selected networks and the internet edge but the entire corporate LAN, providing security of east-west traffic within the data centre and corporate network. The Check Point Infinity Total Protection Agreement allowed MidCoast to return their existing Quantum 6600 Plus Firewalls and obtain the Quantum Light Speed Firewalls within the Enterprise Agreement at no additional cost.
Quote – Aaron Beard, Senior Network Administrator, MidCoast Council : “Being able to pivot our requirements through this deployment has been a significant advantage to us. Council operates hundreds of virtual servers as well as a VDI environment, and we wanted to improve the security of this infrastructure without compromising on performance. When Check Point released the new Quantum Light Speed firewalls which were capable of 250Mbps line-rate throughput, we were able to exchange our existing gateways with the new gateways under our ELA without any financial outlay, significantly improving our datacentre security.”
Quote: Rahul Agarwal, Security Engineer, Check Point Software: “Check Point Infinity Total Protection is a security model that provides enterprises with the complete threat prevention they need against multi-vector Gen V cyber-attacks. It does so in a simple, all-inclusive, per-user, per-year subscription offering.
Check Point Infinity Total Protection enables focus on security through multiple layers and select the best product.
Check Point Quantum Lightspeed Next Generation Firewalls are used in the MidCoast head office, with Check Point firewalls in branch offices.
To protect MidCoast Office 365 users, Guy deployed Check Point Harmony Email & Office, a cloud service that prevents attacks on SaaS applications.
Infinity Total Protection is the only subscription offering available today that includes both network security hardware and software, with fully integrated endpoint, cloud, and mobile protections and zero-day threat prevention, together with unified management and 24/7 premium support.”
To close out 2022, MidCoast became one of the early adopters of Check Point’s Security Operations Centre as a Service, Horizon MDR with prepaid Incident Response hours. Horizon MDR provided MidCoast with 24x7x365 monitoring and remediation of security events across all of their security infrastructure and provided coverage for the entire Check Point Infinity Architecture as MidCoast deploy it.
Whilst 2022 closed out the majority of the corporate rollout, the project is still ongoing. To the end of 2022, a total of 58 switches, 12 routers, 72 access points and 36 firewalls have been deployed throughout MidCoast’s WAN.
In 2023, MidCoast are migrating their on-premise Microsoft Exchange server to Microsoft 365, which will be protected by Check Point’s Harmony Email and Collaboration. They are also aiming to have Harmony Mobile rolled out to all iOS and Android devices by year end, reaching their Zero Trust goal.
S5 Technology Group have meanwhile commenced the complex task of designing and implementing MidCoast’s Critical Infrastructure Security at MidCoast’s 32 SCADA plants and 300+ outstation sites, which will see the remaining firewalls, switches and routers from the initial BOM deployed. This design follows the Purdue model and Check Point’s blueprint for ICS and SCADA security.
More information on S5’s approach to SCADA security can be found at https://www.s5.technology/scada-security-design-how-to-secure-ot-ics-network-environments/.
Quote: Leo Lynch, Head of Channels, ANZ, Check Point Software: “Our partner S5 has consistently demonstrated a remarkable level of expertise and knowledge in mapping business needs with the outcome. Their insights and contributions have played a pivotal role in the success of the project implementation of the MidCoast Council.
Moreover, S5’s strong work ethic and reliability have never wavered. They consistently meet deadlines and deliver outstanding results. Their attention to detail and meticulous approach ensures that every task is completed to the highest standard. It’s an absolute pleasure working with Guy and his team. We look forward to continuing our partnership for many years to come.”
Quote: Guy Coble, Principal Architect – Data Centre, Network & Security, S5 Technology Group: “The MidCoast Project was a massive undertaking for Council and our team. This was a multimillion-dollar project that saw numerous firsts in the Australian market.
Council’s devotion to providing its region with first-class government services through the use of industry-leading technology and a true Zero Trust Security Architecture is a testament to MidCoast Council and the forward-thinking of their IT team.”
About S5 Technology Group
S5 Technology Group is an Enterprise System Integrator, Managed Security and Managed Infrastructure Service Provider with offices based in Port Macquarie and Cowra NSW, with a new office in Brisbane opening soon. We support Government, Education and Small to Medium Enterprise customers throughout Australia. Our focus technologies include Enterprise Security, Enterprise Network and Enterprise Data Centre.
Notable Partnerships and Awards:
- Check Point Software: Regional Partner of the Year Australia 2023
- Check Point Software: 4 Star Partner (The first and only in regional Australia)
- Microsoft Specialisation (Formerly Gold) Partner
- Cisco Select Partner