[SOLVED] Dual wan network help

[iampolo]

Sup guys, im in need of some help here.
I work in a hospital, government provides us with a limited network, quite slow, and with a proxy that blocks most of the web. The head of the hospital is asking for better network, so i thought maybe hiring a decent speed ISP, and using both networks. The government one to access work related websites, and the other to access everything elese, maybe limiting the bandwith for youtube and the like.
So the question is, how should i do this? Dual wan router, installing both networks?
Suggestions, ideas? Thanks.
If u need specifications about how the government network is arranged pls do ask.

 

[Ralston18]

That is a broad undertaking.

More information about the current network and network environment is indeed necessary.

Are you in IT? Or one of those technical type employees with another job description yet also gets handed technical issues and problems?

What ideas do you have of your own? Knowing what you are thinking and planning is important because you are "boots on the ground" and have a far greater understanding of the overall hospital and government relationship.

Present your environment, your plan, and ask for comment.

 

[popatim]

The hospital has a whole IT infrastructure to handle this stuff so this is quite unusual IMO. You'll need more then just an ISP, your firewall & security teams will need to be brought on board as well so as not to compromise data which would result in huge fines.

To be blunt, I'm glad to see your willingness to learn but if you're asking this question then you aren't the man for this undertaking (yet) and should just learn as much as you can from those that will set this all up. This will involve your firewall, switches, servers... at minimum.

 

[iampolo]

First of all, thanks for taking your time just reading my post.

Ok so, things are like this.
First and foremost i am in it, but im a software developer, i know some networking but this is clearly beyond me, thats why im asking for some help.
There is no IT office, its just me, and a guy who didnt even study anything computer related, so yeah. The ministry in charge wont help i tried, trust me.

Now im gonna try to explain the environment and stuff. (Im not currently there so im gonna try to map it mentally, bare with me).

So government gives us internet via a ISP, this company installed a Cisco asr920 router, which as i understand its just for them to manage the network. This goes to a catalyst 2960 cg, which goes to the 1941 series where i think the proxy config is installed. So that network goes to a server which runs a software used in the hospital, and also to a switch that distributes the network to most of the hospital.
That is rack 1, which is connected to rack 2 via fiber, rack 2 has another switch that distributes the network even further.

Everything its kind of old (3rd world country), network is 5e, and it was deployed in... 2006 i think.

The main problem is, some services in the hospital need to use websites outside the ones the government proxy enables, also we are recieving 20mbs from them.

As a final note, im sorry if my english its not quite good.

 

[ex_bubblehead]

Are you prepared to handle the can of worms this will open up from a security standpoint? You will have 2 vectors for attackers to exploit, and exploit them they will.

 

[iampolo]

I mean... prepared? Probably not, but i do not really care much, bosses are asking me to give them a solution to the networking problems (with very low budget), so im trying to give them a decent one, then maybe check with someone higher up in the government and ask them if they can give me a hand with the security side of the matter.

 

[bill001g]

It depends on the country. In the USA almost nobody goes near medical stuff without extremely strong IT knowledge. The fines are huge and even IT guys will be threatened with jail terms. Claiming you didn't know about hippa laws tends to not be accepted excuse. Companies that are certified to do this type of work charge extra because of the risks involved with making a mistake.

Still I suspect you have no chance to even think to propose a solution. You would need to be able to get into the equipment and understand the configurations. This is commerical cisco equipment that takes a lot of training to be able to use and configure.

None of the equipment you list can really do proxy functions. A proxy is normally run on a computer type of box. Now the asr might have a firewall module in it, I forget what features that box can have.

Still your first step is to clearly document how things are being done today. You are going to have to make changes to the cisco equipment to make this function the way you want.

 

[iampolo]

I can ask them (ministry it stuff) to do the changes to the cisco equipment if i know what kind of changes i need. If i present them with a decent enough plan to do it, i think they might listen and help.

 

[bill001g]

Any person who has enough knowledge to configure the cisco gear will understand the concept of dual wan. It is a extremely basic concept. Most the effort is going to be in the device you think is running as a proxy. it is this device that needs to decide which connection to use. There are then many ways to actually get the traffic between that device and the internet. Can be done via vlans or physical connections or even simple packet tags in some cases.

It would be better to ask the guys responsible for a solution since they are doing all the work anyway. The general concept is very well known.

 

[failboat]

Two ways worth looking into are

Separate local ips by which wan they use. if no single device needs to use both wans this can work.

separate traffic by destination ip- could be useful if work related traffic only goes to a list of destinations that's easy to compile. then do everything else on the other wan.