Network Installation · Washington DC Metro Area

Secure Broker Office
Network Installation
Washington DC, Virginia & Maryland

This network design is built specifically for stock broker and financial offices that must meet SEC and FINRA compliance standards across Washington DC, Northern Virginia, and Maryland. Broker offices handle sensitive client data, trade records, and remote access — all of which require strict VLAN network segmentation, encrypted VPN access, and audit-ready session logging.

DC Metro IT Help designs and installs this exact setup end to end for broker offices in Alexandria VA, Arlington VA, Fairfax VA, Bethesda MD, Rockville MD, and the entire DMV area — from structured cabling and managed switch configuration to firewall deployment and IP camera systems.

Service areas: Washington DC · Alexandria VA · Arlington VA · Fairfax VA · McLean VA · Tysons VA · Bethesda MD · Rockville MD · Silver Spring MD

Compliance Coverage: SEC · FINRA · SOX Ready
Installation Time: 1–2 Business Days
Service Area: DC · MD · VA
Free Consultation: (202) 810-7755

SECURE NETWORK DESIGN
Stock Broker Office Network
VLAN Segmentation · Firewall Policy · Secure Remote Access

VLAN 10 · CORP · Corporate Wired · 10.10.10.0/24
VLAN 20 · WIFI/AP · WiFi / AP Data · 10.10.20.0/24
VLAN 30 · CAMERAS · Security Cameras · 10.10.30.0/24
VPN · REMOTE · Remote Access · 10.10.99.0/24

NETWORK TOPOLOGY

INTERNET · WAN / ISP · 1.2.3.4 (public)
REMOTE USER · Home / Mobile · VPN Tunnel
NGFW · FIREWALL / UTM · VPN · IPS · SSL Inspect · 10.10.0.1 (LAN)
TRUNK (ALL VLANs)
L3 Managed Switch · 802.1Q Trunk · PoE+ · 10.10.0.2

VLAN 10 · CORPORATE
Trading WS · Wired Gigabit · 10.10.10.10
Admin PC · Wired Gigabit · 10.10.10.11
File Server · Encrypted NAS · 10.10.10.5

VLAN 20 · WIFI/AP
Access Point · Wi-Fi 6 · PoE · 10.10.20.5
Staff Laptop · Wireless Client · 10.10.20.20

VLAN 30 · CAMERAS
NVR Server · Local Record · 10.10.30.5
IP Cameras · PoE · 4K · 10.10.30.10+

🌐 Internet / WAN · CORE INFRA

Connection: Wired Gigabit
IP: Public (assigned by ISP)
Bandwidth: 100 Mbps+ recommended for broker
Failover: Consider LTE backup modem
Protocol: TCP/IP
ISP Type: Fiber preferred (redundancy ideal)
DNS: Use 8.8.8.8 + Cloudflare 1.1.1.1

📋 SETUP STEPS
1. Negotiate a static IP with the ISP (required for inbound VPN).
2. Purchase a business-class SLA (uptime guarantee); trading cannot afford downtime.
3. Consider dual-ISP failover through the NGFW.
4. Document your public IP; it is used in the VPN certificate.


🏠 Remote User (VPN) · VPN

VPN Type: SSL-VPN or IPSec IKEv2
MFA Required: YES (Microsoft Authenticator or Duo)
Split Tunnel: DISABLED (all traffic through FW)
Client Software: FortiClient / Cisco AnyConnect
Tunnel IP Pool: 10.10.99.0/24
Compliance: SEC/FINRA requires an audit trail of remote access

📋 SETUP STEPS
1. Install the VPN client on all broker laptops and home PCs.
2. Require MFA on every connection; never password-only.
3. Set split-tunnel to OFF so all traffic passes through the firewall.
4. Enable session logging; it is required for broker compliance audits.
5. Configure auto-disconnect after 15 min idle.
6. Once connected, use RDP to access the office trading desktop.


🛡️ Next-Gen Firewall (NGFW) · CORE INFRA

Function: Perimeter + inter-VLAN security
Inspection: SSL/TLS deep inspection
WAN IP: Public static (from ISP)
VPN: SSL-VPN + IPSec IKEv2 built-in
IPS: Intrusion Prevention System enabled
LAN IP: 10.10.0.1 (trunk to L3 switch)

📋 SETUP STEPS
1. Configure WAN with the static public IP from the ISP.
2. Set LAN as an 802.1Q trunk port to the L3 managed switch.
3. Create VLAN interfaces: VLAN 10, 20, 30, and VPN pool 99.
4. Enable SSL-VPN with MFA (Duo / Microsoft Authenticator).
5. Apply inter-VLAN firewall policies per the INTER-VLAN FIREWALL POLICY table.
6. Enable the IPS profile and web filter on all outbound traffic.
7. Schedule automated config backups weekly.


🔌 L3 Managed Switch · CORE INFRA

Model: Cisco SG350-28P / Ubiquiti USW-Pro
Uplink: Trunk port → Firewall (all VLANs tagged)
Port Security: MAC address locking per port
VLANs: 802.1Q (VLAN 10, 20, 30 configured)
PoE Budget: 370W+ for APs and cameras
Management IP: 10.10.0.2 (admin access from VLAN 10 only)

📋 SETUP STEPS
1. Connect the uplink port to the firewall LAN and configure it as an 802.1Q trunk (allow VLAN 10, 20, 30).
2. Create VLANs 10, 20, 30 on the switch.
3. Assign trading desktop ports to VLAN 10 (untagged/access mode).
4. Assign AP uplink ports to VLAN 20 (or a tagged trunk if the AP does VLAN tagging).
5. Assign camera/NVR ports to VLAN 30 (access mode).
6. Enable port security: lock each port to its expected MAC address.
7. Disable all unused ports.


🖥️ Trading Workstation · VLAN 10 CORP

VLAN: VLAN 10 (Corporate)
Connection: Gigabit Ethernet, Cat6 cable
Firewall: Windows Defender + endpoint AV
IP: 10.10.10.10 (static, or DHCP reservation in firewall)
OS: Windows 10/11 Pro, fully patched
Remote Access: Accessible via VPN + RDP only

📋 SETUP STEPS
1. Assign static IP 10.10.10.10 on the workstation (or a DHCP reservation in the firewall).
2. Join to a Windows domain or workgroup.
3. Enable Windows Remote Desktop, but ONLY accessible via the VPN tunnel.
4. Install endpoint protection (Malwarebytes, CrowdStrike, or Defender ATP).
5. Enable BitLocker full disk encryption.
6. Configure automatic Windows updates.
7. Install Bloomberg Terminal / trading app only after the above steps.


🖥️ Admin / Back Office PC · VLAN 10 CORP

VLAN: VLAN 10 (Corporate)
Use: Back office, compliance, accounting
Printer: Network printer also on VLAN 10
IP: 10.10.10.11 (static)
File Access: Maps to NAS at 10.10.10.5
Security: Same policy as trading workstation

📋 SETUP STEPS
1. Same hardening steps as the trading workstation.
2. Map a network drive to the NAS: \\10.10.10.5\share.
3. Apply least privilege: only install the apps needed for the role.
4. Enable audit logging; FINRA requires trade-related record keeping.


🗄️ File Server / NAS · VLAN 10 CORP

VLAN: VLAN 10 (Corporate)
Storage: RAID-5 or RAID-6 for redundancy
Access: SMB shares, user-level permissions
IP: 10.10.10.5 (static)
Encryption: AES-256 at-rest encryption
Backup: Daily offsite backup (cloud, encrypted)

📋 SETUP STEPS
1. Mount on VLAN 10 only; no access from VLAN 20 or 30.
2. Configure SMB shares with user-based permissions (not an open share).
3. Enable AES-256 encryption on all volumes.
4. Schedule a daily backup to offsite encrypted cloud storage.
5. Enable audit logging of file access; it is required for compliance.


WiFi 6 Access Point · VLAN 20 WIFI

VLAN: VLAN 20 (WiFi/AP Data)
Standard: 802.11ax (Wi-Fi 6)
Power: PoE+ from managed switch
IP: 10.10.20.5 (DHCP from FW)
SSID: Corp-WiFi (WPA3) + Guest-WiFi (isolated)
Management: Cloud controller or local controller

📋 SETUP STEPS
1. Connect the AP uplink to a switch PoE+ port; no separate power adapter is needed.
2. Configure SSID "Corp-WiFi" tagged to VLAN 20, security WPA3-Enterprise or WPA3-SAE.
3. Configure a separate "Guest" SSID with AP client isolation enabled.
4. Do NOT bridge wireless VLAN 20 to wired VLAN 10; the firewall handles routing.
5. Enable minimum RSSI to prevent sticky clients.
6. Assign a static management IP and restrict the admin panel to VLAN 10 only.


💼 Staff Wireless Laptop · VLAN 20 WIFI

VLAN: VLAN 20 (WiFi)
SSID: Corp-WiFi (WPA3); Guest-WiFi is isolated
Corp Access: DENIED; must use VPN to reach VLAN 10
IP: 10.10.20.20 (DHCP)
Device Policy: MDM enrollment recommended

📋 SETUP STEPS
1. Connect to the "Corp-WiFi" SSID with the WPA3 password.
2. The firewall blocks access to VLAN 10 (trading desktops) from Wi-Fi.
3. If staff need to access a trading desktop from Wi-Fi: enable the VPN client, connect the VPN, then use RDP.
4. Enroll in MDM (Intune or Jamf) to enforce encryption and remote wipe.


📼 NVR (Network Video Recorder) · VLAN 30 CAM

VLAN: VLAN 30 (Cameras)
Storage: 4TB+ HDD, 30-day retention
Remote View: Via VPN only (RTSP stream)
IP: 10.10.30.5 (static)
Internet: BLOCKED by firewall policy
Compliance: Footage recorded locally with 30-day retention; no cloud storage

📋 SETUP STEPS
1. Place the NVR on VLAN 30 only, never on the corp VLAN.
2. Block all internet access from VLAN 30 at the firewall.
3. Configure camera discovery on the VLAN 30 subnet.
4. Enable motion recording, plus continuous recording for entry points.
5. Access via VPN when remote (RTSP on port 554 allowed to VPN users).
6. Consider off-site backup of critical footage clips.


📷 IP Security Cameras · VLAN 30 CAM

VLAN: VLAN 30 (Cameras only)
Power: PoE from managed switch
Protocol: RTSP stream to NVR
IP: 10.10.30.10–.30 (DHCP/static)
Resolution: 4K or 1080p minimum
Internet: BLOCKED, no cloud access

📋 SETUP STEPS
1. Connect each camera to a PoE+ switch port assigned to VLAN 30.
2. Set cameras to DHCP or assign static IPs in the 10.10.30.0/24 range.
3. Never connect cameras to the internet; apply firmware updates manually.
4. Change all default passwords immediately (cameras with default credentials are among the most commonly compromised devices).
5. Point all cameras to the NVR via RTSP for recording.
6. Cover: entry/exit doors, trading floor, server closet.


INTER-VLAN FIREWALL POLICY

SOURCE        DESTINATION   SERVICE      ACTION   REASON
VLAN 10 Corp  Internet      HTTPS, DNS   INSPECT  SSL inspection + DPI for trading traffic
VLAN 10 Corp  VLAN 20 Wifi  All          DENY     Wired corp isolated from wireless clients
VLAN 10 Corp  VLAN 30 Cam   RTSP, HTTP   ALLOW    IT admin can view cameras from corp PC
VLAN 20 Wifi  Internet      HTTPS, DNS   INSPECT  Web filter + content control on Wi-Fi
VLAN 20 Wifi  VLAN 10 Corp  All          DENY     No wireless access to trading desktops
VLAN 30 Cam   Internet      All          DENY     Cameras cannot reach internet (prevents data exfil)
VLAN 30 Cam   VLAN 10 Corp  All          DENY     Camera network cannot touch trading systems
VPN Remote    VLAN 10 Corp  RDP 3389     ALLOW    Remote access to specific desktop only
VPN Remote    VLAN 20 Wifi  All          DENY     VPN users cannot reach wireless VLAN
VPN Remote    VLAN 30 Cam   RTSP         ALLOW    Remote camera monitoring allowed via VPN
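The policy table above as a checkable model. This is an added example, not DC Metro IT Help's firewall configuration: it encodes each row in the page's order with first-match semantics and an implicit final DENY, so any flow the table never lists (VPN to the NAS over SMB, internet straight to RDP) is blocked rather than silently allowed. The zone names, the service-to-port mapping (HTTPS 443, DNS 53, HTTP 80; RTSP 554 and RDP 3389 are on the page) and the audit helper are assumptions of the model; the subnets are the page's own.

```python
import ipaddress

# Subnets the design assigns to each zone; any other address is treated as INTERNET.
ZONES = {
    "VLAN10_CORP": ipaddress.ip_network("10.10.10.0/24"),
    "VLAN20_WIFI": ipaddress.ip_network("10.10.20.0/24"),
    "VLAN30_CAM": ipaddress.ip_network("10.10.30.0/24"),
    "VPN": ipaddress.ip_network("10.10.99.0/24"),
}
# Assumed service-to-port mapping (the page names services; only RDP 3389 and RTSP 554 give ports).
SERVICES = {
    "HTTPS": {("tcp", 443)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "HTTP": {("tcp", 80)},
    "RTSP": {("tcp", 554)},
    "RDP": {("tcp", 3389)},
}
# Rows of the INTER-VLAN FIREWALL POLICY table, in page order: (src, dst, services, action).
POLICY = [
    ("VLAN10_CORP", "INTERNET", ("HTTPS", "DNS"), "INSPECT"),
    ("VLAN10_CORP", "VLAN20_WIFI", ("ANY",), "DENY"),
    ("VLAN10_CORP", "VLAN30_CAM", ("RTSP", "HTTP"), "ALLOW"),
    ("VLAN20_WIFI", "INTERNET", ("HTTPS", "DNS"), "INSPECT"),
    ("VLAN20_WIFI", "VLAN10_CORP", ("ANY",), "DENY"),
    ("VLAN30_CAM", "INTERNET", ("ANY",), "DENY"),
    ("VLAN30_CAM", "VLAN10_CORP", ("ANY",), "DENY"),
    ("VPN", "VLAN10_CORP", ("RDP",), "ALLOW"),
    ("VPN", "VLAN20_WIFI", ("ANY",), "DENY"),
    ("VPN", "VLAN30_CAM", ("RTSP",), "ALLOW"),
]

def zone_of(ip: str) -> str:
    """Return the zone containing ip, or INTERNET if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "INTERNET")

def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Action for one flow: the first matching rule wins; anything unlisted is DENY."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, services, action in POLICY:
        if (rule_src, rule_dst) != (src, dst):
            continue
        if "ANY" in services or any((proto, port) in SERVICES[s] for s in services):
            return action
    return "DENY"  # implicit default deny, e.g. VPN -> NAS over SMB or internet -> RDP

def audit_isolation(src_zone: str, dst_zone: str, ports=(22, 80, 443, 445, 3389)) -> list:
    """TCP ports src_zone can reach in dst_zone under the policy; an empty list means isolated."""
    src, dst = str(ZONES[src_zone][10]), str(ZONES[dst_zone][10])
    return [("tcp", p) for p in ports if evaluate(src, dst, "tcp", p) != "DENY"]
```

Run audit_isolation for every zone pair after any rule change: a non-empty result for VLAN 20 → VLAN 10 or VLAN 30 → VLAN 10 means the segmentation the design relies on has been broken.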

RECOMMENDED EQUIPMENT

Next-Gen Firewall (NGFW) · SECURITY PERIMETER
Handles VPN, inter-VLAN routing, IPS, SSL inspection, and web filtering for compliance.
Options: Fortinet FortiGate 60F · Cisco Meraki MX68 · pfSense+ (budget)

L3 Managed Switch · VLAN SWITCHING · PoE+
802.1Q VLAN tagging, PoE+ to power APs and cameras, port security and MAC filtering.
Options: Cisco SG350-28P · Ubiquiti USW-Pro-24-PoE · Netgear GS748T

WiFi Access Points · VLAN 20 · WIRELESS
Supports multiple SSIDs mapped to VLANs. WPA3 encryption. Cloud-managed for audit trail.
Options: Ubiquiti UAP-U6-Pro · Cisco Meraki MR46 · Aruba AP-615

IP Cameras + NVR · VLAN 30 · SURVEILLANCE
PoE IP cameras on an isolated VLAN. The NVR stores footage locally: no cloud, no data leakage.
Options: Hikvision DS-2CD · Reolink RLK8-800B4 · Ubiquiti UniFi Protect

VPN Solution · REMOTE ACCESS
SSL/IPSec VPN built into the NGFW with MFA (Microsoft Authenticator / Duo). Required for broker compliance.
Options: FortiClient VPN · Cisco AnyConnect · WireGuard (pfSense)

Remote Desktop · RDP / VNC ACCESS
Access office desktops via the VPN tunnel only. Never expose RDP directly to the internet; this is a critical security rule.
Options: Windows RDP · Parsec (low latency) · TeamViewer (backup)

DC Metro IT Help

Expert Network Installation & IT Solutions for
Washington DC, Northern Virginia & Maryland

6399 Little River Turnpike
Alexandria, VA 22312
United States

Mon - Fri: 8:00am - 5:00pm

© All Rights Reserved 2026 | Property of DC Metro IT Help | Alexandria, VA 22312
