Can you offer some basic tips for improving our network security design? We're trying to revamp our overall security program, starting with the network, and we're looking for some help in the design aspect to coincide with a network equipment refresh. Are there any design elements that we should consider for the sake of security? Or steps we should follow while
This is a great question and one that requires some serious planning and review before you start your network equipment refresh. I highly recommend that you come up with a secure network design first, and then fill it with the technology you need. That said, here are a few areas to consider for your network design and refresh:
Segmentation: The segmentation of systems based upon their function and the sensitivity of the data they store, process and transmit is an important step. One common example of segmentation is taking all of the systems that require access from the Internet and placing them into a demilitarized zone (DMZ) that isolates them from more sensitive systems. An intruder who exploits a vulnerability and gains access to one of these exposed systems will be unable to leverage that access to gain a foothold on more sensitive systems that are on the internal network. You may also use virtual LANs (VLANs) to segment systems on your internal network from each other, limiting their access and providing protection against eavesdropping.
Monitoring tools: Using network monitoring tools to defend your network is extremely important. Intrusion detection systems (IDS), data loss prevention systems (DLP) and database access monitoring (DAM) can help protect the network by preventing malicious traffic from entering choke points. These systems can also alert administrators in near real time to issues occurring within the network. Additionally, you may want to consider a technology purchase in the increasingly popular area of advanced malware detection -- vendors in this market include FireEye, Damballa, Invincea and ThreatTrack.
Encryption: Encryption should be used whenever possible to protect data (at rest and in transit) and the network. The proper use of encryption technology ensures that an attacker who manages to gain access to your data will be unable to read it without also gaining access to the corresponding decryption key. For this reason, you should employ secure key management practices to ensure that an intruder who gains access to your system does not also gain access to the keys. For example, it would not be a wise practice to store a copy of the decryption key in plain text on the same server where the encrypted data is stored.
Log, log, log: Make sure that you're logging everything you possibly can. During an audit, investigation or breach, it's always better to have more data than less. Verify that the proper level of auditing is turned on and that you're not just grabbing system logs. Use a security incident event management (SIEM) program to correlate the collected logs for attacks, issues and events. This is a huge part of any security architecture and needs to be done. Naturally, there will be network storage implications too, so bear that in mind.
Networks are among the most critical technology assets of any organization. You should design your network in a manner that eliminates or minimizes single points of failure. For example, critical network routers should use high availability pairs configured such that one router can assume the entire network load if the other fails.
Focus on these four areas first while designing a secure network. There are other technologies and design topics that could be discussed, but these are the fundamentals and should be a priority.
Editor's note: SearchSecurity.com expert Mike Chapple contributed to this article.
This was first published in May 2013
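As an added illustration of the segmentation advice above (not part of the original article), the following Python sketch audits a firewall rule set for rules that weaken the DMZ/internal boundary. The zone address ranges, rule names and rule format are constructed for the example, and each rule is judged on its own rather than by first-match order.

```python
import ipaddress

# Constructed zone map (assumption): address ranges are illustrative only.
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "internal": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed rule set: (name, source, destination, port, action).
RULES = [
    ("web-in", "0.0.0.0/0", "10.10.0.0/24", 443, "allow"),
    ("app-to-db", "10.10.0.15/32", "10.20.5.10/32", 5432, "allow"),
    ("dmz-any", "10.10.0.0/24", "10.20.0.0/16", None, "allow"),
    ("legacy-rdp", "0.0.0.0/0", "10.20.8.0/24", 3389, "allow"),
    ("dmz-block", "10.10.0.0/24", "10.20.0.0/16", None, "deny"),
]

def zone_of(cidr):
    """Return the zone that fully contains cidr, or 'internet' otherwise."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"

def audit(rules):
    """Flag allow rules that weaken the DMZ / internal boundary."""
    findings = []
    for name, src, dst, port, action in rules:
        # Only allow rules whose destination is the internal zone matter here.
        if action != "allow" or zone_of(dst) != "internal":
            continue
        src_zone = zone_of(src)
        if src_zone == "internet":
            findings.append((name, "internet reaches internal zone directly"))
        elif src_zone == "dmz":
            src_net = ipaddress.ip_network(src)
            dst_net = ipaddress.ip_network(dst)
            if port is None:
                findings.append((name, "DMZ to internal on all ports"))
            elif src_net.num_addresses > 1 or dst_net.num_addresses > 1:
                findings.append((name, "DMZ to internal rule is not host-to-host"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(RULES):
        print(f"{name}: {reason}")
```

The single host-to-host database rule passes, while the all-ports DMZ rule and the Internet-to-internal rule are reported as segmentation gaps.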