Network infrastructure security on a budget


SECURITY OPERATIONS AND STRATEGIES

How to rework your network infrastructure for security


Jennifer Jabbusch, Contributor
07.20.2009




For years, managers and directors have taken the approach of throwing boxes and money at IT problems. In the past, this technique may have produced the result needed, whether in function or in meeting checkbox requirements.

IT security needs pose a slightly different challenge for a secure network infrastructure. Throwing boxes and more stuff at security issues is not sufficient and often leads to a false sense of protection in the organization. In this tip, we'll explore four ways to build a secure network infrastructure by retooling your existing network investments.

  1. Avoid adding complexity to network infrastructure
    In a world where switches and firewalls talk to servers, and endpoints talk to switches, a holistic approach can save money while remaining a sustainable solution for years to come. Security solutions are thorny enough as it is. Don't over-complicate your project by building a house of cards doomed to collapse when the next big storm blows through. Focus on basic staples in the network including switches, centralized authentication, firewalls and UTM devices, patching and reporting, as well as policy management built into your directory services. Layering disparate management, reporting and authentication for access to the LAN, wireless and remote access will quickly result in a train wreck.

  2. Infrastructure must support security layers
    Layering network security on top of an infrastructure not designed to support it is just as ill-advised as building a house on a wobbly foundation. Most organizations don't get the luxury of a fresh start by redesigning the network every couple of years. Even if the hardware is upgraded, chances are slim that the underlying infrastructure design has changed significantly. When these networks were originally provisioned 10 years ago, we weren't planning for bulk wireless authentication or port-based security. Layering LAN-enforced security such as firewalls, IDS/IPS, zoning, NAC, 802.1X, application firewalls or wireless on top of a poorly designed (or out-of-date) network results in poor security policy enforcement, and in leaks that appear when security is compromised for the more immediate need to keep operations running without interruption.

  3. Properly use VLANs and network segmentation
    VLANs and network segmentation are one of the most widely understood but globally misused tools in a network infrastructure. Vendors go out of their way to make plug-and-play solutions to save you the trouble of understanding these key concepts -- often to the detriment of the overall goal. In a recent white paper, we identified four commonly used degrees of VLAN deployment in the network. The use cases ranged from the improper (but common) use of untagged (access) VLAN assignments in a core, with each downlink to edge switches left in the default VLAN, to full VLAN extrusion in multi-VLAN environments, carried through from core to edge and beyond.

    In many cases, what we would normally deem improper use of VLANs may simply be VLANs being used in a way that cannot deliver the desired outcome. For example, if we started with a flat network and wanted to layer in a VoIP network, we would need the ability to carry that VLAN tagging throughout the network. The same goes for wireless, and the greatest impact is often seen with RADIUS-assigned VLANs pushed during NAC, 802.1X or standard RADIUS authentication. If you can't globally push group-based VLAN assignments out to the edge without mucking up your current access rights, then you've landed yourself in quite a mess.

  4. Document network connections, review security policies for leaks
    Don't lock the windows and leave the doors wide open. Big and small, there are a variety of mischievous holes often overlooked in network designs. Searching for holes raises questions. You enabled SSH, but did you lock down the Web access? You recently provisioned secure wireless, but do you still have other devices using legacy WEP keys? Did you know about those two dialup lines coming into the server room? Is your firewall implementing policies across every possible path out of your network? Can you really identify the weakest link in your network?

    As network and security administrators, we worry about data leaks as well as management leaks. We don't want critical data, personally identifiable information or intellectual property seeping out of the network, nor do we want a malicious user to gain unauthorized access to our device management. Finding holes is a tedious undertaking and requires a close look at the network, extremely granular documentation of connections and a review of the security policies and posture of all devices.
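The VLAN consistency problem in item 3 above (a downlink to an edge switch left untagged in the default VLAN, or a group VLAN that RADIUS assigns at the edge but that no trunk actually carries) can be checked mechanically once the switch configurations are in hand. The following Python audit is an added example, not code from the article or from any vendor: the three-switch topology, port names and VLAN numbers are constructed, and the `Port` and `Switch` structures are assumptions standing in for whatever a config parser or NMS export would produce.

```python
"""Audit whether required VLANs are carried consistently from core to edge.

Constructed example: a tiny three-switch topology described as plain
dataclasses, standing in for data pulled from switch configs or an NMS
export. Nothing here is vendor-specific.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    mode: str                        # "access" or "trunk"
    vlan: int = 1                    # access VLAN (access mode) or native VLAN (trunk mode)
    tagged: frozenset = frozenset()  # VLANs carried tagged on a trunk


@dataclass
class Switch:
    name: str
    ports: dict = field(default_factory=dict)  # port name -> Port


# Constructed topology (assumed names and numbers).
CORE = Switch("core1", {
    "te1/1": Port("trunk", vlan=999, tagged=frozenset({10, 20, 30, 40, 41})),
    "te1/2": Port("access", vlan=1),   # downlink left untagged in default VLAN 1
})
EDGE_A = Switch("edge-a", {
    "te1/49": Port("trunk", vlan=999, tagged=frozenset({10, 20, 30, 40})),  # VLAN 41 missing
})
EDGE_B = Switch("edge-b", {
    "te1/49": Port("trunk", vlan=1, tagged=frozenset({10, 20})),
})
# Each link is (switch, port, switch, port).
LINKS = [
    (CORE, "te1/1", EDGE_A, "te1/49"),
    (CORE, "te1/2", EDGE_B, "te1/49"),
]
# VLANs that must reach every edge: voice, wireless, and the group VLANs a
# RADIUS server may assign during 802.1X/NAC authentication.
REQUIRED_VLANS = {20: "voice", 30: "wireless", 40: "staff", 41: "contractors"}


def audit_link(sw_a, port_a, sw_b, port_b, required=REQUIRED_VLANS):
    """Return a list of finding strings for one inter-switch link."""
    a, b = sw_a.ports[port_a], sw_b.ports[port_b]
    link = f"{sw_a.name}:{port_a} <-> {sw_b.name}:{port_b}"
    findings = []
    # An inter-switch link in access mode can only ever carry one VLAN.
    for side, p in ((f"{sw_a.name}:{port_a}", a), (f"{sw_b.name}:{port_b}", b)):
        if p.mode == "access":
            findings.append(f"{side}: inter-switch link is an untagged access port "
                            f"(VLAN {p.vlan}); only one VLAN can cross it")
    if a.mode == "trunk" and b.mode == "trunk":
        if a.vlan != b.vlan:
            findings.append(f"{link}: native VLAN mismatch ({a.vlan} vs {b.vlan}); "
                            f"untagged frames land in different VLANs on each side")
        # Every required VLAN must be tagged on both ends, or an edge port that
        # gets that VLAN assigned by RADIUS has no path back to the core.
        for v, label in sorted(required.items()):
            if v not in a.tagged or v not in b.tagged:
                findings.append(f"{link}: VLAN {v} ({label}) not tagged on both ends; "
                                f"RADIUS/NAC assignment of it will fail at the edge")
        if a.vlan == 1 or b.vlan == 1:
            findings.append(f"{link}: native VLAN is the default VLAN 1; "
                            f"use a dedicated, otherwise unused native VLAN")
    return findings


def audit_topology(links=LINKS):
    """Run audit_link over every documented link and collect the findings."""
    out = []
    for link in links:
        out.extend(audit_link(*link))
    return out


if __name__ == "__main__":
    for finding in audit_topology():
        print("FINDING:", finding)
```

On the constructed topology the audit reports two findings: the core-to-edge-a trunk does not carry the contractors VLAN (41) on the edge side, and the core-to-edge-b downlink is an access port in VLAN 1. Feeding it real data is a matter of replacing the constructed `Switch` objects with the output of your own config parser.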

There is no single tool set that can reproduce the discriminating human review of a secure network infrastructure; however, there are products and resources that provide a good start for documenting, reviewing and searching for holes.
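One way to turn the questions in item 4 (SSH enabled but web access left open, legacy WEP still in use, an undocumented dial-up line, firewall policy missing on one egress path) into a repeatable review is to keep the connection inventory and each device's management posture as data and run the checks over it. The Python below is an added example, not the article's or any product's code; the device and connection records are constructed, and the field and check names are assumptions.

```python
"""Review a documented network inventory for management and data leaks.

Constructed example: the records below stand in for a documented
connection list and per-device management posture, as you would compile
them from configs, a CMDB or a discovery scan.
"""

DEVICES = [
    {"name": "core1",  "mgmt": {"ssh": True, "telnet": False, "http": True,  "https": True}},
    {"name": "edge-a", "mgmt": {"ssh": True, "telnet": True,  "http": False, "https": True}},
    {"name": "wlc1",   "mgmt": {"ssh": True, "telnet": False, "http": False, "https": True},
     "ssids": [{"name": "corp", "security": "WPA2-Enterprise"},
               {"name": "legacy-scanners", "security": "WEP"}]},
]

# Every path that leaves the network, as it should appear in the documentation.
CONNECTIONS = [
    {"id": "isp-primary", "type": "internet", "location": "DMZ rack",    "firewalled": True,  "owner": "netops"},
    {"id": "isp-backup",  "type": "internet", "location": "server room", "firewalled": False, "owner": "netops"},
    {"id": "modem-1",     "type": "dialup",   "location": "server room", "firewalled": False, "owner": None},
    {"id": "site-b-vpn",  "type": "vpn",      "location": "core1",       "firewalled": True,  "owner": "netops"},
]


def review_management(devices):
    """Management-plane leaks: each finding is (device name, description)."""
    findings = []
    for d in devices:
        m = d["mgmt"]
        if m.get("telnet"):
            findings.append((d["name"], "telnet management enabled; credentials cross the wire in clear text"))
        if m.get("http"):
            findings.append((d["name"], "plaintext HTTP management still enabled alongside SSH/HTTPS"))
        if not m.get("ssh") and not m.get("https"):
            findings.append((d["name"], "no encrypted management channel at all"))
        for s in d.get("ssids", []):
            if s["security"].upper() in ("WEP", "OPEN"):
                findings.append((d["name"], f"SSID '{s['name']}' still uses {s['security']}"))
    return findings


def review_connections(connections):
    """Data-path leaks: every way out must sit behind policy and have an owner."""
    findings = []
    for c in connections:
        if not c["firewalled"]:
            findings.append((c["id"], f"{c['type']} path at {c['location']} is not behind firewall policy"))
        if not c.get("owner"):
            findings.append((c["id"], "no documented owner; undocumented paths are the ones nobody reviews"))
    return findings


def weakest_links(devices, connections):
    """Rank assets by finding count so review time goes to the worst first."""
    counts = {}
    for name, _ in review_management(devices) + review_connections(connections):
        counts[name] = counts.get(name, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for name, text in review_management(DEVICES) + review_connections(CONNECTIONS):
        print(f"{name}: {text}")
    print("weakest links:", weakest_links(DEVICES, CONNECTIONS))
```

On the constructed data the undocumented, unfirewalled dial-up modem ranks as the weakest link with two findings; the core switch's leftover HTTP management, the edge switch's telnet, the WEP SSID and the unfirewalled backup ISP link each produce one. The value of the exercise is in the inventory itself: a connection that is not in `CONNECTIONS` is never reviewed, which is the point the article makes about documentation.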

About the author
Jennifer Jabbusch is an infrastructure security consultant with Carolina Advanced Digital, Inc., a security integrator based in North Carolina. She specializes in areas of network security, NAC/NAP, 802.1X and wireless security, and consults for a variety of government agencies, educational institutions and Fortune 100 and 500 corporations. She serves as a contributing SME on access control, business continuity and telecommunications, and lead SME in the cryptography domains of the official (ISC)2 CISSP courseware, and maintains the SecurityUncorked.com blog.

Send comments on this technical tip to: editor@searchmidmarketsecurity.com














All Rights Reserved, Copyright 2009, TechTarget