Security places a different kind of demand on a network infrastructure than connectivity does. Throwing more boxes and appliances at security problems is not sufficient, and it often leaves the organization with a false sense of protection. In this tip, we'll explore four ways to build a secure network infrastructure by retooling your existing network investments.
- Avoid adding complexity to network infrastructure
In a world where switches and firewalls talk to servers, and endpoints talk to switches, a holistic approach can save money while remaining a sustainable solution for years to come. Security solutions are thorny enough as it is. Don't over-complicate your project by building a house of cards doomed to collapse when the next big storm blows through. Focus on the basic staples of the network: switches, centralized authentication, firewalls and UTM devices, patching and reporting, and policy management built into your directory services. Layering disparate management, reporting and authentication systems for LAN, wireless and remote access will quickly become unmanageable.
- Infrastructure must support security layers
Layering network security on top of an infrastructure not designed to support it is just as ill-advised as building a house on a wobbly foundation. Most organizations don't get the luxury of a fresh start by redesigning the network every couple of years. Even if the hardware is upgraded, chances are slim that the underlying infrastructure design has changed significantly. When these networks were originally provisioned 10 years ago, we weren't planning for bulk wireless authentication or port-based security. Layering LAN-enforced security such as firewalls, IDS/IPS, zoning, NAC, 802.1X, application firewalls or wireless on top of a poorly designed (or out-of-date) network results in weak policy enforcement, and in leaks that appear whenever security is compromised for the more immediate need to keep operations running without interruption.
- Properly use VLANs and network segmentation
VLANs and network segmentation are among the most widely understood but most commonly misused tools in a network infrastructure. Vendors go out of their way to make plug-and-play solutions that save you the trouble of understanding these key concepts, often to the detriment of the overall goal. In a recent white paper, we identified four commonly used degrees of VLAN deployment. The use cases ranged from the improper (but common) use of untagged (access) VLAN assignments in the core, with each downlink to the edge switches left in the default VLAN, all the way to multi-VLAN environments in which tagged VLANs are carried end to end, from core to edge and beyond.
In many cases, what we would normally deem improper use of VLANs is simply VLANs being pressed into service for an outcome they were never provisioned for. For example, if we started with a flat network and wanted to layer in a VoIP network, we would need the ability to carry that VLAN tag throughout the network. The same goes for wireless, and the greatest impact is usually seen with RADIUS-assigned VLANs pushed during NAC, 802.1X or standard RADIUS authentication: the VLAN the server hands back is useless if the trunks between the core and the authenticating edge port do not carry it. If you can't push group-based VLAN assignments out to the edge globally without breaking your current access rights, you've landed yourself in quite a mess.
- Document network connections, review security policies for leaks
Don't lock the windows and leave the doors wide open. Holes big and small are routinely overlooked in network designs, and searching for them raises questions. You enabled SSH, but did you lock down the Web access? You recently provisioned secure wireless, but do you still have other devices using legacy WEP keys? Did you know about those two dialup lines coming into the server room? Is your firewall enforcing policy across every possible path out of your network? Can you really identify the weakest link in your network?
As network and security administrators, we worry about management leaks as well as data leaks. We don't want critical data, personally identifiable information or intellectual property seeping out of the network, nor do we want a malicious user gaining unauthorized access to our device management. Finding holes is a tedious undertaking and requires a close look at the network, extremely granular documentation of connections and a review of the security policies and posture of every device.
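Several of the questions above can be put to a device's running configuration directly. The audit below is an added example, not the author's tool or any product mentioned on the page: it parses two constructed IOS-style configs (hostnames, addresses and SNMP communities are invented) and flags the specific leaks the text asks about, such as HTTP management left enabled beside SSH, management interfaces reachable from any source, legacy WEP on a radio, a modem on the auxiliary line that bypasses the firewall, and telnet still permitted on the vty lines. The tightened config shows the same device with those doors closed.

```python
"""Audit IOS-style configs for management leaks and side doors.

Added example; hostnames, addresses and communities are invented. The checks
mirror the questions in the text: web access left open next to SSH, legacy
WEP, modems on auxiliary lines, and management reachable from anywhere.
"""
import re

# Constructed, deliberately leaky config.
LEAKY = """
hostname edge-rtr
ip http server
snmp-server community public RO
snmp-server community private RW
interface Dot11Radio0
 ssid corp-legacy
 encryption mode wep mandatory
line con 0
line aux 0
 modem inout
 speed 115200
line vty 0 4
 transport input ssh telnet
 login local
"""

# The same device after the holes are closed (also constructed).
TIGHTENED = """
hostname edge-rtr
no ip http server
ip http secure-server
ip http access-class 10
snmp-server community s3cr3t-ro RO 20
access-list 10 permit 10.0.100.0 0.0.0.255
access-list 20 permit host 10.0.100.5
interface Dot11Radio0
 ssid corp
 encryption mode ciphers aes-ccm
line con 0
line aux 0
 no exec
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""


def parse(config):
    """Split a config into global statements and (header, body) sub-mode blocks."""
    glob, blocks, current = [], [], None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        elif raw.startswith(("line ", "interface ")):
            current = (raw.strip(), [])
            blocks.append(current)
        else:
            current = None
            glob.append(raw.strip())
    return glob, blocks


def audit(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    glob, blocks = parse(config)
    findings = []
    http_on = "ip http server" in glob
    https_on = "ip http secure-server" in glob
    if http_on and not https_on:
        findings.append("web: cleartext HTTP management enabled, HTTPS is not")
    if (http_on or https_on) and not any(l.startswith("ip http access-class") for l in glob):
        findings.append("web: management UI reachable from any source (no ip http access-class)")
    for l in glob:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", l)
        if not m:
            continue
        community, mode, acl = m.groups()
        if mode == "RW":
            findings.append(f"snmp: writable community '{community}'")
        if community in ("public", "private"):
            findings.append(f"snmp: well-known community '{community}'")
        if acl is None:
            findings.append(f"snmp: community '{community}' accepted from any source")
    for header, body in blocks:
        words = {w for l in body for w in l.split()}
        if header.startswith("line vty"):
            for l in body:
                if l.startswith("transport input") and {"telnet", "all"} & set(l.split()):
                    findings.append(f"{header}: telnet permitted ({l})")
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{header}: no access-class, CLI reachable from any source")
        elif header.startswith(("line aux", "line tty")) and "modem" in words:
            findings.append(f"{header}: modem configured, a dial-in path that bypasses the firewall")
        elif header.startswith("interface Dot11Radio") and "wep" in words:
            findings.append(f"{header}: legacy WEP still in use")
    return findings


if __name__ == "__main__":
    for label, cfg in (("leaky", LEAKY), ("tightened", TIGHTENED)):
        print(label, audit(cfg) or ["no findings"])
```

Running it over a directory of backed-up configs turns "did you know about those two dialup lines?" into a question the review answers the same way every time; the checks are deliberately narrow string matches so that a false positive is easy to trace back to the line that caused it.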
There is no single tool set that can reproduce the discriminating human review of a secure network infrastructure; however, there are products and resources that provide a good start for documenting, reviewing and searching for holes.
About the author
Jennifer Jabbusch is an infrastructure security consultant with Carolina Advanced Digital, Inc., a security integrator based in North Carolina. She specializes in areas of network security, NAC/NAP, 802.1X and wireless security, and consults for a variety of government agencies, educational institutions and Fortune 100 and 500 corporations. She serves as a contributing SME on access control, business continuity and telecommunications, and lead SME in the cryptography domains of the official (ISC)2 CISSP courseware and maintains SecurityUncorked.com blog.
This was first published in July 2009