Natalie Timms

Building an Information Security Policy Part 1: Network Devices

An effective security policy requires careful planning to ensure the roles and capabilities of routers, switches and firewalls are properly configured.

In my previous blog I outlined some important business and high-level design considerations for building an effective security policy. Understanding your network topology is key to a good security policy. In a series of blogs, I will reinforce this point by reviewing several technology-focused methodologies for secure network design. In this post, I will cover defining the roles and capabilities of network devices.

A network is built using devices such as routers, switches, firewalls and servers. Optimal configuration and deployment requires a detailed understanding of the role each device will play in connecting users with applications and services securely and efficiently.

User and endpoint roles should be identified and mapped to authentication requirements and access methods. For example:

• Campus-based employees may access the network via wired, company-owned devices and are authorized for network access by MAC Authentication Bypass (MAB).

• Mobile employees require 802.1X authentication via wireless network access.

• Guest users with their own wireless devices use Web authentication and are authorized to access a restricted set of resources.

• Branch offices and other remote access users connect via an IPsec VPN with authentication via IKEv2 with RSA signatures or EAP.

• Network administrator groups that require access to subsets of devices authenticate per device and are authorized for specific commands.

After putting together a summary of data requirements similar to the list above, we can then ask some fundamental questions that guide selecting network devices and designing the topology. Some typical considerations are:

• Should wired and wireless connectivity be consolidated on one device?

• Should a user be granted the same level of access regardless of their point of access?

• Is physical and/or logical segmentation of user and group traffic required?

• Should all services be located inside the firewall perimeter or on a DMZ?

• What standalone devices such as firewalls or IPS sensors or integrated services devices are needed?

• Should WAN connectivity be provided across a private network or the Internet?

Understanding the services and functions that are important to network users and putting together a topology design defines security policy elements. Enforcement techniques such as access lists, firewall rules, application security attack mitigations, and role-based access controls identify the security feature capabilities needed on network devices. For example, knowing there are Active Directory and AAA servers protected by a firewall suggests that the firewall policy will have to permit RADIUS, TACACS+ and LDAP protocols.


The role the network device will play can also limit some of its feature capabilities. For example, the need for logical partitioning of user group traffic may mandate a multi-context firewall design. This configuration restricts the types of services that can be supported. For instance, it won't provide multicast or dynamic routing support, which indicates the need for additional infrastructure to perform these functions.

Answering questions about scalability and redundancy ensures that the network will be available and will perform predictably. Proper capacity planning allows a network performance baseline to be established, which is critical for recognizing anomalies that may be caused by network attacks.

Understanding data flows dictates device roles and capabilities. This leads to secure configuration and design that permits only what is necessary while at the same time providing optimal network performance and service availability.
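The two paragraphs above make the same practical point from different angles: the documented data flows (who talks to which protected server, over which protocol) are what justify each firewall rule, and a rule that no flow justifies is exactly the "more than necessary" a secure configuration should not permit. The following Python script is an added example, not code from the original post or from any vendor. It takes a small, constructed flow inventory modelled on the post's AD/AAA scenario (access switches and a WLAN controller using RADIUS for MAB and 802.1X, managed devices using TACACS+ for administrator command authorization, and the AAA server querying Active Directory over LDAPS), expands it into explicit permit rules using the IANA-registered ports for those protocols, audits a hand-written candidate policy for both missing and unjustified entries, and renders the result in ASA-style extended ACL syntax. The host names, subnets and the candidate policy are all assumptions made up for the illustration.

```python
"""Derive and audit least-privilege firewall rules from a documented data-flow inventory.

Added example, not from the original post. Port numbers are the IANA-registered
defaults; every host, subnet and flow below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Registered ports for the protocols the post names as needing to cross the firewall.
SERVICE_PORTS = {
    "radius":  [("udp", 1812), ("udp", 1813)],  # authentication + accounting
    "tacacs+": [("tcp", 49)],
    "ldap":    [("tcp", 389)],
    "ldaps":   [("tcp", 636)],
}

# Constructed address plan (assumption): role name -> network that plays that role.
HOSTS = {
    "access-switches": "10.1.0.0/24",    # wired campus NAS devices (MAB, 802.1X)
    "wlan-controller": "10.1.1.5/32",    # wireless NAS (802.1X, Web auth)
    "managed-devices": "10.1.0.0/16",    # everything admins log in to via TACACS+
    "campus-users":    "10.10.0.0/16",   # employee endpoints
    "aaa-server":      "10.2.0.10/32",   # RADIUS / TACACS+ server behind the firewall
    "ad-server":       "10.2.0.20/32",   # Active Directory behind the firewall
}


@dataclass(frozen=True)
class Flow:
    source: str       # role that initiates the connection
    destination: str  # protected server it must reach
    service: str      # key into SERVICE_PORTS


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int


# Constructed flow inventory: the documented reasons traffic must cross the firewall.
FLOWS = [
    Flow("access-switches", "aaa-server", "radius"),   # MAB and wired 802.1X
    Flow("wlan-controller", "aaa-server", "radius"),   # wireless 802.1X
    Flow("managed-devices", "aaa-server", "tacacs+"),  # per-command admin authorization
    Flow("aaa-server", "ad-server", "ldaps"),          # AAA server looks users up in AD
]


def unknown_services(flows):
    """Return services referenced by the inventory that have no documented port mapping."""
    return sorted({f.service for f in flows if f.service not in SERVICE_PORTS})


def rules_from_flows(flows, hosts=HOSTS):
    """Expand each documented flow into explicit permit rules.

    An undocumented service is an error rather than an implicit 'permit any':
    the policy should contain nothing the inventory cannot justify.
    """
    unknown = unknown_services(flows)
    if unknown:
        raise ValueError(f"undocumented services in flow inventory: {unknown}")
    rules = []
    for f in flows:
        for proto, port in SERVICE_PORTS[f.service]:
            rules.append(Rule(hosts[f.source], hosts[f.destination], proto, port))
    return rules


def audit(candidate_rules, flows, hosts=HOSTS):
    """Compare a hand-written policy against the rules the inventory justifies.

    'missing' are flows the policy would break; 'unjustified' are permits with
    no documented flow behind them (the 'more than necessary' to remove).
    """
    required = set(rules_from_flows(flows, hosts))
    candidate = set(candidate_rules)
    return {
        "missing": sorted(required - candidate, key=str),
        "unjustified": sorted(candidate - required, key=str),
    }


def render_acl(rules, name="inside_in"):
    """Render rules as ASA-style extended ACL lines (network/mask form), ending in an explicit logged deny."""
    lines = []
    for r in rules:
        s, d = ip_network(r.src), ip_network(r.dst)
        lines.append(
            f"access-list {name} extended permit {r.proto} "
            f"{s.network_address} {s.netmask} {d.network_address} {d.netmask} eq {r.port}"
        )
    lines.append(f"access-list {name} extended deny ip any any log")
    return lines


# Constructed candidate policy (assumption): someone wrote it by hand and got two things wrong.
CANDIDATE_POLICY = [
    Rule("10.1.0.0/24", "10.2.0.10/32", "udp", 1812),
    Rule("10.1.0.0/24", "10.2.0.10/32", "udp", 1813),
    Rule("10.1.1.5/32", "10.2.0.10/32", "udp", 1812),
    Rule("10.1.1.5/32", "10.2.0.10/32", "udp", 1813),
    Rule("10.1.0.0/16", "10.2.0.10/32", "tcp", 49),
    Rule("10.10.0.0/16", "10.2.0.20/32", "tcp", 389),  # users straight to AD: no flow justifies this
    # LDAPS from the AAA server to AD was forgotten entirely.
]

if __name__ == "__main__":
    report = audit(CANDIDATE_POLICY, FLOWS)
    print("missing:", *report["missing"], sep="\n  ")
    print("unjustified:", *report["unjustified"], sep="\n  ")
    print("\n".join(render_acl(rules_from_flows(FLOWS))))
```

Running the script prints the one forgotten LDAPS permit, the one users-to-AD permit that nothing in the inventory justifies, and the six-line ACL (plus the deny) the inventory does justify. Keeping the inventory as data and generating the policy from it makes the review question concrete for every line in the firewall: which documented flow is this rule for?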

In my next post, I will examine security policy considerations for evaluating hardware and selecting software for new and migrating deployments.
