In my previous blog I outlined some important business and high-level design considerations for building an effective security policy. Understanding your network topology is key to a good security policy. In a series of blogs, I will reinforce this point by reviewing several technology-focused methodologies for secure network design. In this post, I will cover defining the roles and capabilities of network devices.
A network is built using devices such as routers, switches, firewalls and servers. Optimal configuration and deployment requires a detailed understanding of the role each device will play in connecting users with applications and services securely and efficiently.
User and endpoint roles should be identified and mapped to authentication requirements and access methods. For example:
• Campus-based employees may access the network via wired company-owned devices and are authorized for network access by MAC Authentication Bypass (MAB).
• Mobile employees require 802.1X authentication via wireless network access.
• Guest users with their own wireless devices use Web authentication and are authorized to access a restricted set of resources.
• Branch offices and other remote access users connect via an IPsec VPN with authentication via IKEv2 with RSA signatures or EAP.
• Network administrator groups that require access to subsets of devices authenticate per device and are authorized for specific commands.
After putting together a summary of data requirements similar to the list above, we can then ask some fundamental questions that guide selecting network devices and designing the topology. Some typical considerations are:
• Should wired and wireless connectivity be consolidated on one device?
• Should a user be granted the same level of access regardless of their point of access?
• Is physical and/or logical segmentation of user and group traffic required?
• Should all services be located inside the firewall perimeter or on a DMZ?
• What standalone devices such as firewalls or IPS sensors or integrated services devices are needed?
• Should WAN connectivity be provided across a private network or the Internet?
Understanding the services and functions that are important to network users and putting together a topology design defines security policy elements. Enforcement techniques such as access lists, firewall rules, application security attack mitigations, and role-based access controls identify the security feature capabilities needed on network devices. For example, knowing there are Active Directory and AAA servers protected by a firewall suggests that the firewall policy will have to permit RADIUS, TACACS+ and LDAP protocols.
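To make the AD/AAA case concrete, here is an added example (not code from the post or from Cisco) that turns documented data flows into an explicit firewall allow list and flags any rule in an existing policy that no documented flow justifies; the role names and flows are constructed, and the port numbers are the standard ones for each protocol.

```python
"""Derive a least-privilege firewall allow list from documented data flows."""
from dataclasses import dataclass

# Standard ports for the protocols the post names (assumption: default
# ports; adjust if your AAA or directory servers listen elsewhere).
SERVICE_PORTS = {
    "radius": [("udp", 1812), ("udp", 1813)],  # authentication, accounting
    "tacacs+": [("tcp", 49)],
    "ldap": [("tcp", 389), ("tcp", 636)],      # LDAP and LDAP over TLS
}

@dataclass(frozen=True)
class Flow:
    src_role: str   # who initiates, e.g. "access-switches"
    dst_role: str   # who serves, e.g. "aaa-servers"
    service: str    # key into SERVICE_PORTS

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int

def derive_rules(flows):
    """Expand each documented flow into explicit allow rules; the implicit
    policy is to deny everything not listed here."""
    rules = []
    for f in flows:
        if f.service not in SERVICE_PORTS:
            raise ValueError(f"no port mapping documented for {f.service!r}")
        for proto, port in SERVICE_PORTS[f.service]:
            rules.append(Rule(f.src_role, f.dst_role, proto, port))
    return rules

def unjustified_rules(candidate, flows):
    """Return rules in an existing policy that no documented flow requires."""
    justified = set(derive_rules(flows))
    return [r for r in candidate if r not in justified]

# Constructed topology: AD and AAA servers sit behind the firewall.
FLOWS = [
    Flow("access-switches", "aaa-servers", "radius"),   # MAB / 802.1X clients
    Flow("network-devices", "aaa-servers", "tacacs+"),  # per-device admin access
    Flow("aaa-servers", "ad-servers", "ldap"),          # AAA group lookups in AD
]

# Constructed existing policy that also opens LDAP from the whole campus.
CANDIDATE = derive_rules(FLOWS) + [Rule("campus-users", "ad-servers", "tcp", 389)]

if __name__ == "__main__":
    for r in derive_rules(FLOWS):
        print("permit", r)
    print("review:", unjustified_rules(CANDIDATE, FLOWS))
```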
The role the network device will play can also limit some of its feature capabilities. For example, the need for logical partitioning of user group traffic may mandate a multi-context firewall design. This configuration restricts the types of services that can be supported. For instance, it won't provide multicast or dynamic routing support, which indicates the need for additional infrastructure to perform these functions.
Answering questions about scalability and redundancy ensures that the network will be available and will perform predictably. Proper capacity planning allows a network performance baseline to be established, which is critical for recognizing anomalies that may be caused by network attacks.
Understanding data flows dictates device roles and capabilities. This leads to secure configuration and design that permits only what is necessary while at the same time providing optimal network performance and service availability.
In my next post, I will examine security policy considerations for evaluating hardware and selecting software for new and migrating deployments.
Natalie Timms is the former program manager with the CCIE certification team at Cisco, managing exam curriculums and content for the CCIE Security track, and was responsible for introducing Version 4.0 of the exam. Natalie has been involved with computer networking for more ...