Building An Information Security Policy Part 3: Logical And Physical Design

In my previous blog, I discussed key points for the selection of appropriate hardware and software in order to build and maintain an effective security policy. In this post, I will cover security considerations when designing the physical and logical aspects of a network.

Although this seems like basic networking, it is surprising how many organizations do not have a detailed knowledge of the underlying network design, which is essential for troubleshooting. Network devices such as routers, switches, and servers must be secured physically as well as locked down from an authorization and management perspective.

Understanding the physical cabling plan that supports the logical segmentation of the network is critical. Documentation of the physical topology is vital to understanding data flows and troubleshooting connectivity issues. Sometimes what appears to be a configuration error or even a security breach turns out to be the result of incorrect cabling or a bad port on a network device.

In my previous post, I discussed the need to select hardware that provides required scalability and capacity. This is often achieved by distributing load across multiple devices. Physical placement and interconnect to create backup or clustering is just as important as forwarding data. If state sharing is required for high availability, how is this information propagated between devices -- using the same physical path as the data or via separate connections? When overlaying multiple logical data flows over physical media, always ensure there will be adequate capacity and no device restrictions on a port. Map port capabilities to design requirements, for example, trunk versus access ports and routed port versus switch port.

Logical design provides data segmentation, which is the first real step to a secure and resilient network design. Sub-interfaces, VLANs, virtual and tunnel interfaces separate traffic, and also allow various forwarding and security methods to be applied to individual flows.

[Read about a Cisco technology for enforcing identity-based network access in "Cisco Security Group Access: An Introduction."]

Devices such as firewalls and intrusion prevention appliances are physically connected to routers or switches, but logical design identifies firewall contexts and virtual sensors that handle segmented flows. A Web server may be connected to a switch used for externally sourced traffic, however the logical design ensures incoming flows are redirected through a firewall first. Guest data may be separated from employee data using logical separation via VLANs across a switch trunk port.

Virtual data center switch and server access also is a well-known use case based on segmented data flows using logical paths overlaid on physical infrastructure that can be secured individually.

Various logical methods may be applied to enhance network resiliency. A good example of this is grouping several physical interfaces with an EtherChannel. Logical redundancy and resiliency requires its own security methods. For example, redundant paths and layer 2 require Spanning Tree, which in turn can be secured using methods such as BPDU Guard and Root Guard.

Once the design is planned and physically deployed, the next step is to focus on addressing requirements. Addresses and identifiers are the basis for which actual security policy rules and requirements are implemented. In my next post, I will discuss applying identifiers to maintain network segmentation that meet the objectives of the security policy.