In my previous blog, I discussed key points for the selection of appropriate hardware and software in order to build and maintain an effective security policy. In this post, I will cover security considerations when designing the physical and logical aspects of a network.
Although this seems like basic networking, it is surprising how many organizations do not have a detailed knowledge of the underlying network design, which is essential for troubleshooting. Network devices such as routers, switches, and servers must be secured physically as well as locked down from an authorization and management perspective.
Understanding the physical cabling plan that supports the logical segmentation of the network is critical. Documentation of the physical topology is vital to understanding data flows and troubleshooting connectivity issues. Sometimes what appears to be a configuration error or even a security breach turns out to be the result of incorrect cabling or a bad port on a network device.
In my previous post, I discussed the need to select hardware that provides required scalability and capacity. This is often achieved by distributing load across multiple devices. Physical placement and interconnect to create backup or clustering is just as important as forwarding data. If state sharing is required for high availability, how is this information propagated between devices -- using the same physical path as the data or via separate connections? When overlaying multiple logical data flows over physical media, always ensure there will be adequate capacity and no device restrictions on a port. Map port capabilities to design requirements, for example, trunk versus access ports and routed port versus switch port.
Logical design provides data segmentation, which is the first real step to a secure and resilient network design. Sub-interfaces, VLANs, virtual and tunnel interfaces separate traffic, and also allow various forwarding and security methods to be applied to individual flows.
[Read about a Cisco technology for enforcing identity-based network access in "Cisco Security Group Access: An Introduction."]
Devices such as firewalls and intrusion prevention appliances are physically connected to routers or switches, but logical design identifies firewall contexts and virtual sensors that handle segmented flows. A Web server may be connected to a switch used for externally sourced traffic, however the logical design ensures incoming flows are redirected through a firewall first. Guest data may be separated from employee data using logical separation via VLANs across a switch trunk port.
Virtual data center switch and server access also is a well-known use case based on segmented data flows using logical paths overlaid on physical infrastructure that can be secured individually.
Various logical methods may be applied to enhance network resiliency. A good example of this is grouping several physical interfaces with an EtherChannel. Logical redundancy and resiliency requires its own security methods. For example, redundant paths and layer 2 require Spanning Tree, which in turn can be secured using methods such as BPDU Guard and Root Guard.
Once the design is planned and physically deployed, the next step is to focus on addressing requirements. Addresses and identifiers are the basis for which actual security policy rules and requirements are implemented. In my next post, I will discuss applying identifiers to maintain network segmentation that meet the objectives of the security policy.
Subsea cable alternatives can provide a level of comfort for those concerned about disruptions. Realistically, they will continue to play a small, but critical role in the short term.
Maintaining existing network infrastructures often incurs huge technical debt before newer technologies are adopted over time.
Amid ongoing regional uncertainties, telecom infrastructure in the Middle East has expand to include terrestrial low-latency network infrastructure, which offers resilience and agility in navigating political complexities without relying solely on undersea networks.
