Natalie Timms



Building an Information Security Policy Part 1: Network Devices

In my previous blog I outlined some important business and high-level design considerations for building an effective security policy. Understanding your network topology is key to a good security policy. In a series of blogs, I will reinforce this point by reviewing several technology-focused methodologies for secure network design. In this post, I will cover defining the roles and capabilities of network devices.

A network is built using devices such as routers, switches, firewalls and servers. Optimal configuration and deployment requires a detailed understanding of the role each device will play in connecting users with applications and services securely and efficiently.

User and endpoint roles should be identified and mapped to authentication requirements and access methods. For example:

• Campus-based employees may access the network via wired company-owned devices and are authorized for network access by MAC Authentication Bypass (MAB).

• Mobile employees require 802.1X authentication via wireless network access.

• Guest users with their own wireless devices use Web authentication and are authorized to access a restricted set of resources.

• Branch offices and other remote access users connect via an IPsec VPN with authentication via IKEv2 with RSA signatures or EAP.

• Network administrator groups that require access to subsets of devices authenticate per device and are authorized for specific commands.

After putting together a summary of data requirements similar to the list above, we can then ask some fundamental questions that guide selecting network devices and designing the topology. Some typical considerations are:

• Should wired and wireless connectivity be consolidated on one device?

• Should a user be granted the same level of access regardless of their point of access?

• Is physical and/or logical segmentation of user and group traffic required?

• Should all services be located inside the firewall perimeter or on a DMZ?

• What standalone devices (such as firewalls or IPS sensors) or integrated services devices are needed?

• Should WAN connectivity be provided across a private network or the Internet?

Understanding the services and functions that are important to network users and putting together a topology design defines the security policy elements. Enforcement techniques such as access lists, firewall rules, application-layer attack mitigations, and role-based access controls identify the security feature capabilities needed on network devices. For example, knowing there are Active Directory and AAA servers protected by a firewall suggests that the firewall policy will have to permit the RADIUS, TACACS+ and LDAP protocols.
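As an added example (not from the original post, and not any vendor's tool), the following Python model turns a documented set of data flows into the minimum firewall permits and then audits a draft rule set for gaps and for permits no flow needs; the role names, the topology, the draft rules and the service-to-port mapping (standard IANA assignments) are assumptions constructed for illustration.

```python
# Added example (not from the original post): derive the minimum firewall
# permits from documented data flows, then audit a proposed rule set.
# Ports are the standard IANA assignments; topology and rules are constructed.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst service")
Rule = namedtuple("Rule", "src dst proto port")

SERVICES = {                                     # standard ports per service
    "radius": [("udp", 1812), ("udp", 1813)],    # authentication + accounting
    "tacacs+": [("tcp", 49)],
    "ldap": [("tcp", 389), ("tcp", 636)],        # LDAP + LDAPS
    "https": [("tcp", 443)],
}

FLOWS = [   # constructed topology: who must talk to whom, over which service
    Flow("access_switches", "aaa_server", "radius"),   # MAB / 802.1X
    Flow("wlan_controller", "aaa_server", "radius"),
    Flow("routers", "aaa_server", "tacacs+"),          # per-command admin authz
    Flow("aaa_server", "active_directory", "ldap"),
    Flow("guest_wlan", "web_portal", "https"),         # guest web auth portal
]

def required_rules(flows, services=SERVICES):
    """Expand each flow into the exact (src, dst, proto, port) permits it needs."""
    return {Rule(f.src, f.dst, proto, port)
            for f in flows for proto, port in services[f.service]}

def audit(proposed, flows, services=SERVICES):
    """Return (gaps, excess): gaps are required permits missing from the
    proposal (a service breaks); excess are proposed permits no documented
    flow needs (more than necessary is allowed)."""
    needed, proposed = required_rules(flows, services), set(proposed)
    return sorted(needed - proposed), sorted(proposed - needed)

PROPOSAL = [   # constructed draft: TACACS+ and LDAPS forgotten, one stray permit
    Rule("access_switches", "aaa_server", "udp", 1812),
    Rule("access_switches", "aaa_server", "udp", 1813),
    Rule("wlan_controller", "aaa_server", "udp", 1812),
    Rule("wlan_controller", "aaa_server", "udp", 1813),
    Rule("aaa_server", "active_directory", "tcp", 389),
    Rule("guest_wlan", "web_portal", "tcp", 443),
    Rule("access_switches", "active_directory", "tcp", 389),  # not needed
]

if __name__ == "__main__":
    gaps, excess = audit(PROPOSAL, FLOWS)
    for r in gaps:   print("MISSING  :", r)
    for r in excess: print("UNNEEDED :", r)
```

Running it lists the two forgotten permits (TACACS+ from the routers, LDAPS from the AAA server) and the one permit that no documented flow justifies, which is the review a firewall policy should get before deployment.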

[Read why organizations should focus on proper security design rather than spending a lot on security technology in "Security Needs To Focus On Architecture, Not Products."]

The role the network device will play can also limit some of its feature capabilities. For example, the need for logical partitioning of user group traffic may mandate a multi-context firewall design. This configuration restricts the types of services that can be supported. For instance, it won't provide multicast or dynamic routing support, which indicates the need for additional infrastructure to perform these functions.

Answering questions about scalability and redundancy ensures that the network will be available and will perform predictably. Proper capacity planning allows a network performance baseline to be established, which is critical for recognizing anomalies that may be caused by network attacks.

Understanding data flows dictates device roles and capabilities. This leads to secure configuration and design that permits only what is necessary while at the same time providing optimal network performance and service availability.

In my next post, I will examine security policy considerations for evaluating hardware and selecting software for new and migrating deployments.
