Building An Information Security Policy Part 3: Logical And Physical Design

Careful crafting of the logical and physical aspects of a network is essential for an effective security policy.

Natalie Timms

March 19, 2014

3 Min Read
Network Computing logo

In my previous blog, I discussed key points for the selection of appropriate hardware and software in order to build and maintain an effective security policy. In this post, I will cover security considerations when designing the physical and logical aspects of a network.

Although this seems like basic networking, it is surprising how many organizations do not have a detailed knowledge of the underlying network design, which is essential for troubleshooting. Network devices such as routers, switches, and servers must be secured physically as well as locked down from an authorization and management perspective.

Understanding the physical cabling plan that supports the logical segmentation of the network is critical. Documentation of the physical topology is vital to understanding data flows and troubleshooting connectivity issues. Sometimes what appears to be a configuration error or even a security breach turns out to be the result of incorrect cabling or a bad port on a network device.

In my previous post, I discussed the need to select hardware that provides required scalability and capacity. This is often achieved by distributing load across multiple devices. Physical placement and interconnect to create backup or clustering is just as important as forwarding data. If state sharing is required for high availability, how is this information propagated between devices -- using the same physical path as the data or via separate connections? When overlaying multiple logical data flows over physical media, always ensure there will be adequate capacity and no device restrictions on a port. Map port capabilities to design requirements, for example, trunk versus access ports and routed port versus switch port.

Logical design provides data segmentation, which is the first real step to a secure and resilient network design. Sub-interfaces, VLANs, virtual and tunnel interfaces separate traffic, and also allow various forwarding and security methods to be applied to individual flows.

[Read about a Cisco technology for enforcing identity-based network access in "Cisco Security Group Access: An Introduction."]

Devices such as firewalls and intrusion prevention appliances are physically connected to routers or switches, but logical design identifies firewall contexts and virtual sensors that handle segmented flows. A Web server may be connected to a switch used for externally sourced traffic, however the logical design ensures incoming flows are redirected through a firewall first. Guest data may be separated from employee data using logical separation via VLANs across a switch trunk port.

Virtual data center switch and server access also is a well-known use case based on segmented data flows using logical paths overlaid on physical infrastructure that can be secured individually.

Various logical methods may be applied to enhance network resiliency. A good example of this is grouping several physical interfaces with an EtherChannel. Logical redundancy and resiliency requires its own security methods. For example, redundant paths and layer 2 require Spanning Tree, which in turn can be secured using methods such as BPDU Guard and Root Guard.

Once the design is planned and physically deployed, the next step is to focus on addressing requirements. Addresses and identifiers are the basis for which actual security policy rules and requirements are implemented. In my next post, I will discuss applying identifiers to maintain network segmentation that meet the objectives of the security policy.

About the Author(s)

Natalie Timms

nullNatalie Timms is the former program manager with the CCIE certification team at Cisco, managing exam curriculums and content for the CCIE Security track, and was responsible for introducing Version 4.0 of the exam. Natalie has been involved with computer networking for more than 20 years, much of which was spent with Cisco in various roles: field sales specialist, product manager and software engineer. Natalie has contributed at the IETF standards level and has written many white technical papers and is also a Cisco Press author. Natalie is a US patent holder and has a CCIE Security Certification as well as a BSc in Computing Science and Statistics from Macquarie University in Sydney, Australia. Natalie moved to the US in 1995 and after meeting her husband in the local Cisco office, has called Seattle home.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights