AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt
Search in comments
Filter by Custom Post Type
Posts

The Ideal Network Security Perimeter Design: Part 1 of 3

by

Network Perimeter Security Best Practices

Designing the network security architecture is a task that will never truly be completed because as with many things the network, threats and security tools and processes evolve.

In order to future-proof your design though, you must set a baseline for what you want to protect and then ensure that the design can scale over time. A common failure in designing the network architecture is trying to find the silver bullet that covers everything. The problem here is that the threats you face today may not be the ones you face tomorrow and your network today does not look the same as it will tomorrow.

Think of your network perimeter like a castle during medieval times. You allow people from the outside to see them and you want to make sure you have multiple layers of defense setup behind them in case something fails. Like a medieval castle you have multiple layers of defense to stop an attacker and don’t rely on just walls to prevent attacks. That’s why castles had archers, high walls, big gates, people that dumped flaming hot tar on intruders below and my personal favorite, a moat filled with rabid alligators (if we could only find the cyber equivalent of a rabid alligator we’d all be safe on the internet). Even going back hundreds of years ago people understood the benefits of having security in layers and it’s no different today in information security.  Over the course of this blog series, we’ll examine some tips for improving the design of your network architecture for a more secure perimeter.

Hardening and Configuration

In this part of the architecture, we need to concern ourselves with how we implement our network. It’s here that we start setting up our walls to prevent attackers from gaining access into our precious kingdom and pillaging our citizens (or users). One of the first areas we need to review is the front line – the systems that are actually in place to prevent unauthorized entry. These would be our routers, firewalls, load balancers, etc. Verify that these systems are running the latest and greatest updates and that the configuration on these devices is locked down to only the needed administrators. Since setting up a DMZ in your network is so important we’re going to dedicate an entire blog post just to that (so be patient).

Another thing that needs to be reviewed on these public-facing systems is if they’re resilient enough under attack. Do you have these core, public-facing systems clustered as to not allow an enemy to knock one down and leave you stranded? Just like our castle example, you never see a castle made of paper. They’re made of brick and stone to keep an enemy away and we need to think of this the same way when it comes to routers and firewalls.

One way to limit risk on your perimeter-facing systems is to have a “golden image” of the systems already in place before being sent out to the front line. If you’re using Apache as a web server there should be an image already created of this server that’s been vetted by your information security department. The same thing goes with networking equipment – does the router allow any to telnet to it from the outside (please say no). Also, before putting a system out on the internet make sure that it’s running all the needed security patches and add these to your “golden image”.  Simple things like these suggestions can stop you from being owned. Now that we’ve taken this step, it’s still possible we’ve missed something. Let’s see what others can make of our systems while they’re out on the perimeter trying to peer in.

What Others Can See: The Network Security Firewall Design

We also need to be aware of what others can see and do to our networks from the outside. It’s very important to know what attackers can garner from your organization before they actually use it against you. Like having a lookout on your castle’s towers, we need to be able to understand the threats that are coming and what they are.

  1. Know your weak spots – This is where you can use vulnerability scanning against the network to get a better picture of your security gaps. Knowing where you’re the weakest is a good place to start focusing on before an attacker does the same, and I can promise you an attacker won’t be as gentle.
  2. DDoS protection – This can be from properly configured devices with appropriate amounts of bandwidth, or it could be a cloud service meant to protect your perimeter like a shield.  Depending on how you want to mitigate these attacks, this can be an appliance on premise working with hardened systems to deflect attacks or a cloud-based solution that sits in front of your network.
  3. Educate your workers – Attackers oftentimes leverage public information that’s on the internet about a company to develop more focused attacks. For example, attackers have at their disposal Whois records, job postings with specific skills needed, social media channels where employees have discussed specific systems used in the network, etc. While this doesn’t have to deal with network security architecture, people are an important aspect of security and this is an oftentimes untouched area of security.

In part 2, we’ll examine from a network design perspective the layers needed to keep guard and how to access the network securely.

Subscribe to Blog

Receive notifications of new posts by email.