AlgoBuzz Blog

The Ideal Network Security Perimeter Design: Part 2 of 3

In our first blog on ideal network security perimeter design, we looked at how to harden and configure your network and at understanding what outsiders can see. In part 2 we’ll examine the numerous layers in a sound network security perimeter design and how to enable access for authorized personnel.

Keeping Guard

No matter how hard you try to stop an adversary, one is going to slip by your well-planned network. Within the perimeter there are tools that can help us proactively block these threats if they’re found (this doesn’t mean they’ll catch all of them, but that’s why we have layers). Let’s take a look at these tools and where they are layered in:

  • A popular tool that’s making its way into the perimeter is cloud-based malware detection. These tools scan data as it passes through the firewall or routers and filter out suspicious traffic entering your network. Unlike appliance-based solutions, this sits outside your architecture, so traffic is analyzed before it hits your network.
  • The traditional first line of defense against attacks is the firewall, which is configured to allow or deny traffic by source/destination IP, port or protocol. It’s very binary: either traffic is allowed or it’s blocked based on these variables.
  • If an attack is leveraging one of those allowed firewall rules, you had better have the next layer on the perimeter: a well-tuned and monitored IPS. Having the IPS well-tuned and watched by the security team is the way to catch those sneaky intruders that have slipped past the first castle wall and are now within the perimeter.
  • In some organizations these layers are merging with the advent of the next-generation firewall (NGFW), which gives you the ability to integrate layer 2 and layer 3 technologies if needed and to review more traffic at the application layer.
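To make the "binary firewall, then IPS" layering concrete, here is a small added example (not code from the AlgoBuzz post or from AlgoSec): a first-match 5-tuple firewall policy followed by a payload signature check on the flows the firewall allowed. The addresses, rules and signature patterns are constructed for illustration; a flow on an allowed port that carries a known-bad pattern passes the firewall and is stopped by the IPS layer.

```python
# Added example, not from the AlgoBuzz post; addresses, policy and signatures are constructed.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # source CIDR
    dst: str = "0.0.0.0/0"      # destination CIDR
    dport: int | None = None    # None matches any port
    proto: str | None = None    # None matches any protocol
    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, pkt.dport)
                and self.proto in (None, pkt.proto))

# First matching rule wins; an explicit default deny closes the list.
FIREWALL_POLICY = [
    Rule("deny", src="10.0.0.0/8"),                                # internal range seen from outside: drop
    Rule("allow", dst="203.0.113.10/32", dport=443, proto="tcp"),  # public web server
    Rule("allow", dst="203.0.113.10/32", dport=80, proto="tcp"),
    Rule("deny"),
]

# Byte patterns the IPS looks for inside flows the firewall already allowed.
IPS_SIGNATURES = {"path-traversal": b"../../", "sqli-union": b"UNION SELECT"}

def firewall_decision(pkt: Packet, policy=FIREWALL_POLICY) -> str:
    """Binary allow/deny on the 5-tuple alone; the payload is never examined."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"

def perimeter_verdict(pkt: Packet) -> tuple[str, str | None]:
    """Layered verdict: (final action, IPS signature that fired or None)."""
    if firewall_decision(pkt) == "deny":
        return ("deny", None)
    hit = next((n for n, sig in IPS_SIGNATURES.items() if sig in pkt.payload), None)
    return ("deny", hit) if hit else ("allow", None)
```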

Together these systems will help limit the risk and likelihood of an attacker walking through the front gate, but we can’t let our guard down just because we have them. Having these tools in place is one thing, but having the staff and policy to manage them is another. An important component of a truly secure architecture is having the right staff with the right expertise in place to manage it, from the personnel who configure the systems to those who monitor the systems’ output for security-related events. It’s a test of your architecture and team to tune everything if and when something gets through.

Accessing it Securely

In the first blog, we used the analogy of the network being like a medieval castle, and just like our castle walls, we need an entrance to the network from the outside. There are times when we need to open the drawbridge and allow only approved people into our kingdom.

  • In this example we’re talking about NGFWs that have the ability to scan user traffic entering and exiting the firewall, all while looking for patterns of suspicious behavior in the requests.
  • Another way to have secure access from the outside through the perimeter is to install a VPN, either IPsec or SSL, configured to allow encrypted communication directly into your network from the outside. There’s always a time to allow those from different networks into your enterprise, but the connection should be encrypted and the user authorized before it’s allowed through. Utilizing two-factor authentication with a VPN strengthens your confidence in the identity of the users making the request. This is external-facing to your network and allows users to tunnel into your LAN from the outside once the appropriate measures are taken to secure access.

Just as men of old protected their homelands from foreign attackers, so we in information security protect our company’s data from hackers across the globe. Luckily for us, these problems have already been solved once in the physical realm, and it’s up to us to apply the same techniques to the cyber realm. Next up, we’ll examine how to set up a DMZ.