Article - Best Practices in Network and Security Design
Author: Werner Schmidt, CISSP
Date: January 2009
Simple is better
- Use appliances where applicable
- Don’t get fancy; sophistication causes outages
Build on a strong foundation
- Use chassis or virtual chassis switches
- Use enterprise class switches
- Use manageable switches
Address core services:
- DNS
- DHCP
- NTP
- tftp
- Console access
- These are weaker and more important than you think...
Containment
- Use network segmentation
- Think zones... (especially for PCI scoping)
- Separate servers from users
Topology
- Think in terms of zones (especially for PCI scoping):
  * Users
  * DMZ
  * Internet
  * VPN partners
  * Servers
  * Multiple server zones
  * Wired and wireless
- Minimize devices in the DMZ
- Public-facing web servers should be protected with IDS/IDP and web application firewalls
- All user-authenticated entry into a DMZ should come only through a robust SSL VPN appliance
- One point of public entry and one point of user entry (HA aside); that one point can, and probably should, use a VIP (virtual IP) approach
- One-to-one NAT without a DMZ for public servers? Are you nuts?
- If your network needs ICMP redirects to work, you did something wrong; fix your topology
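A zone model is only useful if the rule base actually honours it. The following is an added example (not code from the article) of the kind of check a network engineer can run against a candidate firewall rule set: each rule endpoint is mapped to a zone, and any allow rule that opens a zone-to-zone path the policy matrix does not list is reported, as is any rule whose address range straddles zone boundaries or opens "any port". The zone ranges, the policy matrix and the rules are all constructed for the example; the "one-to-one NAT without a DMZ" and "DMZ back into the user zone" rules are there to show what the check catches.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout for one site; every address range here is constructed
# for the example (RFC 1918 and documentation space), not taken from the article.
ZONES = {
    "users":        [ipaddress.ip_network("10.10.0.0/16")],
    "servers":      [ipaddress.ip_network("10.20.0.0/16")],
    "dmz":          [ipaddress.ip_network("192.0.2.0/24")],
    "vpn_partners": [ipaddress.ip_network("172.16.0.0/12")],
}
INTERNET = "internet"   # literal used in rules for the edge's outside zone

# Zone-to-zone policy: the destination ports each pair may open.
# Anything absent from this table is denied, so dmz->users, internet->servers
# and internet->users never appear here.
POLICY = {
    (INTERNET, "dmz"):           {443},
    ("users", INTERNET):         {80, 443},
    ("users", "servers"):        {53, 443, 445},
    ("dmz", "servers"):          {5432},   # web tier to database tier (assumed)
    ("vpn_partners", "servers"): {443},
}

@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or the literal "internet"
    dst: str      # CIDR or the literal "internet"
    port: int     # destination port; 0 means any port
    action: str   # "allow" or "deny"

def zone_of(endpoint: str) -> str:
    """Map a rule endpoint to a zone. A range that straddles zones, or lies in
    none of them, gets a sentinel so the checker can flag the rule itself."""
    if endpoint == INTERNET:
        return INTERNET
    net = ipaddress.ip_network(endpoint, strict=False)
    inside = [z for z, nets in ZONES.items() if any(net.subnet_of(n) for n in nets)]
    if inside:
        return inside[0]
    if any(net.overlaps(n) for nets in ZONES.values() for n in nets):
        return "multiple"
    return "unassigned"

def violations(rules):
    """Return (rule, reason) for every allow rule the zone policy does not cover."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        sz, dz = zone_of(r.src), zone_of(r.dst)
        if sz in ("multiple", "unassigned") or dz in ("multiple", "unassigned"):
            findings.append((r, f"endpoint does not map to a single zone ({sz}->{dz})"))
            continue
        allowed = POLICY.get((sz, dz), set())
        if r.port == 0:
            findings.append((r, f"{sz}->{dz}: 'any port' allow rules are not permitted"))
        elif r.port not in allowed:
            findings.append((r, f"{sz}->{dz}: port {r.port} not in policy {sorted(allowed)}"))
    return findings

# Constructed candidate rule base: five sound rules, three findings, one default deny.
SAMPLE_RULES = [
    Rule(INTERNET, "192.0.2.10/32", 443, "allow"),        # public web server in the DMZ
    Rule("10.10.0.0/16", "10.20.0.0/16", 443, "allow"),   # users to servers over HTTPS
    Rule("10.10.0.0/16", INTERNET, 80, "allow"),
    Rule("172.16.0.0/12", "10.20.0.0/16", 443, "allow"),  # VPN partner to servers
    Rule("192.0.2.0/24", "10.20.0.0/16", 5432, "allow"),  # DMZ web tier to database
    Rule("192.0.2.0/24", "10.10.0.0/16", 0, "allow"),     # DMZ back into the user zone, any port
    Rule(INTERNET, "10.20.5.5/32", 22, "allow"),          # "one-to-one NAT without a DMZ"
    Rule("10.0.0.0/8", "10.20.0.0/16", 445, "allow"),     # source straddles users and servers
    Rule(INTERNET, "0.0.0.0/0", 0, "deny"),               # explicit default deny
]

if __name__ == "__main__":
    for rule, why in violations(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst}:{rule.port or 'any'}  {why}")
```

The check is deliberately conservative: a rule whose source or destination does not sit inside exactly one zone is a finding on its own, because a range that spans users and servers cannot be reasoned about in zone terms, and that is usually how segmentation quietly erodes.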
Redundancy
- In the spirit of keeping it simple, avoid active/active; think active/passive
- Consider load implications during outages
- Use redundant ISP connections; in many cases, don’t rely on simple routing alone to do this
- Do it in proper sequence:
  * Harden the local site with active/passive first (site failover is bad for applications in many cases)
  * Fail over the site as a last resort
  * Use GSLB (Global Server Load Balancing) for proper automated site failover
- Test and validate failover works and stays working
Visibility and Management
- You must be able to see the problem if you want to fix it
- Log it for historical purposes
- Centralize logging
- Centralize time (NTP) and use consistent time stamping
- Alert on it
- Correlate events
- Look for NBAD (Network Behavior Anomaly Detection)
- Look for probe, recon and attack phases
- If you have the budget, use full packet capture and playback to recreate history
- Think various levels of granularity:
* Interface rates
* Port stats on switches
* Network tcp/udp port utilization
* Application (different than port) utilization
- Document it all
* Physically
* Logically
* Different granularity levels
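The points above on centralized logging, consistent time stamping, event correlation and spotting the probe, recon and attack phases fit together in a single small pipeline. The following is an added example (not code from the article): it parses log lines from two devices whose clocks report in different timezones, normalizes every timestamp to UTC before sorting (without that step the IDS alert would land hours away from the firewall events it belongs to), flags a source as being in a recon phase once it has been denied on several distinct ports inside a short window, and then attaches any later accepted connection or IDS alert from that source as a follow-on event. The log format, hostnames, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: the edge firewall logs in local time (-05:00) while the
# DMZ IDS logs in UTC. Addresses are documentation space; nothing here is real.
SAMPLE_LOGS = """\
2009-01-14T08:02:11-05:00 fw-edge DENY src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2009-01-14T08:02:11-05:00 fw-edge DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2009-01-14T08:02:12-05:00 fw-edge DENY src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2009-01-14T08:02:12-05:00 fw-edge DENY src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2009-01-14T08:02:13-05:00 fw-edge DENY src=203.0.113.7 dst=192.0.2.10 dport=3306 proto=tcp
2009-01-14T08:02:13-05:00 fw-edge DENY src=203.0.113.7 dst=192.0.2.10 dport=8080 proto=tcp
2009-01-14T08:02:14-05:00 fw-edge ALLOW src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2009-01-14T13:02:40+00:00 ids-dmz ALERT src=203.0.113.7 dst=192.0.2.10 dport=443 sig=web-app-probe
2009-01-14T08:05:00-05:00 fw-edge ALLOW src=198.51.100.20 dst=192.0.2.10 dport=443 proto=tcp
"""

# Hypothetical line layout: ISO 8601 timestamp with offset, host, action, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?P<rest>.*)$"
)

def parse(text):
    """Parse log lines and return them sorted by UTC time, whatever offset each device used."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real collector would count these
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        events.append({"ts": ts, "host": m["host"], "action": m["action"],
                       "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    events.sort(key=lambda e: e["ts"])   # stable sort keeps same-second ordering
    return events

def correlate(events, recon_ports=5, recon_window=timedelta(seconds=60),
              follow_window=timedelta(minutes=10)):
    """Return {src: {"recon_at", "ports", "follow_on"}} for sources that were denied
    on recon_ports distinct ports within recon_window and then produced an ALLOW
    or ALERT within follow_window of the recon starting."""
    findings = {}
    probes = defaultdict(list)   # src -> [(ts, dport)] of recent denied connects
    for e in events:
        src = e["src"]
        if e["action"] == "DENY":
            probes[src].append((e["ts"], e["dport"]))
            probes[src] = [(t, p) for t, p in probes[src] if e["ts"] - t <= recon_window]
            ports = {p for _, p in probes[src]}
            if len(ports) >= recon_ports:
                entry = findings.setdefault(src, {"recon_at": probes[src][0][0],
                                                  "ports": set(), "follow_on": []})
                entry["ports"].update(ports)
        elif src in findings and e["ts"] - findings[src]["recon_at"] <= follow_window:
            findings[src]["follow_on"].append(e)
    return findings

def timeline(findings):
    """Render each finding as one line per phase, suitable for an alert body."""
    lines = []
    for src, f in findings.items():
        lines.append(f"{f['recon_at'].isoformat()} RECON {src} probed ports {sorted(f['ports'])}")
        for e in f["follow_on"]:
            lines.append(f"{e['ts'].isoformat()} FOLLOW-ON {src} {e['action']} on {e['host']} "
                         f"to {e['dst']}:{e['dport']}")
    return lines

if __name__ == "__main__":
    for line in timeline(correlate(parse(SAMPLE_LOGS))):
        print(line)
```

Two design points are worth carrying into a real deployment: normalize to UTC at ingest rather than at query time, so every downstream consumer sees one clock, and keep the recon detector stateless beyond its sliding window, so memory stays bounded no matter how many sources are probing.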
Assess via external validation (better to read some of my other articles)
Assume the worst
- You will lose it, now what?
- Don’t focus on time to backup, think time to recover and rebuild
Stop by often, this is incomplete and evolving.