Article - Best Practices in Network and Security Design
Simple is better
- Use appliances where applicable
- Don’t get fancy; sophistication causes outages
Build on a strong foundation
- Use chassis or virtual chassis switches
- Use enterprise class switches
- Use manageable switches
Address core services:
- DNS
- DHCP
- NTP
- tftp
- Console access
- These are weaker and more important than you think...
Containment
- Use network segmentation
- Think zones... (especially for PCI scoping)
- Separate servers from users
Topology
- Think in terms of zones (especially for PCI scoping)
- Users
- DMZ
- Internet
- VPN partners
- Servers
- Multiple server zones
- Wired and wireless
- Minimize devices in the DMZ
- Public-facing web servers should be protected with IDS/IDP and web application firewalls
- All user-authenticated entry into a DMZ should only come through a robust SSL VPN appliance
- One point of public entry and one point of user entry (without considering HA); that one point can, and probably should, use a VIP kind of approach
- One-to-one NAT without a DMZ for public servers? Are you nuts?
- If your network needs ICMP redirects to work, you did something wrong; fix your topology
Redundancy
- In terms of simple, avoid active/active, think active/passive
- Consider load implications during outages
- Use redundant ISP connections; in a lot of cases, don’t do this with just simple routing
- Do it in proper sequence:
- Harden the local site with active/passive first (site failover is bad for applications in a lot of cases)
- Fail over the site as a last resort
- Use GSLB (Global Server Load Balancing) for proper automated site failover
- Test and validate failover works and stays working
Visibility and Management
- You must be able to see it if you want to fix the problem
- Log it for historical purposes
- Centralize logging
- Centralize time and use consistent time stamping
- Alert on it
- Correlate events
- Look for NBAD (Network Behavior Anomaly Detection)
- Look for probe, recon and attack phases
- If you have the budget, recreate history with full-capture and playback approaches
- Think various levels of granularity:
* Interface rates
* Port stats on switches
* Network tcp/udp port utilization
* Application (different than port) utilization
- Document it all
* Physically
* Logically
* Different granularity levels
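As an added illustration of the correlation the list above calls for (this is not code from the original article), the following Python reads constructed firewall deny/allow lines in a hypothetical syslog-like format, normalizes their UTC timestamps, flags a source whose denied connections span many distinct ports within a short window as a recon phase, and reports any connection later allowed from that source as the possible hand-off to an attack phase.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines in a hypothetical syslog-like format
# (not real data). Timestamps are UTC from an NTP-synced, centralized source.
SAMPLE_LOGS = """\
2009-01-12T10:00:01Z fw1 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=21
2009-01-12T10:00:02Z fw1 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22
2009-01-12T10:00:02Z fw1 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=23
2009-01-12T10:00:03Z fw1 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=25
2009-01-12T10:00:04Z fw1 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=110
2009-01-12T10:00:05Z fw1 ALLOW src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=443
2009-01-12T10:00:07Z fw1 ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
2009-01-12T10:05:00Z fw1 DENY src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)

def parse(text):
    """Yield one dict per well-formed line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            ev["dport"] = int(ev["dport"])
            yield ev

def find_recon(text, window=timedelta(seconds=60), min_ports=5):
    """Flag a source as recon when it is denied on >= min_ports distinct ports
    within `window`; also list ports later ALLOWed from that source."""
    denies, allows = defaultdict(list), defaultdict(list)
    for ev in parse(text):
        bucket = denies if ev["action"] == "DENY" else allows
        bucket[ev["src"]].append((ev["ts"], ev["dport"]))
    findings = {}
    for src, hits in denies.items():
        hits.sort()  # chronological, so each hit can open a sliding window
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                later = sorted({p for t, p in allows[src] if t >= t0})
                findings[src] = {"scanned_ports": sorted(ports), "later_allowed": later}
                break
    return findings
```

Tune `window` and `min_ports` to the site's normal traffic; a single denied port from a source (the second address above) is a probe, not a sweep, and is left for the next granularity level.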
Assess via external validation (better read some other articles of mine)
Assume the worst
- You will lose it, now what?
- Don’t focus on time to backup, think time to recover and rebuild
Stop by often, this is incomplete and evolving.
Author: Werner Schmidt, CISSP
Date: January 2009