Network designs with inadequate security in place are similar to most home security models. There is a deadbolt on each door, and window locks to keep intruders away. Anyone is welcome to ring the doorbell, but must be known and trusted to be allowed inside. Once inside, a guest typically has access to most areas and could potentially sabotage basic levels of security. There is no real record of any activity in the house, and once it is vacated, intruders can dig through your personal items, taking whatever they please. In the same way, firewalls identify and restrict Internet guests through DMZ rules, yet conference room and data center ports lie open to anyone with a laptop. Unchanged wireless keys give temporary users access to the network forever. While attacks aren't a daily threat, the occasional security threat seeps into the network and affects hosts, servers and even the network itself. Basic security is present, but a major incident is completely possible.
Compare home security to the protection of a bank. While access into the parking lot is unrestricted, cameras monitor and record every part of the property. There is a 24-hour ATM that offers most services with two-factor identification. Anyone is allowed in the bank lobby during normal business hours, but visitors experience a heightened level of security and bullet-proof restriction of access to the bank's assets. It is difficult to loiter or explore without arousing suspicion. Monetary assets are encased further in the most fortified and secure area in the entire building. Access to the vault requires a person to pass through several different areas, each monitored, before authentication is ever requested. This is the shape of a well-secured network. An intrusion prevention system (IPS) implemented at several levels of the network acts like a security camera system, providing the traffic monitoring needed to accurately deter, detect and record most attacks. Firewalls, like bank tellers, verify identity but also restrict access to only those services that the bank is willing to offer you. The teller also records your transactions when giving you physical or virtual access to the vault, just as traffic flow statistics and security solutions provide the same type of accounting. Any hint of malicious activity in the facility results in immediate reaction and notification of the proper authorities. As your network grows, consider the different areas of your network and how access is controlled and monitored between them.