1 Comment

Designing Network Security

Written by:  • Edited by: Bill Bunter
Updated May 7, 2010

Find out how to design a secure company network, including remote access and internal security.

Network Security Design Considerations

Slide 1 of 3

Designing network security for a SMB requires following the same basic principles as those governing large enterprise security.

  1. It’s all about the data. When securing your network, always consider the sensitivity of the information stored, processed, or passing through your network.
  2. Secure information accessed remotely. In today’s business environment, customers, employees, and business partners often require access from offices, hotel rooms, and homes.
  3. Segregate remotely and publicly accessed systems from the internal network.
  4. Safeguard wireless access. The most important thing to remember about wireless is that it is inherently insecure, unless you take steps to protect the data wireless devices exchange in public as well as private locations.
  5. If appropriate, segment your network. Network segmentation, dividing your network into two or more logically separated networks, helps prevent the spread of malware, hinders intruders into one system from getting to other systems, and helps enforce access control efforts.
  6. Encrypt when appropriate.

I believe that using pictures is a good way to explain technology. So we’ll base our examination of network security design using two diagrams representing examples of remote access and a typical SMB internal network.

Designing a Secure Internal Network

Slide 2 of 3

Please refer to Figure 1 as we walk through considerations for securing your network.

Figure 1
click to enlarge

This is a good conceptual representation of the network needed by most SMBs. Since most small and medium businesses use the Internet as their connection to the rest of the world, including customers and business partners, I don’t discuss point-to-point circuits or complex router configurations.

Let’s start with the perimeter device: the router.

Routers must be placed between the cable modem--or other communication medium--connecting your business to the Internet. In our example, the router is used to connect to the Internet and to segment the company network. (For detailed explanations of routers and switches, see Introduction to Local and Wide-area Networks, Part 4 and Part 5.)

In our example, we have two virtual local area networks (VLANs). VLAN 100 is used to access a public Web server. No systems with sensitive information reside on it. All internal devices containing critical applications and sensitive information reside on VLAN 200. A security control known as an access control list (ACL) determines who and what can travel over each.

For example, an ACL would typically prohibit remote devices from accessing the internal devices on VLAN 200 while allowing access to the Web server. If the internal switch supports it, you could create additional VLANs to segregate the application, database, email, and file/print servers.

Going Wireless

Wireless devices attach to wireless access points (WAPs). You should encrypt wireless access networks and consider establishing a separate VLAN for wireless devices. Information on encryption and other wireless security issues is available at Wireless Access Controls. For more information about wireless points and routers, see Wireless N Buyer's Guide to Choosing a Router.

Finally, the best approach to preventing network infection is to block bad stuff at the perimeter. Standard routers are not equipped to handle things like email filtering. Products like those from Astaro or hosted services like Postini can help keep email borne malware away from your servers and workstations.

Remote Access Solutions

Slide 3 of 3

It’s a given that someone, maybe you, will want to access the network from a remote location. There are several traditional ways to do this. However, in this article I focus on two: VPN and SSL.

VPN, or virtual private network technology, enables an encrypted connection over the Internet. In other words, it allows you to create a private network while using the public Internet as your external connectivity method, as shown in Figure 2.

Figure 2
click to enlarge

VPN comes in two forms: SSL VPN and IPSec VPN. IPSec VPN is the traditional approach to establishing a secure remote connection. However, it typically requires the installation of an application on the remote system. And when compared to SSL VPN, it provides far less flexibility when configuring access controls. Further, SSL VPN is typically less expensive to implement and manage.

Non-employees, or individuals needing only access to your public VLAN, can connect securely by using the underlying security technology of SSL VPN, secure sockets. The secure sockets layer, or SSL (known as TLS after SSL 3.0), is built into all popular browsers. All you have to do is purchase a certificate from a certificate authority, install it on your Web server, turn on SSL, and you have a secure, encrypted connection. In addition to providing encryption, SSL enables server-remote device authentication, if needed.

In the next section of this SMB security manual, we’ll move from infrastructure design to logical and physical access controls.

  
Next Article »
A Security Manual for Small/Medium Businesses
A how-to manual for implementing reasonable and appropriate security in small/medium business, using clear, non-technical explanations of how to integrate emerging standards (PCI DSS, HIPAA, etc.) into security spending decisions.

Comment

Showing all 1 comments
 
JayDee Dec 23, 2009 11:33 AM
Very Helpful
This was a very helpful tutorial. Thanks for sharing your knowledge with us :)!
 
blog comments powered by Disqus
Computer Security
FEATURED AUTHORS
Shanna James William Busse Zack Jones M.S. Smith
mathewf4rr3l Tim Cormany Aaron R. Tye Yorkshire
Most Popular Articles
Email to a friend