Using a Layered Security Approach to Protect Networks


Networks Grow

Like humans, all networks grow and evolve. They adapt to the needs of their users, react to the development of new technologies and typically expand in many diverse directions. The vast carrier data network in use around the world began as thick, inefficient telegraph cables strewn across the country to send the earliest of electronic communications. Home networks have grown from the common 56k modem and a telephone line to high-speed cable and DSL connectivity. Fiber optic cabling in homes and blanket wireless coverage in large metropolitan areas may be extremely popular in the coming years.

As networks grow, the ability to provide better security becomes more and more important. A layered approach separates network hosts into groups and isolates servers into a logical segment that is more easily managed. While this method seems obvious, a large number of networks secure their perimeters but ignore internal traffic and host behavior. By adopting a layered approach to security, network engineers can properly utilize the vast array of tools available to them to gain visibility and control over their entire network. Open-source and commercial security solutions can be used in conjunction with dedicated appliances, providing customized analysis and perspective into the behavior of clients and applications. The perfect blend of solutions can only be chosen by the engineer tasked to protect the vital parts of a network, and we can learn a lot by looking at examples of security in areas outside of IT.

The House & The Bank

Network designs with inadequate security in place are similar to most home security models. There is a deadbolt on each door, and window locks to keep intruders away. Anyone is welcome to ring the doorbell, but must be known and trusted to be allowed inside. Once inside, a guest typically has access to most areas. They could potentially sabotage basic levels of security. There is no real record of any activity in the house, and once it is vacated, intruders can dig through your personal items, taking whatever they please. In the same way, firewalls identify and restrict Internet guests through DMZ rules. However, conference room and data center ports lie open to anyone with a laptop. Unchanged wireless keys give temporary users access to the network forever. While attacks aren’t a daily threat, the occasional security threat seeps into the network and affects hosts, servers and even the network. Basic security is present, but a major incident is completely possible.

Compare home security to the protection of a bank. While access into the parking lot is unrestricted, cameras monitor and record every part of the property. There is a 24-hour ATM that offers most services with two-factor identification. Anyone is allowed in the bank lobby during normal business hours, but experiences a heightened level of security and bullet-proof restriction to the bank’s assets. It is difficult to loiter or explore without arousing suspicion. Monetary assets are encased further in the most solidified and secured area in the entire building. Access to the vault requires a person to pass through several different areas, being monitored before authentication is ever requested. This is the shape of a well-secured network. An intrusion prevention system (IPS) implemented at several levels of the network acts like a security camera system, providing the traffic monitoring needed to accurately deter, detect and record most attacks. Firewalls, like bank tellers, verify identity but also restrict access to only those services that the bank is willing to offer you. The teller also records your transactions when giving you physical or virtual access to the vault, just as traffic flow statistics and security solutions can provide the same type of accounting. Any hint of malicious activity in the facility results in immediate reaction and notification of the proper authorities. As your network grows, consider the different areas of your network and how access is controlled and monitored between them.

The Castle & The Moat

Defining clear network boundaries between your data center’s assets and network hosts is the first step in building a castle wall around those assets. Users should be on physically and logically separate networks, providing the ability not only to accurately record IP packet activity but also to control access between each group of devices. WAN connections and VPN head-end devices should have connections to the network that allow for full traffic inspection and access control before entering the core of the network. By logically separating your data center in this fashion, you make your IT assets viewable in an isolated and secured manner. All of your isolated and secured assets can be defined easily through summarized IP ranges, group names and even physical location.

Each connection into the castle is a bridge across the moat, permitted and evaluated by your choice of security solution. In severe instances, any single drawbridge can be pulled shut, isolating the risk while continuing to provide as much access as possible. Monitoring traffic inside of the castle walls is just as important as monitoring the traffic coming to the perimeter. Since threats can originate from any device, you must be able to identify malicious traffic traveling between servers in your data center.
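
The zone model described above can be checked against recorded traffic. The following is an added example, not part of the original article: it maps flow records to zones by summarized IP range and reports any flow, including server-to-server traffic inside the data center, that no rule permits. The address plan, zone names, policy and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed zone map: each zone is a summarized IP range (assumed addressing plan).
ZONES = {
    "users":      ipaddress.ip_network("10.10.0.0/16"),
    "datacenter": ipaddress.ip_network("10.20.0.0/16"),
    "vpn":        ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed allow-list: (source zone, destination zone) -> permitted destination ports.
# Anything not listed is denied, including server-to-server traffic inside the data center.
POLICY = {
    ("users", "datacenter"): {443},
    ("vpn", "datacenter"): {443, 22},
    ("datacenter", "datacenter"): {5432},
}

def zone_of(addr):
    """Return the zone whose summarized range contains addr, or 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def evaluate(flow):
    """Classify one flow record (src, dst, dst_port) against the zone policy."""
    src, dst, port = flow
    pair = (zone_of(src), zone_of(dst))
    allowed = port in POLICY.get(pair, set())
    return {"flow": flow, "zones": pair, "allowed": allowed}

def violations(flows):
    """Return the flows that cross or stay within zones without a matching rule."""
    return [r for r in map(evaluate, flows) if not r["allowed"]]

# Constructed flow records, as a flow exporter or firewall log might report them.
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.1.10", 443),    # user to web front end: allowed
    ("10.10.4.7", "10.20.1.50", 3389),   # user to server RDP: no rule
    ("10.20.1.10", "10.20.1.50", 5432),  # app to database: allowed
    ("10.20.1.50", "10.20.1.10", 445),   # server-to-server SMB: no rule
    ("10.30.0.9", "10.20.1.10", 22),     # VPN admin SSH: allowed
    ("203.0.113.5", "10.20.1.10", 443),  # external straight to data center: no rule
]

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print(v["zones"], v["flow"])
```

A perimeter-only view would surface just the last record; the server-to-server SMB flow appears only because traffic inside the data center zone is held to the same allow-list.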

Back to the Basics

In summary, utilize the full gamut of security solutions at your disposal. Separate your network into logical sections and monitor the traffic passing between them. A combination of solutions from multiple vendors will always provide the most comprehensive security for networks that will never cease to grow.