- The essence of network infrastructure security and its purpose
- General approaches and technologies for building a secure network
- Implementing a secure network for a small office
- Example solutions for a secure infrastructure in a medium-sized office
- Network security in a large distributed enterprise network
The essence of network infrastructure security and its purpose
Today, when information technologies are closely tied to the business processes of most companies, and the ways and methods of network attacks are constantly being refined, it is still commonly assumed that installing an ordinary firewall at the network border is enough to protect internal organizational assets. Unfortunately, this is not the case, and is in fact far from it.
As an example of the limited effectiveness of a firewall on its own: a user can follow a link received from a friend on a social network or by e-mail, download a file and run a virus which, by exploiting an unpatched operating system or application, gains administrator privileges and performs malicious actions from inside the enterprise network. In addition, copies of the virus are actively sent to the contact list of the infected system. There are online services on the Internet for checking suspicious files against many antivirus products, but intruders use these same services to craft new "invisible" viruses that evade detection. As a result, there are now numerous botnets, stolen credit-card numbers are easy to buy, and hacking computers has become a common way of making money. This is why the security task requires a comprehensive approach at all levels of the network infrastructure and computing resources.
General approaches and technologies for building a secure network
The process of creating a secure network infrastructure begins with planning. At this stage, the services that will be used in the network and the associated risks are enumerated, and the steps and procedures required to reduce those risks are determined. Based on the information gathered during planning, a suitable network infrastructure design is developed and a set of security policies is created. An implementation stage then follows. Since security is a process rather than a final result, nothing ends with implementation and the initial configuration of the security system. Security solutions require constant attention: tracking security events, analysing them and refining the relevant policies.
The operation of the whole security complex depends on creating effective security policies and strictly adhering to them. Correct policies should be documented and should not have many exceptions. All equipment software should be updated regularly. Weak user passwords, configuration errors, use of default settings, and insecure protocols and technologies constitute the main threats to security.
To ensure complete security of the whole IT infrastructure, security mechanisms must be implemented at all network levels, from the border to the access switches. At the access level it is highly recommended to use managed switches that support security features for the ARP, DHCP and STP protocols. Authenticate users on connection using 802.1x. Assign employees to different VLANs according to their responsibilities, and define the rules of interaction and access to the various resources at the distribution level.
When connecting to a WAN and the Internet, in addition to a firewall it is necessary to inspect traffic at the application level and check it for threats with an IPS. The border equipment must be resistant to DoS and DDoS attacks. For Internet access it is highly recommended to use proxy servers with additional checks for viruses, spam, scumware and spyware; web and content filtering can be applied on the proxy servers as well. It is also important to have a security solution that checks e-mail for spam and viruses. For safety, all organizational assets that must be reachable from outside should be placed in a separate demilitarized zone (DMZ). VPN technology with encryption of the transmitted data should be used for remote access.
Secure protocols (SSH, HTTPS, SNMPv3) should be used to manage all network equipment. The time on the equipment must be synchronized so that logs can be analysed and correlated. Syslog, RMON, sFlow and NetFlow are used to understand which traffic is flowing in the network, how loaded the equipment is and which events occur on it. It is important to keep a record of who made which changes to the equipment configuration, and when.
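As an added example (not code from the original article), the following Python script reads syslog lines in Cisco IOS style from access switches and extracts two things the text asks for: an audit record of who changed configuration, when and from which address (flagging entries whose clock was not synchronized), and the events produced by the ARP, DHCP and STP protections recommended for access switches. The hostnames, addresses and sample lines are constructed for the example; the message mnemonics follow the Cisco IOS style, which is assumed here because Cisco is one of the vendors the article names.

```python
import re
# Constructed sample lines in the style of Cisco IOS syslog forwarded by access
# switches to a central collector; not output from any real device.
SAMPLE_LOG = """\
<189>sw-access-01: *Jan  1 00:02:11: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.5)
<188>sw-access-01: Jan  1 09:14:02: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/5, vlan 10.
<189>sw-access-02: Jan  1 09:15:40: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.4455
<186>sw-access-02: Jan  1 09:16:03: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
<189>sw-access-02: Jan  1 10:01:30: %SYS-5-CONFIG_I: Configured from console by ops on vty1 (10.10.0.7)
"""

LINE_RE = re.compile(
    r"^<\d+>(?P<host>[\w.-]+): (?P<ts>[*.]?\w{3}\s+\d+ \d\d:\d\d:\d\d): "
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
CONFIG_RE = re.compile(r"by (?P<user>\S+) on (?P<line>\S+)(?: \((?P<src>[\d.]+)\))?")
# Messages from the access-layer protections named in the text (ARP, DHCP, STP).
VIOLATIONS = {
    "DHCP_SNOOPING_DENY": "ARP packet rejected by Dynamic ARP Inspection",
    "DHCP_SNOOPING_UNTRUSTED_PORT": "DHCP server reply dropped on untrusted port",
    "BLOCK_BPDUGUARD": "BPDU received on access port; port err-disabled",
}

def parse_line(line):
    """Split one syslog line into fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = m["ts"]
    # IOS prefixes the timestamp with '*' or '.' when its clock is not authoritative.
    return {"host": m["host"], "when": ts.lstrip("*."), "clock_synced": ts[0] not in "*.",
            "severity": int(m["sev"]), "mnemonic": m["mnemonic"], "msg": m["msg"]}

def audit_config_changes(events):
    """Who changed configuration, when and from which address (CONFIG_I messages)."""
    rows = []
    for e in events:
        if e["mnemonic"] != "CONFIG_I":
            continue
        c = CONFIG_RE.search(e["msg"])
        rows.append({"host": e["host"], "when": e["when"], "clock_synced": e["clock_synced"],
                     "user": c["user"] if c else "?",
                     "source": c["src"] if c and c["src"] else "local"})
    return rows

def access_layer_violations(events):
    """Events from DAI, DHCP snooping and BPDU guard, with their meaning."""
    return [{"host": e["host"], "when": e["when"], "mnemonic": e["mnemonic"],
             "meaning": VIOLATIONS[e["mnemonic"]]}
            for e in events if e["mnemonic"] in VIOLATIONS]
```

A config-change record with clock_synced set to False is one whose time cannot be trusted for correlation with other devices, which is exactly why the text insists on time synchronization before log analysis.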
Implementing a secure network for a small office
For small offices with up to 25 employees it is recommended to use a UTM solution, which combines the full set of security functions in one device: firewall, antivirus, anti-spam, IPS, protection against DoS and DDoS attacks, web and content filtering, and various ways of building VPNs. Such products are made by Fortinet and SonicWall, the market leaders in this field. The devices have a complete web management interface, which simplifies configuration for the administrator, who is often the only one in a small company. A sufficient number of wired and wireless interfaces, support for remote access to organizational assets, and integration with various directory services make these devices the ideal solution for a small office. To connect wired users to the solution it is recommended to add a managed L2 switch with protection against local network attacks configured.
Example solutions for a secure infrastructure in a medium-sized office
For medium-sized offices it is recommended to use a modular network infrastructure in which each device is responsible for specific tasks. In such enterprises the local network must be built with a mandatory separation of the core and user access levels. When many servers are used, the data-center aggregation switches should be installed separately. It is recommended to separate the functions of the edge router and the firewall by placing them on two different devices. Servers that are accessed from outside should be installed in a separate DMZ. Redundancy of the Internet connection module can be achieved by duplicating all of its equipment and configuring the relevant fail-over protocols on it. If the enterprise has branches, telecommuters or mobile employees, connection to organizational assets should be made over VPN. Another important component of the security solution is network monitoring software, which greatly facilitates the work of network administrators and makes it possible to respond to threats in time, thereby ensuring the continuity of all network services.
To build such solutions it is recommended to use equipment from Cisco, HP, Huawei, Fortinet, SonicWall and Palo Alto, each of which has its own advantages and distinctive features; combining them makes it possible to obtain a network that is secure and at the same time transparent to control and monitor.
Network security in a large distributed enterprise network
The network of a large distributed enterprise is similar in implementation to that of a medium-sized enterprise, and differs in a greater distribution of functions between devices, higher fault tolerance, and the presence of a dedicated WAN for data transmission between branches. For safety reasons, the WAN connection module is implemented separately from the Internet connection module. The equipment used for medium-sized enterprise networks is also used to build the networks of large distributed enterprises.