Five Design Principles for the Network Architect - Security


(#4 of 7)

To continue the series, this post talks at a high level about the principles you should consider when looking at the security aspects of your network design.  Be aware I am not a cyber security guy.  But I do know which security elements you should consider when you build a network design, so that is what I'm discussing here.  If you want more on cyber security, you could find a far worse starting point than fellow #CiscoChampion Zoë Rose's blog https://www.zoërose.com or follow her on Twitter @5683Monkey.

[Disclosure: Zoë proofread this post for me to help keep me honest - thank you!]

As every security course ever taught points out, there are three fundamental goals of any security design:

  • Confidentiality - ensuring that data is not accessible by parties from whom it should be hidden.  Most network security mechanisms are concerned with this in some way - including access control; network segmentation; policy definition and enforcement; and encryption where a common or shared transport is used.
  • Integrity - guaranteeing that data received is from a valid source and has not been altered in transit or at rest.  For example, the receiver might authenticate the sender and then run a hashing function over the received data, expecting it to return the same value the sender computed when the message was put together.
  • Availability - many attacks on networks aim to deny access to data, either through crafted attacks on applications, or more directly by flooding network devices with certain types of traffic so that legitimate traffic cannot pass.  Application firewalls and DDoS prevention help maintain availability.  See my previous post for more general thoughts on designing for availability.

Traditionally, threats were considered as originating "outside" the network, and so the focus was on protecting the network's "perimeter" - usually its connection to the Internet.  With time, and as the workforce has become more mobile, that perimeter has grown to include wherever people connect to the access network - in particular wireless networks.  However, the biggest increase in threat comes from the compromised machine within the network.  Most modern malware or virus threats rely on being able to take over an exposed machine (through an email attachment, targeted adware or similar) and then launch a "lateral" attack on other machines in the same environment that have the same level of security access.

In order to combat these modern attack vectors, the network designer needs to consider deploying security in depth across every element of the network: from the endpoints, across the access network, over the WAN to the Internet perimeter and beyond, and in the DC and public clouds.  The designer must work with their customer to determine
  • who and what should have access to which services; 
  • how you classify those users, devices and services; 
  • what segmentation is required across the elements of the network; and
  • ideally, how you can define a single centralised policy which can be applied and enforced end-to-end.

This centralised policy should contain elements including (but not exclusively):

  • Identification of users attempting to connect to the network using a centralised authentication method;
  • Profiling of devices used to connect to the network;
  • Grouping of users, devices and/or applications to enable segmentation of the network based on user/device context and not just IP address;
  • Definition of access policy based on the groupings above (examples might be: authenticated users are allowed email; only Finance users allowed access to Sage; unauthenticated users or devices are quarantined and only allowed guest Internet access);
  • Enforcement of that policy across the whole access network - wired, wireless and remote access included - so that no single security "choke point" has to be introduced;
  • Use of encryption using strong ciphers and hashing algorithms to protect confidentiality and integrity over shared transport environments such as the Internet, or point to point connections shared between groups of users; and
  • Administrative access to network equipment controlled through that central authentication.
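
The policy elements above, as an added example that is not from the post: a toy centralised policy evaluated on identity, group and device-profile context rather than source IP, with quarantine for unauthenticated or unprofiled devices and deny as the default. The service names (email, Sage, guest Internet) are the post's own examples; the group and device-profile names are constructed.

```python
"""Added example: context-based access policy with default deny.
Group names, device profiles and hostnames are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str                 # identity from centralised authentication
    authenticated: bool
    groups: frozenset         # e.g. frozenset({"Finance"})
    device_profile: str       # from device profiling: "corporate", "byod" or "unknown"
    access_method: str        # "wired", "wireless" or "remote": same policy applies to all


# Policy rules: (required group or None, required device profile or None, services granted)
RULES = [
    ("Finance", "corporate", {"sage"}),      # only Finance users on managed devices reach Sage
    (None, None, {"email"}),                 # any authenticated, profiled user gets email
]
QUARANTINE_SERVICES = {"guest-internet"}     # unauthenticated or unprofiled: guest Internet only


def permitted_services(ctx: Context) -> set:
    """Services this context may use; anything not granted by a rule is denied."""
    if not ctx.authenticated or ctx.device_profile == "unknown":
        return set(QUARANTINE_SERVICES)
    allowed = set()
    for group, profile, services in RULES:
        if group is not None and group not in ctx.groups:
            continue
        if profile is not None and profile != ctx.device_profile:
            continue
        allowed |= services
    return allowed


def decide(ctx: Context, service: str) -> str:
    """Decision an enforcement point would apply: 'allow', 'quarantine' or 'deny'."""
    if service in permitted_services(ctx):
        return "allow"
    if not ctx.authenticated or ctx.device_profile == "unknown":
        return "quarantine"
    return "deny"


if __name__ == "__main__":
    alice = Context("alice", True, frozenset({"Finance"}), "corporate", "wireless")
    bob = Context("bob", True, frozenset({"Sales"}), "corporate", "wired")
    guest = Context("guest", False, frozenset(), "unknown", "wireless")
    for ctx, svc in [(alice, "sage"), (bob, "sage"), (bob, "email"), (guest, "email")]:
        print(f"{ctx.user:6} {svc:14} {decide(ctx, svc)}")
```

Note that the source IP never enters the decision, and a Finance user on an unmanaged ("byod") device is denied Sage but still gets email.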
All network vendors have developed products with some or all of these capabilities.  The real value comes when you can gain visibility into, and analyse, the data coming from the network, and so go a step further to understand how the behaviour of users and/or devices on the network might be considered a threat.  There are a number of mechanisms that can be brought to bear to help with this:
  • Collection and correlation of flow data direct from devices in the network over an extended period of time. This data can be baselined to show what is normal expected behaviour, then compared to highlight what is abnormal.  Additional network data - such as successful and failed login attempts - can be correlated to provide additional insight;
  • Analysis of application requests to determine whether the patterns of request and response match known application fingerprints;
  • Filtering capability at the perimeter of the network which goes further than simply IP addresses and protocols, but looks into the content of the application requests and can deny access to blacklisted domains or URLs;
  • DNS proxies which can screen DNS requests for clients trying to access rogue services - these can either be denied or blackholed;
  • Sending data about all security events to a logging platform, where the events can be correlated across the entire network to quickly point out issues.  Some platforms also allow a feedback loop to be formed which will cause an automated action to quarantine bad actors on the network.
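
The first and last mechanisms above (baselining flow data over an extended period, then correlating abnormal behaviour with failed login events) as an added example that is not from the post. It builds a per-host baseline of distinct destinations per day, flags a host whose latest day exceeds that baseline, and raises the severity when the same host also has a run of failed logins. All flow records, hostnames and authentication events are constructed sample data, and the thresholds are illustrative.

```python
"""Added example: flow baselining plus failed-login correlation.
Flow records, hostnames and auth events below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, src_host, dst_host, dst_port). Seven "normal" days.
BASELINE_FLOWS = [(day, "ws-12", dst, port)
                  for day in range(1, 8)
                  for dst, port in (("mail", 993), ("files", 445), ("proxy", 3128))]
# Day 8: the same host suddenly talks to 25 peer workstations on port 445.
TODAY_FLOWS = [(8, "ws-12", "mail", 993), (8, "ws-12", "proxy", 3128)] + \
              [(8, "ws-12", f"ws-{n}", 445) for n in range(20, 45)]
# Constructed authentication-server events: (day, host, outcome)
AUTH_EVENTS = [(8, "ws-12", "fail")] * 9 + [(8, "ws-12", "success"), (8, "ws-07", "fail")]


def daily_counts(flows):
    """Per source host: list of distinct (dst, port) pairs seen per day, in day order."""
    per = defaultdict(lambda: defaultdict(set))
    for day, src, dst, port in flows:
        per[src][day].add((dst, port))
    return {h: [len(per[h][d]) for d in sorted(per[h])] for h in per}


def build_baseline(flows):
    """Mean and standard deviation of the daily counts over the training window."""
    return {h: (mean(c), pstdev(c)) for h, c in daily_counts(flows).items()}


def find_anomalies(base, flows, k=3.0):
    """Hosts whose latest day exceeds mean + k*stdev; stdev is floored at 1 so a flat baseline keeps some slack."""
    flagged = {}
    for host, counts in daily_counts(flows).items():
        mu, sd = base.get(host, (0.0, 0.0))   # unseen host: no history, small threshold
        if counts[-1] > mu + k * max(sd, 1.0):
            flagged[host] = counts[-1]
    return flagged


def correlate(flagged, events, fail_threshold=5):
    """Rank hosts: abnormal flows plus repeated failed logins is 'high', either alone is lower."""
    fails = defaultdict(int)
    for _, host, outcome in events:
        if outcome == "fail":
            fails[host] += 1
    hosts = set(flagged) | {h for h, n in fails.items() if n}
    result = {}
    for host in hosts:
        abnormal, brute = host in flagged, fails[host] >= fail_threshold
        severity = "high" if abnormal and brute else "medium" if abnormal else "low"
        result[host] = (severity, flagged.get(host, 0), fails[host])
    return result


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    print(correlate(find_anomalies(base, TODAY_FLOWS), AUTH_EVENTS))
```

In a real deployment the baseline would come from exported flow records over weeks rather than days, and the "high" result is what would feed the automated quarantine loop the post mentions.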
All of these services benefit from receiving data about potential risks from a threat intelligence service.  These services gather reputation data about bad actors - including DNS, IP and protocol data - and can provide signatures for specific malware behaviour that can be used to inform all of the above capabilities.  They can also be used to block access to newly registered domains, or to identify general industry trends.

As you may have noticed, I am not detailing every type of security product and am not endorsing any specific product lines here.  Hopefully your main takeaway from this is that while there is clearly still a place for the traditional firewall in a network, security should run deeply through all elements of the network. Protection should take a number of overlapping forms, and focus on protecting not just outside in, but also throughout the internal network.

As usual, really interested to hear your thoughts on this!

Previous> Scalability
Next> Supportability
