Ever wondered how to design a secure network infrastructure? Technology matters little if you don't know what you want or need to protect. There are questions you need to ask yourself before going into further consultations about setting up a network infrastructure:
- What are you trying to protect?
- What data is confidential?
- What resources are precious?
- What are you trying to protect against?
- Unauthorized access to confidential data?
- Malicious attacks on network resources?
- How do regulatory issues affect your policy?
Network infrastructure devices are the components of a network that transport communications needed for data, applications, services, and multi-media.
These devices include routers, firewalls, switches, servers, load-balancers, intrusion detection systems, domain name systems, and storage area networks.
These devices are ideal targets for malicious cyber actors because most or all organizational and customer traffic must pass through them:
- An attacker with presence on an organization’s gateway router can monitor, modify, and deny traffic to and from the organization.
- An attacker with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts.
Organizations and individuals that use legacy, unencrypted protocols to manage hosts and services make successful credential harvesting easy for malicious cyber actors. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.
What security threats are associated with network infrastructure devices?
Network infrastructure devices are often easy targets for attackers. Once installed, many network devices are not maintained at the same security level as general-purpose desktops and servers. The following factors can also contribute to the vulnerability of network devices:
- Few network devices, especially small office/home office and residential-class routers, run antivirus, integrity-maintenance, and other security tools that help protect general-purpose hosts.
- Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance.
- Owners and operators of network devices often do not change vendor default settings, harden them for operations, or perform regular patching.
- Internet service providers may not replace equipment on a customer’s property once the equipment is no longer supported by the manufacturer or vendor.
- Owners and operators often overlook network devices when they investigate, look for intruders, and restore general-purpose hosts after cyber intrusions.
How can you improve the security of network infrastructure devices?
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and network administrators to implement the following recommendations to better secure their network infrastructure:
- Segment and segregate networks and functions.
- Limit unnecessary lateral communications.
- Harden network devices.
- Secure access to infrastructure devices.
- Perform out-of-band (OoB) network management.
- Validate integrity of hardware and software.
Segment and Segregate Networks and Functions
Security architects must consider the overall infrastructure layout, including segmentation and segregation. Proper network segmentation is an effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network.
On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Segregation separates network segments based on role and functionality.
A securely segregated network can contain malicious occurrences, reducing the impact from intruders in the event that they have gained a foothold somewhere inside the network.
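To make the containment argument concrete, the following added example (not part of the original article) compares how far an intruder could move from a single foothold on a flat network versus a segmented, default-deny one. The segment names and the allowed flows are constructed assumptions for illustration.

```python
from collections import deque

# Constructed sample topology: segment names and flows are assumptions.
SEGMENTS = ["user_lan", "guest_wifi", "web_dmz", "app_tier", "db_tier", "mgmt_oob"]

# Flat network: every segment may initiate connections to every other one.
FLAT = {s: {d for d in SEGMENTS if d != s} for s in SEGMENTS}

# Segmented network: default deny, plus only the flows each role needs.
SEGMENTED = {
    "user_lan": {"web_dmz"},
    "guest_wifi": set(),
    "web_dmz": {"app_tier"},
    "app_tier": {"db_tier"},
    "db_tier": set(),
    "mgmt_oob": {"web_dmz", "app_tier", "db_tier"},  # out-of-band management
}

def lateral_reach(policy, foothold):
    """Map each segment reachable from the foothold to the minimum number of
    hops (segments that must be traversed) needed to get there."""
    hops, queue = {foothold: 0}, deque([foothold])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(policy.get(cur, ())):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    del hops[foothold]
    return hops

def exposure(policy, asset):
    """Segments from which the asset is reachable, directly or through
    chained trust relationships."""
    return {s for s in policy if s != asset and asset in lateral_reach(policy, s)}

if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"--- {name} network ---")
        for foothold in ("guest_wifi", "user_lan"):
            print(f"foothold {foothold}: {lateral_reach(policy, foothold)}")
        print(f"db_tier reachable from: {sorted(exposure(policy, 'db_tier'))}")
```

On the segmented policy the database tier is still reachable from the user LAN, but only through three chained hops, each of which is a place to filter and monitor; that remaining path is what the least-privilege review of allowed flows should examine.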
Physical Separation of Sensitive Information
Traditional network devices, such as routers, can separate Local Area Network (LAN) segments. Organizations can place routers between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic.
Organizations can use these boundaries to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.
Determining Security Requirements of the Organization
To determine the security requirements of the organization, you have to include a number of business factors:
- The business model that the organization uses greatly influences the type of security an organization implements. An organization that has world-wide branches would have different security requirements from a business that has a single office.
- To successfully implement security, you have to know how business processes within the organization work. You have to ensure that security does not prevent business processes from being carried out.
- As the business grows, the security policies and processes must be able to cater for this growth.
- Determine the risk tolerance of the organization. The level of risk tolerance would differ between organizations.
- Determine whether there are any laws and regulations that the organization has to adhere to. This is especially important when you draw up the security design.
- The management strategy being used should be included as well. Organizations can use either a centralized management strategy or a decentralized management strategy.
- The existing security policies and procedures should be included when you define the security requirements of the organization.
- The financial stance of the organization would also influence which security design is implemented.
Assessing the existing security processes and security policies would typically involve determining what the current security processes and security policies are, and whether these can be improved to meet the security requirements of the organization.
There are a number of recommendations which you can use to match the business requirements to the security plan:
- The organization uses business processes:
  - You should determine how these business processes flow and how the data associated with these processes flow.
  - You should determine the users that need to access services used in the business processes.
- The organization uses a centralized management strategy:
  - You should minimize the number of domains.
  - Include the management of administrative group membership.
- The organization uses a decentralized management strategy:
  - You should determine the rights that users require.
  - You should determine whether users need administrative abilities on the network, and if yes, determine who those users are.
- The risk tolerance level of the organization indicates an aversion to risks:
  - You should determine the risks that the organization is not prepared to tolerate.
  - Identify the actions which are necessary should the risk become a reality, and then include this in the security plan.
- The organization expects business growth in the next number of years:
  - You should try to estimate how many users and computers will be needed to provide for future business expansion.
  - Try to determine how the business will be geographically dispersed.
Recommendations
- Implement principles of least privilege and need-to-know when designing network segments.
- Separate sensitive information and security requirements into network segments.
- Apply security recommendations and secure configurations to all network segments and network layers.
- Make certain that the security plan is based on the security policy.