Designing a Secure Network | Moving Beyond Obscurity & Default Firewalls
Discover a comprehensive template for modern network design that enhances security through segmentation and best practices.
When it comes to securing a network, one of the most common mistakes is believing that security by obscurity (the idea that hiding the workings of your network is an effective defense) is a sufficient strategy. Many firewalls are deployed with default settings, leaving networks wide open to attack. Effective security comes from design and oversight, not from setting a few rules and hoping for the best.
One of the most pervasive misconceptions is that locking down a network with complex rules, like installing seven locks on a door, is enough. However, without ongoing monitoring and vigilance, even the most locked-down networks are vulnerable. Surveillance is just as important as the locks themselves.
Here's a template for a best-practice network design. It moves away from legacy firewall and DMZ configurations toward a more practical and secure model, one I first sketched on a napkin. The design prioritizes security through intelligent segmentation, thorough oversight, and best practices for both internal and external networks.
Key Highlights of a Secure Network Design
Disable Unused Ports
- All unused ports must be disabled. Leaving unused ports open creates potential entry points for attackers, and closing these ports reduces your attack surface.
Use Routers as an Additional Security Layer
- Routers should be employed to filter out undesired traffic before it ever reaches a firewall. Many organizations split the management of routers and firewalls across different teams, which leads to missed opportunities for unified threat management. Routers can, and should, be a crucial part of your security strategy, acting as the first line of defense against malicious traffic.
Segmentation with Private IPs
- Private IP addresses should be used within internal and DMZ networks. The external router should block traffic from private IP ranges, ensuring that internal traffic stays within the organization. Meanwhile, the internal core should drop any connections originating from public IPs. The external router should also block any unknown or unexpected protocols.
Secure VPNs for Remote Connections
- External connections must be made through secure virtual private networks (VPNs). All VPN traffic should terminate in a DMZ, ensuring that external users must pass through another layer of security before accessing internal resources.
Choke VLAN for Network Monitoring
- Introduce a choke VLAN to serve as an inspection point for monitoring traffic. Whether it's for DDoS protection, NetFlow analysis, or troubleshooting, this VLAN provides a central place to observe and react to network activity.
Separation of Business Unit Servers
- Segment your servers in the data center by business unit (e.g., HR, Finance). Use a separate firewall to control traffic between these units. This firewall doesn't perform NAT; it focuses solely on enforcing access rules. HR servers cannot connect to Finance servers unless a rule explicitly allows it.
Reverse Proxies in the DMZ
- External services should be handled by reverse proxies located in the DMZ. This setup protects your internal resources by ensuring that external requests are filtered and vetted before they can access internal networks.
Email Security and Scrubbing
- Use an email relay in the DMZ, and leverage third-party mail scrubbing services like Mimecast or MessageLabs to filter malicious attachments, spam, and phishing emails before they ever reach users.
DNS Forwarding to Secure Services
- Internal DNS queries should be forwarded to a secure service like OpenDNS. This adds another layer of protection by filtering out malicious domains and preventing DNS-based attacks.
VLAN Segmentation for Workstations
- Segment workstations into functional VLANs based on business units. For example, marketing workstations should be on a different VLAN from HR. Additionally, prevent the sharing of SMB/CIFS traffic across workstation VLANs to stop malware like worms and trojans from spreading between different departments.
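The external-router, core, business-unit firewall, and workstation VLAN rules above can be modelled as one ordered policy and checked against sample flows. This is an added example, not code from the original article; the zone names, VLAN subnets, known-protocol list, and the single HR-to-Finance allow rule are constructed for the demo.

```python
"""Added example: a small model of the segmentation policy described in the article.
Addressing plan, zone names and the allow list are constructed, not from the page."""
import ipaddress
from dataclasses import dataclass

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_PROTOS = {"tcp", "udp", "icmp", "esp"}  # what the external router is expected to see
SMB_PORTS = {139, 445}                        # SMB/CIFS, not shared across workstation VLANs

# Constructed plan: /23 workstation VLANs per business unit, /24 server VLANs in the data centre.
WORKSTATION_VLANS = {"marketing": ipaddress.ip_network("10.10.0.0/23"),
                     "hr": ipaddress.ip_network("10.10.2.0/23")}
SERVER_VLANS = {"hr": ipaddress.ip_network("10.20.1.0/24"),
                "finance": ipaddress.ip_network("10.20.2.0/24")}
# Explicit allow rules on the inter-unit server firewall (access control only, no NAT).
SERVER_ALLOW = {("hr", "finance", "tcp", 443)}

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    ingress: str  # "internet" (arrives at the external router) or "core" (originates inside)

def is_private(ip): return any(ipaddress.ip_address(ip) in n for n in PRIVATE)

def zone(ip, table):
    a = ipaddress.ip_address(ip)
    return next((name for name, net in table.items() if a in net), None)

def external_router(f):
    """Edge: drop private-range sources from the internet and unknown protocols."""
    if is_private(f.src): return "drop: private source from internet"
    if f.proto not in KNOWN_PROTOS: return "drop: unknown protocol"
    return "permit"

def internal_core(f):
    """Core: new connections must originate from private address space."""
    return "permit" if is_private(f.src) else "drop: public source inside core"

def workstation_policy(f):
    """No SMB/CIFS between different workstation VLANs."""
    s, d = zone(f.src, WORKSTATION_VLANS), zone(f.dst, WORKSTATION_VLANS)
    return f"drop: SMB {s}->{d}" if s and d and s != d and f.dport in SMB_PORTS else "permit"

def server_firewall(f):
    """Business-unit firewall: deny between units unless explicitly allowed."""
    s, d = zone(f.src, SERVER_VLANS), zone(f.dst, SERVER_VLANS)
    if s and d and s != d and (s, d, f.proto, f.dport) not in SERVER_ALLOW:
        return f"drop: {s}->{d} not allowed"
    return "permit"

def evaluate(f):
    """Run the flow through the layers in order; the first drop verdict wins."""
    stages = [external_router if f.ingress == "internet" else internal_core,
              workstation_policy, server_firewall]
    return next((v for v in (s(f) for s in stages) if v != "permit"), "permit")
```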
Route Authentication
- Use authenticated route distribution for all internal routes, particularly between the core network and firewalls. This prevents routing hijacks and ensures that only trusted traffic can navigate your network.
Management VLAN for Network Devices
- Set up a separate management VLAN dedicated to network administration. This VLAN should be tightly controlled with access control lists (ACLs), ensuring that only authorized personnel can access network devices and consoles. This VLAN should not pass through firewalls to avoid creating unnecessary bottlenecks or failures in access.
Jump Servers for Administrative Access
- Implement jump servers within the management VLAN. All administrative access to network devices and firewalls must go through these jump servers, creating a secure gateway for administrators to perform their tasks. This allows for better logging, control, and oversight of administrative activity.
Avoid Publishing on Port 80
- Never publish internal services on port 80. Instead, use non-standard ports, such as 8080 or 8090. This makes it more difficult for external attackers to guess and access your services and also allows for better control over HTTP traffic.
URL Filtering
- Leverage the URL filtering capabilities of your firewall and back them up with external services like OpenDNS for category-based filtering. While proxies can be useful in certain environments, relying on the firewall's native filtering tools provides a more integrated and seamless solution.
VLAN Design and Optimal Subnetting
- Use VLANs extensively to segment traffic based on function and business unit. The optimal subnet mask for campus VLANs is /23 (255.255.254.0), which provides 512 addresses and gives some breathing room for DHCP lease changes while keeping the network manageable.
Scaling & Metrics
As your network grows, scaling out this design becomes increasingly important. A properly segmented and secure network can become complex, but complexity should not equate to inefficiency. Using network metrics to measure performance, track security events, and monitor traffic is critical for ensuring the network remains efficient as it scales. Metrics provide visibility into network health and allow for proactive adjustments before issues arise.
Wrap
Designing a secure network requires planning, foresight, and vigilance. It's not enough to drop a firewall into place and hope for the best. Proper network design means segmentation, constant monitoring, and the intelligent use of every available security layer, from firewalls to routers to secure DNS services.
In essence, security is a holistic effort. Firewalls are important, but they are only one piece of the puzzle. Routers, VPNs, VLANs, and monitoring systems all play crucial roles. And once you've built a secure network, ongoing oversight is critical to maintaining that security.
A door with seven locks still needs surveillance. Without vigilance and monitoring, even the best-designed network is at risk. Security is not just about setting up barriers; it's about maintaining them, watching for breaches, and constantly evolving to meet new threats. This template provides a strong foundation for that effort.