Skip to main content

Best Practice Network Design



This is a template for a best practice network design. This is a deviation from the traditional dual skin firewall plus DMZ design. My opinion is that this one is more practical and secure (never understood or saw the benefit of dual skin?) This is my first doodle of it on Powerpoint, the initial one was a drawing on a napkin.
  • All unused ports must be disabled!!!
  • Routers should be used to bin generic classes of undesired traffic before it hits any firewall. Routers should be intelligently and securely configured. They are another security skin and should be leveraged!
  • The company uses Private IPs on the internal and DMZ networks. The external router bins Private IP addresses while the internal core bins any connections that have an Internet IP as the originating address. The external router also bins any unknown protocols not provisioned in the DMZs.
  • All three parties are handled with IPSEC to the remote location and terminated in a DMZ.
  • A choke VLAN exist which enforces an inspection point for IDS and IPS systems.
  • The servers in the data center are protected by a separate firewall. All business unit servers are in separate VLANs, i.e. HR servers cannot connect to Finance servers without an explicit rule in the data center firewall. This firewall has no NAT, only a rule base.
  • External connections are facilitated via reverse proxies hosted in a DMZ.
  • Email is relayed via a bridge head in a DMZ. Use is made of mail scrubbing services like Mimecast or Messagelabs.
  • DNS is forwarded to OpenDNS.
  • Workstations are separated into functional business unit based VLANs. The core bins any incoming SMB/CIFS shares to the workstation VLANs. This stops any worms and Trojans in its tracks and prevents information leakage.
  • On the inside networks all route distribution is authenticated, especially routes between the firewalls and the core.
  • A separate network management VLAN should exist, accessed off the core and protected by ACLs. This VLAN should not be accessed via a firewall to prevent non-access situation.
  • The management VLAN should contain jump servers which are the designated point to access all network device and firewall consoles.
  • Don't publish intranet on port 80 but rather use port 8080 to 8090. This will assist with controlling web traffic.
  • Use the url filtering abilities of the firewall backed up by OpenDNS categories. Don't use proxies.

    Here is a more complex systems design with multiple firewalls:

https://www.linkedin.com/pulse/my-top-10-posts-pulse-ronald-bartels/
Labels:

Comments

Post a Comment

Popular posts from this blog

easywall - Web interface for easy use of the IPTables firewall on Linux systems written in Python3.

Firewalls are becoming increasingly important in today’s world. Hackers and automated scripts are constantly trying to invade your system and use it for Bitcoin mining, botnets or other things. To prevent these attacks, you can use a firewall on your system. IPTables is the strongest firewall in Linux because it can filter packets in the kernel before they reach the application. Using IPTables is not very easy for Linux beginners. We have created easywall - the simple IPTables web interface . The focus of the software is on easy installation and use. Access this neat software over on github: easywall
Post a Comment
Read more

No Scrubs: The Architecture That Made Unmetered Mitigation Possible

When building a DDoS mitigation service it’s incredibly tempting to think that the solution is scrubbing centers or scrubbing servers. I, too, thought that was a good idea in the beginning, but experience has shown that there are serious pitfalls to this approach. Read the post of at Cloudflare's blog: N o Scrubs: The Architecture That Made Unmetered Mitigation Possible
Post a Comment
Read more

Should You Buy A UniFi Dream Machine, USG, USG Pro, or Dream Machine Pro?

 
Post a Comment
Read more