
Best Practice Network Design



This is a template for a best practice network design. It is a deviation from the traditional dual skin firewall plus DMZ design. My opinion is that this one is more practical and secure (I never understood or saw the benefit of dual skin). This is my first doodle of it in PowerPoint; the initial one was a drawing on a napkin.
  • All unused ports must be disabled!!!
  • Routers should be used to bin generic classes of undesired traffic before it hits any firewall. Routers should be intelligently and securely configured. They are another security skin and should be leveraged!
  • The company uses Private IPs on the internal and DMZ networks. The external router bins Private IP addresses while the internal core bins any connections that have an Internet IP as the originating address. The external router also bins any unknown protocols not provisioned in the DMZs.
  • All third parties are handled with IPSEC to the remote location and terminated in a DMZ.
  • A choke VLAN exists which enforces an inspection point for IDS and IPS systems.
  • The servers in the data center are protected by a separate firewall. All business unit servers are in separate VLANs, i.e. HR servers cannot connect to Finance servers without an explicit rule in the data center firewall. This firewall has no NAT, only a rule base.
  • External connections are facilitated via reverse proxies hosted in a DMZ.
  • Email is relayed via a bridge head in a DMZ. Use is made of mail scrubbing services like Mimecast or Messagelabs.
  • DNS is forwarded to OpenDNS.
  • Workstations are separated into functional business unit based VLANs. The core bins any incoming SMB/CIFS shares to the workstation VLANs. This stops worms and Trojans in their tracks and prevents information leakage.
  • On the inside networks all route distribution is authenticated, especially routes between the firewalls and the core.
  • A separate network management VLAN should exist, accessed off the core and protected by ACLs. This VLAN should not be accessed via a firewall, so that a firewall fault cannot lock you out of device management.
  • The management VLAN should contain jump servers which are the designated point to access all network device and firewall consoles.
  • Don't publish the intranet on port 80 but rather use ports 8080 to 8090. This will assist with controlling web traffic.
  • Use the url filtering abilities of the firewall backed up by OpenDNS categories. Don't use proxies.
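The "bin" rules above can be sanity-checked against sample flows before they are turned into real ACLs. The following is an added example, not part of the original post; the zone names, the workstation VLAN prefix and the sample addresses are assumptions.

```python
# Added example (not from the original post): a small model of the
# edge-router and core "bin" rules described in the design, checked
# against constructed sample flows. VLAN prefixes and zone names are
# assumptions, not values from the post.
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORKSTATION_VLANS = [ip_network("10.20.0.0/16")]   # assumed business-unit VLANs
INTRANET_PORTS = range(8080, 8091)                  # post: publish on 8080-8090

def is_private(ip):
    return any(ip in n for n in RFC1918)

def edge_router_bins(src, dst, proto, dport):
    """External router: bin packets from the Internet carrying private addresses."""
    return is_private(ip_address(src)) or is_private(ip_address(dst))

def core_bins(src, dst, proto, dport):
    """Internal core: bin flows with an Internet source address, and any
    SMB/CIFS (TCP 139/445) aimed at a workstation VLAN."""
    s, d = ip_address(src), ip_address(dst)
    if not is_private(s):
        return True
    if proto == "tcp" and dport in (139, 445) and any(d in v for v in WORKSTATION_VLANS):
        return True
    return False

def intranet_port_ok(dport):
    """Intranet must be published on 8080-8090, not on 80."""
    return dport in INTRANET_PORTS

def check_flow(zone, src, dst, proto, dport):
    """Return 'bin' or 'pass' for a flow seen at the named inspection point."""
    if zone == "edge":
        return "bin" if edge_router_bins(src, dst, proto, dport) else "pass"
    if zone == "core":
        return "bin" if core_bins(src, dst, proto, dport) else "pass"
    raise ValueError(f"unknown zone {zone}")

# Constructed sample flows (documentation and RFC1918 addresses only).
SAMPLES = [
    ("edge", "10.1.2.3", "203.0.113.10", "tcp", 443),      # spoofed private source -> bin
    ("edge", "198.51.100.7", "203.0.113.10", "tcp", 443),  # genuine Internet client -> pass
    ("core", "198.51.100.7", "10.20.5.9", "tcp", 80),      # Internet source inside -> bin
    ("core", "10.20.5.9", "10.20.7.1", "tcp", 445),        # SMB between workstations -> bin
    ("core", "10.20.5.9", "10.30.1.5", "tcp", 8080),       # workstation -> intranet -> pass
]

if __name__ == "__main__":
    for flow in SAMPLES:
        print(flow, check_flow(*flow))
```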

Here is a more complex system design with multiple firewalls:

