The threat landscape is evolving fast. Retooling existing network infrastructure for next-generation security requires less effort than we might think. Minimizing complexity, for example, and focusing on a deeper understanding of the basics, such as Layer 2 and 3 switching, centralized identity and access management, Unified Threat Management devices and network segmentation, lead to far more secure environments that we understand better and can both monitor and continue to evolve with greater competency.
Security compliance needs pose the same challenge for secure network infrastructures. Adding hardware and software targeted at security isn't nearly as effective as it once may have been. It still offers the same false sense of security, but it also adds a steeper learning curve, more features that may or may not offer any deeper insight, and more points of entry (attack vectors) for attackers to exploit in order to gain access to an organization's already vulnerable architecture (attack surface).
In this post, I'll illustrate some highly effective approaches to designing secure network infrastructure that require little or no capital investment: augmenting and reconfiguring what likely already exists on your network. Better leveraging what's already there, rather than adding more hardware or software, gives organizations a greater understanding of what we call "current state". Even if we were planning to upgrade or replace any piece of it, we'd need to know at least that much about what "current state" looks like, so it's a valuable exercise for almost any organization from multiple perspectives.
Avoid adding complexity
I say this more than anything. In today's world, where few understand all the jargon and complexities of technology, it's easy to want to spend money on this or that solution that talks to the firewall or the server or the endpoints and switches in order to accomplish this or that goal. The truth is, doing security well is about reducing complexity. Focusing on the foundations, including switches, centralized authentication, firewalls and UTM devices, patching, reporting and policy management, offers a far better reduction in the overall vulnerability of a network infrastructure.
Infrastructure that supports security
Spending time and resources to layer network security services and tools on top of a dated or aging infrastructure not designed to support them is akin to building a house on sand. We don't always get the luxury of redesigning the network from the ground up: we can replace or upgrade hardware, for example, while the underlying infrastructure design stays the same. Most networks were provisioned 10 years or more ago, and there is no way anyone could have known then how things were going to evolve.
VLANs and network segmentation
VLANs and network segmentation are among the most widely understood but most commonly misused tools in a network infrastructure. Vendors, in trying to develop and deliver tools that are more user-friendly, make plug-and-play solutions to the detriment of the overall goal, as users are not empowered to understand the principles behind these solutions. Misconfiguration of these otherwise useful tools can leave an organization more vulnerable than it was before they were introduced.
Documentation, documentation, documentation
Don't lock the windows and leave the doors wide open. Big and small, there are a variety of mischievous holes often overlooked in network designs. Searching for holes raises questions. We enabled SSH; did we change the default port it listens on? Did we lock down web access? We recently provisioned secure wireless, but do we still have older devices using legacy keys? Do we understand those two copper lines coming into the server room? Is our firewall enforcing policy across every possible path out of the network? Can we really identify the weakest link in our network? How well do we understand our own environment? In the event of a breach, what do we do, besides shutting everything down?
We worry about data leaks as well as management leaks. We don't want critical data, personally identifiable information (PII) or valuable intellectual property exfiltrated from the network, or malicious users gaining unauthorized access to our devices, networks and their management. Understanding each and every nook and cranny is real work. Finding vulnerabilities is a tedious undertaking that requires taking a close look at the network and building extremely granular documentation of its characteristics.
There is no silver bullet or single tool that can replace a discriminating human review of a network infrastructure. Fortunately, there are some great tools for documenting, reviewing and sleuthing out a better understanding of what is there, how it works and how to build it better.
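One way to make the questions above part of the "current state" documentation is to record the answers in an inventory and check them automatically on every review. The script below is an added example written for this post, not the author's tooling; the inventory layout, field names and sample devices are all constructed assumptions.

```python
"""Audit a constructed network inventory against the review questions in the post:
SSH on its default port, web management left on, management on the default VLAN,
legacy wireless keys, and egress paths the firewall does not cover."""

# Constructed sample inventory: what a "current state" survey might record.
INVENTORY = {
    "devices": [
        {"name": "core-sw1", "ssh_port": 22, "http_mgmt": True, "mgmt_vlan": 1},
        {"name": "edge-fw1", "ssh_port": 2222, "http_mgmt": False, "mgmt_vlan": 99},
    ],
    "wireless": [
        {"ssid": "corp", "security": "WPA2-Enterprise"},
        {"ssid": "legacy-scanners", "security": "WEP"},
    ],
    # Every path out of the network (including those "two copper lines") and
    # whether firewall policy is actually enforced on it.
    "egress_paths": [
        {"name": "primary-isp", "firewalled": True},
        {"name": "server-room-copper-2", "firewalled": False},
    ],
}

# Key types the post calls "legacy keys" (assumed set; extend to match your estate).
LEGACY_WIFI = {"WEP", "WPA", "WPA-TKIP"}


def audit(inventory):
    """Return a list of (subject, finding) tuples; an empty list means no holes found."""
    findings = []
    for dev in inventory.get("devices", []):
        if dev.get("ssh_port") == 22:
            findings.append((dev["name"], "SSH listening on default port 22"))
        if dev.get("http_mgmt"):
            findings.append((dev["name"], "web management interface enabled"))
        if dev.get("mgmt_vlan") == 1:
            findings.append((dev["name"], "management on default VLAN 1 (not segmented)"))
    for wlan in inventory.get("wireless", []):
        if wlan.get("security") in LEGACY_WIFI:
            findings.append((wlan["ssid"], f"legacy wireless key type {wlan['security']}"))
    for path in inventory.get("egress_paths", []):
        if not path.get("firewalled"):
            findings.append((path["name"], "egress path not covered by firewall policy"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(INVENTORY):
        print(f"{subject}: {finding}")
```

Re-running the audit after each change to the network keeps the documentation and the real configuration from drifting apart.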