A.22. Securing the Infrastructure
Defense in depth should always be the guiding principle when designing the security of an entire LAN. Start with the location of your most important, valuable, and essential assets. From that location, design multiple overlapping layers of security. Each layer should provide some aspect of deterrence, denial, detection, and delay as appropriate for the value of the assets being protected.
Here are some good ideas for developing and deploying a solid and secure network infrastructure:
Every inbound or outbound communication stream should be monitored and filtered by a firewall.
Firewalls should be deployed between different departments, security levels, and geographically distant subnets.
Firewalls should be configured with a basic deny by default and allow by explicit necessary exception.
When possible, deploy firewalls with packet filtering, application filtering, session filtering, and stateful inspection filtering capabilities.
Firewalls should be deployed as stand-alone network appliances.
Software firewalls should be deployed on all internal systems, clients, and servers.
All internal user interaction with the Internet should be controlled through a proxy server.
All internal clients should be assigned an RFC 1918 IP address and their access to the Internet supported through a NAT system.
The proxy server should automatically block known malicious sites.
The proxy server should cache often-accessed sites to improve performance.
Routers should be configured to prevent unauthorized modifications to routing tables.
All network devices should be stored/located in locked rooms or cabinets to prevent nonauthorized physical interaction.
Hubs should be replaced with switches.
Switches should be configured to watch for ARP and MAC flooding attacks.
Switches should be used to block sniffing attacks.
Switch configuration should be protected.
Wireless networks should be avoided.
Infrared and Bluetooth should be avoided; wires are always more secure and more reliable, and they have greater throughput.
Modem-based remote access should be avoided.
Remote access should be properly secured (see the discussion in the section "Communications Security" earlier in this chapter).
Standard telephone systems should be replaced with a securable PBX or Voice over IP (VoIP) system.
Audit phone usage.
VPN usage should be limited.
VPNs should always have the strongest authentication and data encryption available.
Network IDSs should be deployed throughout the environment.
Host-based IDSs should be deployed on mission-critical systems or identified common attack targets.
Regularly monitor the health and performance of the network.
Watch for traffic direction, load, and performance trends.
Build in sufficient growth capacity in every important area of IT productivity. Monitor the consumption of this extra capacity.
Realize that the compromise of a workstation can result in the compromise of the entire LAN.
Provide clients with reasonable security that supports the security of servers.
Avoid the use of mobile devices that interact with the LAN.
Restrict the type of data that can be stored on mobile devices.
Treat mobile devices as an attack and malware entry point.
Always run cables in shielding conduits.
If multiple copper cables are run through the same conduit, use cables with significantly different twists per inch and use STP instead of UTP.
Don't run communication cables and power cables in the same conduit.
Avoid running any type of cable near an EMI or RFI source.
Use higher-grade cables than what is currently needed for your networking performance levels.
Use fiber-optic cables if possible.
Regularly inspect every cable run for tampering or damage.
Replace any cable that shows wear or damage.
Use the shortest cable runs possible.
Use power conditioners for every network device.
Proper infrastructure planning is essential to long-term success of company security policy. Security should be designed from the beginning rather than being imposed after the fact. However, most of us don't get to make the choice of when security is considered, so we must do the best we can with what we are given. Even if it's late in the game to impose security, take the time to plan out the security strategy before starting the implementation.