Best Practices for LAN-to-WAN Domain Compliance

The LAN-to-WAN Domain provides the outside world with access to your data. In many ways, the domain filters authorized users from unauthorized ones. Because this domain connects your secure LAN with an untrusted WAN, you must ensure the controls protect your LAN resources. Protecting information in the LAN-to-WAN Domain focuses on maintaining the balance between easy access and solid security. Solid planning, along with aggressive management, can provide both.

The following best practices represent what many organizations have learned. Plan well and you can enjoy a functional LAN-to-WAN Domain that makes LAN information available for use to WAN users. Here are general best practices for securing your LAN-to-WAN Domain:

  • Map your proposed LAN-to-WAN architecture before installing any hardware. Use one of the several available network-mapping software products to make the process easier. Identify all of the components’ data paths through the domain. Use the map to identify any single points of failure. Update the network map any time you make physical changes to your network.

  • Establish a DMZ with at least two firewalls. You should locate one firewall between your WAN connection and the DMZ perimeter and configure it to filter incoming and outgoing traffic between the WAN and the DMZ. Locate the other firewall between your LAN and the DMZ. This internal firewall should filter all incoming and outgoing traffic between the LAN and the DMZ.

  • Implement at least two redundant WAN connections. Use load-balancing techniques to use the bandwidth of both connections.

  • Configure all DMZ servers and devices to resist attacks from WAN users.

  • Develop a backup and recovery plan for each component in the LAN-to-WAN Domain. Include recovery plans for damaged or destroyed connection media. Don’t forget to include configuration settings for network devices in your backup and recovery plans.

  • Implement frequent update procedures for all operating systems, applications, and network device software and firmware.

  • Define routing and filtering rules to restrict traffic passing through the LAN-to-WAN Domain. Most traffic should either terminate or originate in the LAN-to-WAN Domain.

  • Monitor LAN-to-WAN traffic for performance, and inspect packets for suspicious content.

  • Carefully control any configuration setting changes or physical changes to domain nodes. Update your network map after any changes.

  • Use automated tools whenever possible to map, configure, monitor, and manage the LAN-to-WAN Domain.

  • Deploy at least one IPS for each WAN connection to detect and respond to suspected intrusions.

  • Conduct complete penetration tests at least annually to evaluate security control effectiveness.

  • Use two-factor authentication for all remote VPN connections.

  • Use content blocking tools to reduce data loss.

  • Deploy intrusion detection in the DMZ and inside the network.

  • Implement data classification to enhance content filtering capability.

  • Hire specialized vendors to perform penetration testing.

  • Monitor cloud migration strategy and progress toward moving the company’s applications to a cloud service provider.

As with all best practices, these are only a starting point. Implement the points that are appropriate for your environment. Doing so will get you started toward establishing and maintaining a secure LAN-to-WAN Domain.
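The two-firewall DMZ and the rule that traffic should terminate or originate in the LAN-to-WAN Domain can be checked mechanically against a firewall rule export. The following is an added example, not part of the original text; the zone addresses, rule names, and rule tuple format are constructed assumptions, and it reads "terminate or originate in the domain" as "one endpoint is in the DMZ."

```python
import ipaddress

# Assumed zone addressing (constructed for this example).
LAN = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")

def zones(cidr):
    """Return every zone a CIDR can match; anything outside LAN and DMZ is WAN."""
    net = ipaddress.ip_network(cidr)
    touched = set()
    if net.overlaps(LAN):
        touched.add("LAN")
    if net.overlaps(DMZ):
        touched.add("DMZ")
    if not (net.subnet_of(LAN) or net.subnet_of(DMZ)):
        touched.add("WAN")
    return touched

def audit(rules):
    """Return names of permit rules that let traffic cross between WAN and LAN
    without terminating or originating in the DMZ."""
    findings = []
    for name, action, src, dst in rules:
        if action != "permit":
            continue
        s, d = zones(src), zones(dst)
        # A broad CIDR such as 0.0.0.0/0 counts for every zone it covers.
        if ("WAN" in s and "LAN" in d) or ("LAN" in s and "WAN" in d):
            findings.append(name)
    return findings

# Constructed rule set: (name, action, source CIDR, destination CIDR).
RULES = [
    ("wan-to-dmz-web",   "permit", "0.0.0.0/0",      "192.0.2.10/32"),
    ("lan-to-dmz-proxy", "permit", "10.0.0.0/8",     "192.0.2.20/32"),
    ("dmz-to-lan-db",    "permit", "192.0.2.10/32",  "10.0.5.7/32"),
    ("vendor-rdp",       "permit", "203.0.113.0/24", "10.0.9.0/24"),
    ("lan-direct-out",   "permit", "10.0.0.0/8",     "0.0.0.0/0"),
    ("default-deny",     "deny",   "0.0.0.0/0",      "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name in audit(RULES):
        print("transit rule bypasses DMZ:", name)
```

Flagged rules are candidates for review, not automatic violations: the text says most traffic, not all, should stop in the domain, so each exception should be a documented decision.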
