Chapter 4. Securing the Network

Defense in depth is a foundational concept of information security. Each tier of the enterprise network needs to be secured to mitigate attacks against the assets at that tier. This chapter will introduce multiple technologies that can be implemented in the network to secure enterprise infrastructure, network services (such as e-mail, DNS, and file transfer), and web applications. Advancements in firewall technologies that provide more in-depth inspection and protection capabilities will be covered as a method to consolidate solutions and increase visibility into network traffic.

We will also cover intrusion detection and prevention, and how this technology can protect against both simple and the most advanced attacks across applications, systems, and network services. Finally, this chapter will cover increasing security through network segmentation while reducing the scope for regulatory and compliance initiatives.

We will cover the following topics in this chapter:

  • Introduction to network security solutions
  • Securing network services
  • Securing web applications
  • Network segmentation

Overview

When developing an enterprise security strategy, a layered approach is the best method to ensure detection and mitigation of attacks at each tier of the network infrastructure. Although it is changing, the enterprise network perimeter to the outside world remains the same and the basic network security mechanisms still have their purpose. In general, the same types of security mechanisms need to persist; however, where they are implemented may change slightly depending on the network architecture. Our approach to securing the network will not focus much on where the network perimeter is, but on what needs to be protected.

In Chapter 2, Security Architectures, we discussed how emerging technologies are playing a fundamental role in the paradigm reset of network and security architecture, design, and implementation. Bring your own device (BYOD) initiatives and the increasing need to share business-critical data require network and security architects to be agile and find unique ways to properly secure not only the data, but also the network infrastructure itself.

We have seen a significant increase in attacks targeted at network hardware and the low-level operating systems that make these devices function. In addition, continued vendor source code leaks make proper perimeter security and relentless monitoring of the network infrastructure a necessity.

The next sections will provide a detailed description of the design and implementation considerations, leveraging our trust model paradigm to secure the network, network services, and web applications.
