Skip to content

What should you consider as part of a network design?

Blog
  • At the heart of today’s communications is a network. Ranging from simplistic to complex, each of these frameworks plays a pivotal role in joining disparate nodes together. But what happens when a design or security flaw impacts the speed, functionality, and overall security of your network ?

    What factors create a network ?

    A network is a collection of components that, when joined together, provide the necessary transit to carry information from one system to another. The fundamental purpose of a network is to establish inter-connectivity between disparate locations, leverage a mutually understood communication language, and allow traffic to pass over a physical or logical link. The endless possibilities provided by a modern network allows businesses and individuals to communicate seamlessly, allowing for collaboration, communication, and integration whilst providing a centralized model for overall management.

    The network has its origins set back as far as the 1960’s, and over the years, various implementations of connectivity standards and the associated fabric dawned and waned. The consolidation of these proposals (known as RFC) created three new standards – Ethernet, UDP, and TCP/IP. These accepted standards now form the underlying foundations of the network we utilize today – both from the enterprise perspective in the workplace and the individual using the internet. Ethernet is the physical medium (a network card, for example), whilst TCP and UDP are the transport protocols, or the common language mutually understood by thousands of vendors.

    Adopted standards

    These early standards became the groundwork that the internet we know today was built on. Formerly known as ARPANET, and originally developed as a university network, it’s popularity and usage grew exponentially to form the world’s largest collection of interconnected devices, and led to it being nicknamed The Information Superhighway. The birth of the internet became the seed that established the genesis of communication we all now take for granted on a daily basis.

    Today’s industry standards dictate how network equipment should be connected together, and with even the most basic knowledge, anyone can connect themselves to the internet in a matter of minutes. This ease of configuration and deployment means businesses and individuals can be online within a short time frame – albeit using an “out of the box” design, and with little (if any) consideration for security or risk.

    Security implication

    The security implications of any network are a constantly moving target. New vulnerabilities are discovered in vendor equipment on a daily basis, and with some of these vulnerabilities being resident since day one (but either undiscovered or undisclosed) , planning for every possible scenario isn’t feasible – particularly if you have limited resources. When designing a network, it’s important to implement a means of limiting the attack vector. Whilst this sounds very complex, to a seasoned network architect, it isn’t. Essentially, what you should be doing is creating a jail based environment for each network segment.

    Think outside of the box at this point – the general application of inside, outside, DMZ etc no longer provide sufficient scope if an attacker has made it onto your internal network. For example, take two departments, such as accounting and operations. How likely is it that these two entities need to share information or communicate directly at a PC level ? With this in mind, an accepted standard is for each department to reside in it’s own VLAN. Using industry defined ACLS, each department cannot communicate directly with another. They do, however, have access to the server VLAN - although this should also follow a similar security regime of only permitting access to essential services - in other words, adopt the least privilege model.

    Whilst this sounds obvious, most network designs do not factor in this basic requirement. By “segmenting” each department, you establish a boundary between each of them. This means that if malware were to be installed on a PC in accounting, it would not be able to infect a machine in operations, or HR. Containerized network designs are secure, but not perfect. In the event of a PC being infected with malware, the VLAN it resides in still has access to the servers and other associated infrastructure that the client needs in order to perform it’s desired function. In this case, you would also need to only permit access to critical or essential services. The upside of such an approach is that the implemented network security means that a malware or ransomware attack is limited to infecting a small number of machines rather than the whole network. The downside is that there is an initial overhead in terms of discovery, implementation, and testing. In my view, however, the dividends outweigh the effort.

    Balancing security against functionality

    Securing the server VLAN can be problematic. Establishing a balance between over gratuitous and insufficient connectivity is the ultimate headache. At this point, you need to consider what resides in this network segment. In essence, it’s the business equivalent of the crown jewels - the critical components of your entire estate. This “no fly zone” contains a wealth of information that is of interest and value to a cyber criminal. Assets such as intellectual property, financial data, and personally identifiable information are all a potential target in the event of a data breach.

    If you consider the role that servers have, you’ll probably find that most of them really should not have (or even need) raw access to the internet. There are always some exceptions to this rule, but one of the first target areas to consider is the level of access to the outside world granted to a server. Even a server using NAT to communicate with an external host is at risk of compromise. From the network perspective, establishing a remote connection is just the start of a series of conversations and negotiations between the two endpoints. The main differences between TCP and UDP is that one waits for a response to a connection, whereas the other does not. UDP is a fire and forget protocol, making it ideal for DNS, SNMP, SYSLOG, and a wealth of other applications. TCP on the other hand will wait for a response from the remote host before continuing with the session. A lack of access in or out of a VLAN is not an attractive prospect for even a determined hacker.

    Using various techniques, a cyber criminal can intercept the TCP headers to inject malicious content or payload, or masquerade as the remote host by means of a TCP redirect. This means that the network you are connected to may not be what you expected or desired. Packet sniffing is very easy once you have an understanding of how products such as WireShark function (an exploit known as eavesdropping). In order to significantly reduce the possibility of attack, only servers that have an essential requirement for an Internet connection in order to fulfill their designated function should be permitted access – even then, it should be only to the ports and IP addresses required, and nothing else. It goes without saying that industry standards should be adopted and adhered to – requests should be via a firewall with IDS and IPS capabilities. These devices have the ability to look at a network steam and determine if it has been tampered with. If the hashes do not match, or there are signs of modification not requested by either party, the session is destroyed (if using IPS) and an alert raised. This functionality can be dramatically altered by misconfiguration, so check thoroughly.

    Vulnerabilities generated by older firmware

    Devices running inferior versions of firmware are subject to compromise and potential exploit – particularly if they are edge based routers that are accessible from the outside world. Older versions of firmware on exposed routers can pose a significant risk to your perimeter and internal networks if vulnerabilities are not located and resolved quickly. A vulnerable router on a network can easily become an infiltration and extraction point, and you could find yourself the unwilling target of a data breach.

    On the whole, adequate network design not only takes redundancy, scalability, and availability into account, but also security and stability. A classic example of failure to address the latter is the difference between your network standing up to a DDoS attack, or still being functional with only one VLAN or segment impacted. The days where we only made provisions for disaster recovery and business continuity are over. Security needs sound investment and knowledge in order to understand principles and apply standards correctly.

    Takeaway

    I’m not into preaching to others about how they should be doing things from the networking perspective, but my basic advice would be

    • Carefully plan any new network implementation in advance. Visio and whiteboard sessions are important when thrashing out ideas, as an overall picture of the landscape is generally easier to digest than just text.
    • Involve peer groups and key individuals from the outset. Everyone has their own unique insight as to how things should be structured, and just because it works for security, or the model you are developing, it may not necessarily work for the business as a whole
    • Be prepared to make changes to the design, and by definition, listen to business advice. Nobody creates the holy grail of network concepts and implementation on their first attempt
    • Unless you are blessed with a green field site, make a point of understanding the existing infrastructure and architecture, and design a mechanism for coexistence between the two environments.
    • Be mindful of the potential for conflicting standards when dealing with different vendor equipment, and also consider that security could be negated in the existing environment whilst the integration process is underway.

    These are just a few of the points – there are many others. Want to know more, or have questions ? Just ask 🙂


Related Topics
  • Why Forums Are Still Relevant in 2024

    Blog
    3
    2 Votes
    3 Posts
    113 Views

    @JAC wow. Thanks for the great comments. They are truly appreciated.

    I tend to agree with the social media comments you’ve made. This is made all the more prominent in relation to recent events in Southport for example, and toxicity is a huge issue. Just look at some of the comments from trolls - they are truly disgusting, and the perpetrators seem to take great delight in the anonymity the Internet affords them.

    forums in general are much more subject focused, easier to moderate and users are less likely to be banned because they are there for a specific interest or reason, not to cause trouble.

    Agreed, although discussions can still get out of hand and quite often, these are left to run riot and quickly spiral out of control. A great example of that is here

    https://sudonix.org/topic/141/how-to-destroy-a-community-before-it-s-even-built

    there’s something much more calming about coming to a specific page at your fancy, posting and taking part in healthy debates over the real mishmash of social media.

    Yes, I personally prefer the atmosphere of a forum against the backdrop of unwanted noise via social media.

  • 3 Votes
    4 Posts
    230 Views

    @phenomlab yeah you have a good point there. Information over lives just doesn’t seem to be worth it. And being the one to release that info and be the one who first put it out there, you may be on the right track about the notoriety.

  • Recall to take screenshots every 2 seconds

    Blog
    13
    9 Votes
    13 Posts
    438 Views

    @phenomlab said in Recall to take screenshots every 2 seconds:

    Not that it matters to me - my laptop runs KDE Neon

    That is a really nice distro.

  • Apple, what were you thinking?

    Blog
    15
    14 Votes
    15 Posts
    719 Views

    My daughter needed a new tablet, which was an older Samsung. My wife wanted to get her an Ipad. Fortunately, I was able to talk her out of that and show her how much better an android tablet would be. Preferably the Samsung S9 Ultra tablet. By the way, that thing is outstanding! Great purchase!

  • Goodbye OnePlus, hello Samsung

    Blog
    44
    29 Votes
    44 Posts
    1k Views

    @Madchatthew definitely. Also good for the environment as it reduces landfill.

  • Linux vs Windows - who wins ?

    Blog
    8
    4 Votes
    8 Posts
    362 Views

    @phenomlab LOL ah yes, I remember all of that. The good ole days!

  • Discourse Design Change

    Customisation
    25
    7 Votes
    25 Posts
    2k Views

    @phenomlab okay

  • NodeBB Design help

    Solved Customisation
    8
    2 Votes
    8 Posts
    963 Views

    @riekmedia I’ve applied some new CSS to your site. Can you reload the page and try again ?

    For the record, this is what I added

    #footer { background: #2d343e; border-top: 4px solid #2d343e; font-size: 0.9em; margin-top: 70px; padding: 80px 0 0; position: relative; clear: both; bottom: 0; left: 0; right: 0; z-index: 1000; margin-left: -15px; margin-right: -338px; }

    The /categories page seems a bit messed up, so looking at that currently

    EDIT - issued some override CSS in the CATEGORIES widget

    <!--- CSS fix for overspill on /categories page - DO NOT DELETE --> <style> #footer { margin-right: -45px; } </style>

    That should resolve the /categories issue.