Network design

The design of your network is critical to minimising the attack surface, and to having a clear overview of what is normal within the network.

The goal here is to meet these principles within the available resources.

Limit network exposure

Expose only the services that are necessary.

This means that your public business website should be accessible to the public, but your accounting system is not supposed to be accessible to the world.

This ensures that there are fewer services that can be attacked.

Network segregation

Dividing the network should ensure that if one component is attacked, and possibly compromised, the entire company cannot be attacked through it.

Some components are accessible from the Internet, others are not as well patched, and others are accessible to suppliers ... It is important to realise that not every asset has the highest, or even the necessary basic, cybersecurity hygiene.

Network design

Three levels of network protection

  • Perimeter only: screening the border into and out of your business
  • Low internal segmentation: splitting off some aspects of the business, typically static assets from dynamic assets, e.g. HVAC or cameras versus laptops or desktops
  • High internal segmentation: segmenting the aspects that have no functional or technical need to talk to each other, and where they do, permitting only the connections that are necessary

This type of classification improves:

  • Identification: the smaller the segments, the easier it is to identify which segment an asset belongs to
  • Protection: by isolating segments you at least reduce your attack vectors
  • Detection: abnormal attempts or communications are easier to detect, because the difference between normal and abnormal is easier to distinguish
  • Response: thanks to the split into segments, the impact of compromised systems is limited
  • Recovery: it is easier to recover smaller segments, since the blast radius is smaller

Possible measures

Virtual Private Network

Usage Scope: network perimeter

A VPN aims to create a secure tunnel over an unsecured network.

Examples of this are:

  • Remote support for computing devices or machines;
  • Remote access for sales staff who are often on the road;
  • Working from home with connections to the company ...

Golden rules:

  • Services that must be remotely accessible for employees are only accessible over a VPN
  • If it involves high-risk connections, such as management of the ICT estate, route all traffic over the VPN and do not allow connections to go directly to the Internet
  • Interactive connections terminate after a certain time, e.g. at most one business day

Proxy

Usage Scope: network perimeter

A proxy aims to classify outbound traffic to the Internet, based on black- and whitelisting, so as to have some control over the legitimacy of connections.

Examples of this are:

  • Blocking websites that are not allowed in the policy;
  • Detecting connections to known bad websites used by attackers, the so-called Command & Control or C2 channels, which attackers use to communicate with compromised systems in your network or to exfiltrate information ...

Firewall

Usage Scope: network perimeter and internal network

A (next-gen) firewall serves to decide whether or not to admit traffic between hosts.

The principle here should be that by default no connection is possible, except when an explicit rule allows the connection.

This is a very effective measure in terms of enforcing segregation of duties: if a connection is not allowed, it is simply not possible.

Management or governance of these rules is essential. It is therefore important that, when a connection to a particular network segment or service is opened, the person responsible for the asset being accessed gives permission for it.

Golden rules:

  • Every rule has an owner
  • The last rule blocks or drops all connections
  • Need-to-know principle: open up only what is strictly necessary
  • Basic hygiene: if unencrypted protocols are requested, check whether there is no secure variant
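As an added illustration (not code from the course), the following Python models a default-deny, first-match firewall policy and lints it against the golden rules above: every rule needs an owner, the last rule must drop everything, and allowed cleartext ports are flagged when a secure variant exists. All rule names, owners and addresses are constructed.

```python
# Added example: default-deny policy evaluation plus a golden-rules linter.
# Rules are evaluated first-match; no match means drop. Addresses are made up.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Cleartext services for which a secure variant exists (basic-hygiene rule).
INSECURE = {23: "ssh (22)", 21: "sftp (22)", 80: "https (443)"}

@dataclass
class Rule:
    name: str
    owner: Optional[str]   # golden rule: every rule has an owner
    src: str               # CIDR of the source segment
    dst: str               # CIDR of the destination segment or host
    port: Optional[int]    # None means any port
    action: str            # "allow" or "drop"

def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.port in (None, port))

def decide(policy: List[Rule], src: str, dst: str, port: int) -> str:
    """First-match evaluation; nothing matched means drop (default deny)."""
    for rule in policy:
        if matches(rule, src, dst, port):
            return rule.action
    return "drop"

def lint(policy: List[Rule]) -> List[str]:
    """Report violations of the golden rules as human-readable findings."""
    problems = []
    for r in policy:
        if not r.owner:
            problems.append(f"{r.name}: no owner")
        if r.action == "allow" and r.port in INSECURE:
            problems.append(f"{r.name}: cleartext port {r.port}, consider {INSECURE[r.port]}")
    last = policy[-1] if policy else None
    if not (last and last.action == "drop" and last.port is None
            and last.src == "0.0.0.0/0" and last.dst == "0.0.0.0/0"):
        problems.append("last rule is not drop-all")
    return problems

# Constructed sample policy: workstations may reach the file server over SMB;
# a second rule (deliberately flawed) opens telnet to a legacy host without an owner.
POLICY = [
    Rule("ws-to-files", "it-ops", "10.10.0.0/24", "10.20.0.5/32", 445, "allow"),
    Rule("ws-to-legacy", None, "10.10.0.0/24", "10.30.0.9/32", 23, "allow"),
    Rule("default-deny", "it-ops", "0.0.0.0/0", "0.0.0.0/0", None, "drop"),
]
```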

Virtual LAN

Usage Scope: internal segregation

VLAN is an industry standard measure that is supported by most switches.

They are fairly static divisions of the network that form, as it were, functional parts. The breakdown should be seen within the context of the organisation.

Golden rules:

  • Give the camera system its own VLAN, preferably with access for monitoring the NVR on a separate VLAN
  • Put machines in a different VLAN than the office
  • Give workstations their own VLAN
  • Give printers and scanners their own VLAN
  • Segment the components that receive remote support from vendors per supplier

Network Access Control

Usage Scope: internal network

NAC or 802.1X is a way for devices to authenticate themselves to a switch before they can communicate over the network.

This prevents unauthenticated devices from joining the network.

NAC can also be coupled with placing a device in a specific VLAN after authentication and identification.

If an appliance does not support NAC:

  1. enable MAC filtering
  2. create a separate segment for the appliances with strict firewall rules

Honeypot

Usage Scope: network perimeter and internal network

A honeypot is a kind of booby trap or tripwire. It is an asset that is deliberately accessible, but is not part of the normal operational assets.

It is an asset that should never be used, and certainly never touched (connected to in one way or another).

Typical honeypots, for example, respond to:

  • HTTP or HTTPS web connections
  • network scans
  • pings

Any form of communication with these honeypots is considered a security breach and must therefore be followed up.

It is one of the most cost-effective ways to detect network pivoting or lateral movement. When a host or computer has been compromised and the attacker wants to penetrate further into the network, looking around on the network is a much-used technique. This can be a quiet method, but if a connection is made with the honeypot, however quietly, it should trigger an alarm.

Golden rules:

  • The smallest connection should trigger an alarm;
  • In each network segment, place a honeypot that is accessible from the entire segment;
  • Work from the outside in: it is more likely that the Internet-accessible devices are hacked;
  • If you have crown jewels or services of great value to your business, preferably set up a honeypot that looks like them.
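As an added example (not from the course), the Python below implements the two checks these rules ask for: a coverage check that every segment contains a honeypot, and a tripwire detector that raises an alert for any flow to a honeypot address, regardless of port or protocol. The segments, honeypot addresses and flow log lines are constructed for the example.

```python
# Added example: honeypot coverage per segment and "any touch is an alert" detection.
# Inventory and flow records are constructed; the log format is made up for this demo.
import ipaddress
from typing import Dict, List

# Constructed inventory: address range per segment and the honeypot placed in it.
SEGMENTS = {
    "dmz":          "192.0.2.0/24",
    "workstations": "10.10.0.0/24",
    "servers":      "10.20.0.0/24",
}
HONEYPOTS = {"192.0.2.50": "dmz", "10.10.0.250": "workstations"}  # servers has none

# Constructed flow records: "<time> <src_ip> <dst_ip> <dst_port> <proto>"
FLOW_LOG = """\
2020-12-31T15:01:02 10.10.0.7 10.20.0.5 445 tcp
2020-12-31T15:01:09 10.10.0.7 10.10.0.250 80 tcp
2020-12-31T15:01:10 10.10.0.7 10.10.0.250 22 tcp
2020-12-31T15:02:15 198.51.100.23 192.0.2.50 0 icmp
2020-12-31T15:03:00 10.20.0.5 10.20.0.6 3389 tcp
"""

def missing_honeypots(segments: Dict[str, str], honeypots: Dict[str, str]) -> List[str]:
    """Segments whose address range contains no honeypot (golden rule 2)."""
    covered = set()
    for ip in honeypots:
        for name, cidr in segments.items():
            if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
                covered.add(name)
    return sorted(set(segments) - covered)

def honeypot_alerts(log: str, honeypots: Dict[str, str]) -> List[dict]:
    """Every flow whose destination is a honeypot is an alert, whatever the service."""
    alerts = []
    for line in log.splitlines():
        ts, src, dst, port, proto = line.split()
        if dst in honeypots:
            alerts.append({"time": ts, "source": src, "honeypot": dst,
                           "segment": honeypots[dst], "service": f"{proto}/{port}"})
    return alerts
```

Normal traffic such as the workstation-to-file-server flow produces nothing; the single ping from outside to the DMZ honeypot is enough to alert, which is the "smallest connection" rule in practice.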

Cloud protection

Cloud Access Security Broker

CASB is usually a cloud service that ensures that:

  • You have control over who can connect to what
  • Shadow IT can be monitored better
  • You gain insight into who is connecting to what

Content Delivery Network

A CDN is a cloud service that:

  • Deals with heavy workloads
  • Makes services offered locally available worldwide
  • Takes care of security aspects, mainly for the web services offered

Last modified: Thursday, 31 December 2020, 4:47 PM