Hello and welcome to this week's security management course. I'm Professor Wool. Today we're going to be talking about best practices in designing network security zones.

So let's review a very simple example. Suppose you have a network connection where you have your Internet, you have an internal network, and you have a web application that has a web front end zone, an application zone and a data zone, and you put in a firewall. The simplest way to design such a network is to have a single firewall that's connected the way I show here. Well, this very basic design has two serious problems. The first is that these three zones, the web zone, the application zone and the data zone, are not segregated from each other: traffic between them is completely unfiltered, it doesn't go through the firewall, so that's not good. And also, this firewall is, from a security point of view, a single point of failure, so if you misconfigure that firewall in any way your network potentially becomes wide open, and research does show that 95 percent of firewall breaches are really caused by misconfiguration of a firewall, so getting that right is crucial.

So what can you do to improve? The next step up is to eliminate this simple network structure and connect each one of these zones directly to the firewall, to a separate interface on the firewall. Once you do that, traffic traveling between these separate zones has to go through the firewall, and now you can write policy on the firewall that controls and filters the traffic between these three zones, and also between these zones and other parts of your network, from the outside to the inside, etc. So this is more secure. The challenge here now becomes a physical challenge: each one of these connections takes up a physical port on the firewall, and there is a limited number of physical ports that you can have on the firewall, depending on the model, so this is a limiting factor.

The next step up is that technology lets us avoid these physical connections using virtualization of the network, using VLANs. Instead of having a physical connection and using a physical interface for each of these connections from the zone to the firewall, you can virtualize all of them and have three separate VLANs, and the VLANs are all connected to virtual interfaces on the firewall running over a single high-speed physical port. You can have a very large number of VLANs, you have much more flexibility, and you still maintain the same filtering capability and the same granularity of access control policies that you can instrument on the firewall, because crossing between VLANs does require a firewall policy rule to allow the traffic through. Okay, so that's good.

The challenge now becomes that it's become quite easy to define VLANs, and sometimes people over-virtualize their network and you end up with thousands of VLANs. If you do that, potentially you end up with a firewall that schematically would look like this: it would look like a spider, it might have hundreds or even thousands of VLANs hanging off of that one firewall. And if you do that, managing that firewall becomes quite difficult, because remember, if you have N different interfaces, virtual interfaces, on the firewall, then you have N squared paths going through the firewall, going from one interface to another. So you have N squared of these paths and you have to manage the policies of all those N squared paths, and then the policy on this firewall becomes really complex and difficult to understand and to manage.

So what could you do to improve even further? Well, now you can introduce individual per-zone firewalls, like so. By doing this, now you have dedicated firewalls in front of each of your security zones, and that makes management a lot simpler because each of these firewalls is very focused. This firewall in the middle is just protecting an application zone, so the rules on it only have to deal with that application zone on the one side, and the policy on that firewall becomes much more compact, much more focused and easy to understand. Except that now you look at this picture and you realize that I've introduced a lot more devices, and now I have to worry about physical boxes, and I have to worry about power supply and cooling and rack space, etc., and this is also something that we wish to avoid.

So the final piece of the puzzle is that we can use another type of virtualization, which is firewall virtualization. Most or all major firewall vendors let you purchase one large box and have multiple separate instances of virtual firewalls running inside that box. Each of those individual firewalls has its own policy, it's connected to its own VLANs, and it does exactly what I described before: it's protecting just the zone behind it. Nevertheless, they all reside inside the single physical box, so you get the best of all worlds: you have all the granularity in filtering capabilities, and you minimize the number of hardware boxes that you need to worry about.

Thank you for your attention.
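The following is an added example, not part of the lecture and not code from the lecturer. It models the designs discussed above: a firewall whose interfaces (physical ports or VLAN sub-interfaces) each carry one or more zones, so that two zones on the same interface never have their traffic inspected, while zones on separate interfaces fall under an explicit allow list with deny as the default. It also computes the n*(n-1) directed interface-to-interface paths a single firewall must cover, and how few rules each per-zone (virtual) firewall needs. The zone names, ports and allow list are constructed assumptions for the three-tier application in the lecture.

```python
"""Zone placement vs. firewall filtering: a small model (added example)."""
from itertools import permutations

# Constructed allow list (assumption): Internet reaches the web front end,
# web tier reaches the app tier, app tier reaches the database. Any flow
# that crosses the firewall and is not listed here is denied.
ALLOW_RULES = {
    ("internet", "web"): {443},
    ("web", "app"): {8443},
    ("app", "data"): {5432},
}


class Firewall:
    """A firewall whose interfaces each carry a set of security zones."""

    def __init__(self, interfaces, rules=ALLOW_RULES):
        # interfaces: {interface_name: set of zone names attached to it}
        self.interfaces = interfaces
        self.rules = rules
        self.zone_to_if = {z: name for name, zones in interfaces.items() for z in zones}

    def decision(self, src_zone, dst_zone, port):
        """ALLOW / DENY for traffic that crosses the firewall, or UNFILTERED
        when both zones sit on the same interface and the packets are simply
        switched between them without ever reaching the firewall."""
        if self.zone_to_if[src_zone] == self.zone_to_if[dst_zone]:
            return "UNFILTERED"
        if port in self.rules.get((src_zone, dst_zone), set()):
            return "ALLOW"
        return "DENY"

    def path_count(self):
        """Directed interface pairs the policy has to cover: n*(n-1) for
        n interfaces, which is the N-squared growth from the lecture."""
        n = len(self.interfaces)
        return n * (n - 1)

    def unfiltered_pairs(self):
        """Ordered zone pairs whose traffic bypasses the firewall entirely."""
        return sorted(
            (a, b) for a, b in permutations(self.zone_to_if, 2)
            if self.zone_to_if[a] == self.zone_to_if[b]
        )


def flat_design():
    """Design 1: a single 'inside' interface carrying all three zones."""
    return Firewall({"outside": {"internet"}, "inside": {"web", "app", "data"}})


def segmented_design():
    """Designs 2 and 3: each zone on its own physical or VLAN interface."""
    return Firewall({"outside": {"internet"}, "vlan10": {"web"},
                     "vlan20": {"app"}, "vlan30": {"data"}})


def per_zone_rule_counts(rules, zones):
    """Designs 4 and 5: a dedicated (virtual) firewall per zone only carries
    the rules that touch its own zone, so each policy stays compact."""
    return {z: sum(1 for (s, d) in rules if z in (s, d)) for z in zones}


if __name__ == "__main__":
    for name, fw in (("flat", flat_design()), ("segmented", segmented_design())):
        print(f"{name}: web->data:5432 = {fw.decision('web', 'data', 5432)}, "
              f"paths = {fw.path_count()}, unfiltered = {fw.unfiltered_pairs()}")
    print("per-zone rule counts:", per_zone_rule_counts(ALLOW_RULES, ["web", "app", "data"]))
    spider = Firewall({f"vlan{i}": {f"zone{i}"} for i in range(1000)})
    print("1000 VLANs on one firewall ->", spider.path_count(), "paths to manage")
```

In the flat design the web tier can open a database connection directly and the firewall never sees it; in the segmented design the same flow is denied because no rule allows web to data, while app to data on 5432 passes. The last line shows why a thousand VLANs hanging off one firewall becomes unmanageable: close to a million directed paths, versus one or two rules per zone once the policy is split per zone.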