Thursday, December 22, 2022

Security in Network Design: Key Considerations from a Network Architect's Perspective


This guest post was authored by Cisco Designated VIP Daniel Dib, CCIE #37149, CCDE #20160011.

Recently I was describing on Twitter the amazing colleagues I'm getting to work with on a project, with CCIE certifications in Enterprise Infrastructure, Data Center, Wireless, and a CCDE certification. Someone responded to me, "Who's responsible for security?" My response was, "All of us are."

While we still definitely need people who specialize in security (there is no doubt about that), it's now the job of everyone to consider security in their network designs. You have to consider security within all network architectures. It's no longer enough to put a firewall on the perimeter and call it a day.

Key considerations for security in network design

Regardless of whether it's a LAN, data center, or WAN, what are some of the key considerations for security in network design? Let's take a look at the CCDE v3.0 Written exam blueprint.

Under network security design and integration, we have:

  • Segmentation
  • Network access control
  • Visibility
  • Policy enforcement
  • CIA triad
  • Regulatory compliance

Before we start diving into these CCDE exam topics, let me describe the process of designing a network, and how security can never be an afterthought. So, what differentiates a good network design from a bad one? Is it how redundant it is? Is it the number of firewalls? Is it the number of segments? Is it how fast it converges?

No. The one thing that differentiates a good network design from a bad one is whether it meets the requirements. A network design must always meet the requirements. Not meeting the network's requirements is obviously bad. But overdelivering can also be bad, and is often referred to as "gold plating."

So, how do you know what the network requirements are? Normally, the first step in a network design (and perhaps the most important one!) is gathering the requirements. Once the requirements are gathered, I normally document them in what is called a Customer Requirements Document (CRD). The document includes answers to a myriad of questions covering business requirements, functional requirements, technical requirements, and operational requirements.

When creating this document, it is important to understand what kind of organization I'm dealing with. What's a typical user? What kind of traffic flows do they have? How do they use the internet? What kind of VPNs do they have? Already, at this phase, I need to understand what the customer and network look like in order to define what the security requirements are. Now let's go back to the CCDE blueprint and dive into each area of network security design and integration, as well as how they affect a network's design.

Network Segmentation

Network segmentation is good, or so you've heard. But what is segmentation? Is it enough to have different VLANs? While using different VLANs can provide benefits such as smaller flooding and failure domains, segmentation is usually used to describe two networks that don't have direct access to each other. There are two types of segmentation: macro segmentation and micro segmentation.

Macro-Segmentation

Macro-segmentation is used to describe networks that are walled off from each other. For example, (1) a guest network that's separate from the enterprise users' network, (2) a management network that's separate from the enterprise users, and (3) an IoT network that's isolated from everything else. Macro-segmentation is often implemented using Virtual Routing and Forwarding (VRFs) and/or firewalls.

Micro-Segmentation

There's also micro-segmentation, which describes how you can filter within a macro segment. For example, maybe users shouldn't be able to communicate with each other. Should a printer be able to communicate with another printer? Should one ventilation system be able to communicate with another? Normally they can, since they belong to the same segment, but you may want to restrict it, which would require micro segmentation. This would normally be implemented using some form of Software Defined Networking (SDN) technology or by installing a client on computers and servers, and so on.

There are of course also many other types of segments, such as a Demilitarized Zone (DMZ), where you host public services that are reachable from the internet.

Why do we need segmentation, though? Well, do you? What did the requirements say? Why we create segmentation comes from the requirements. For example, a network requirement may state, "Guest users may only use the internet and must not have access to any internal networks." With a requirement like that, you would need to create segments because guest users should be separated from enterprise users. If there's another requirement, such as, "Enterprise users must not have access to each other," then most likely you need some form of micro segmentation. The purpose of segmentation is to be able to control what traffic is allowed between segments.

From a security perspective, it is also important to restrict lateral movement. If someone hacks one of our web servers, we don't want them to have access to, for example, our domain controller. That's why we don't allow any traffic from the DMZ to our higher security zones, such as where we keep the domain controller.
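One way to make the two requirements above testable before anything is configured is to model the segments as a default-deny zone matrix and run candidate flows through it. The following is an added example, not code from the post or from Cisco; the zone names, prefixes, rules and sample flows are constructed for illustration, and the allow list encodes exactly the requirements quoted above (guests get internet only, enterprise users cannot reach each other, nothing from the DMZ reaches the high-security zone).

```python
"""Segmentation policy checker (added example, not from the original post).

Models macro segmentation (zones) and micro segmentation (no intra-zone rule
for enterprise users) as a default-deny matrix, then audits sample flows.
All zone names, prefixes, rules and flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed zone map: which prefixes belong to which macro segment.
ZONES: Dict[str, List[str]] = {
    "guest": ["10.10.0.0/16"],
    "enterprise": ["10.20.0.0/16"],
    "management": ["10.99.0.0/24"],
    "iot": ["10.30.0.0/16"],
    "dmz": ["192.0.2.0/24"],            # public web servers
    "high_security": ["10.50.0.0/24"],  # domain controllers and the like
    "internet": ["0.0.0.0/0"],          # catch-all, least specific
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dst_ports: Optional[Tuple[int, ...]] = None  # None means any port


# Requirements translated into explicit allow rules. Anything not listed is
# denied, both between zones and within a zone (micro segmentation).
POLICY: List[Rule] = [
    Rule("guest", "internet"),                           # guests: internet only
    Rule("enterprise", "internet"),
    Rule("enterprise", "dmz", (443,)),
    Rule("internet", "dmz", (80, 443)),                  # public services
    Rule("management", "enterprise"),
    Rule("management", "dmz"),
    Rule("management", "high_security"),
    Rule("management", "management"),                    # admins may reach each other
    Rule("enterprise", "high_security", (88, 389, 445)), # AD services only
    # Deliberately absent: dmz -> high_security (no lateral movement from the DMZ)
    # and enterprise -> enterprise (users must not reach each other).
]


def zone_of(ip: str) -> str:
    """Most specific matching prefix wins; 0.0.0.0/0 is the fallback."""
    addr = ip_address(ip)
    best, best_len = "internet", -1
    for zone, prefixes in ZONES.items():
        for prefix in prefixes:
            net = ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    return best


def is_allowed(src_ip: str, dst_ip: str, dst_port: int, policy=POLICY) -> bool:
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.src == src_zone and rule.dst == dst_zone and (
            rule.dst_ports is None or dst_port in rule.dst_ports
        ):
            return True
    return False  # default deny


def audit(flows, policy=POLICY):
    """Return the flows the policy denies, annotated with the zones they span."""
    return [
        (src, dst, port, zone_of(src), zone_of(dst))
        for src, dst, port in flows
        if not is_allowed(src, dst, port, policy)
    ]


# Constructed sample flows (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.10.4.7", "203.0.113.9", 443),  # guest -> internet: allowed
    ("10.10.4.7", "10.20.1.5", 445),    # guest -> enterprise: denied
    ("192.0.2.10", "10.50.0.5", 389),   # dmz -> domain controller: denied (lateral movement)
    ("10.20.1.5", "10.20.1.6", 445),    # enterprise user -> user: denied (micro segmentation)
    ("10.20.1.5", "10.50.0.5", 389),    # enterprise -> AD LDAP: allowed
    ("10.99.0.2", "192.0.2.10", 22),    # management -> dmz SSH: allowed
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("DENY", finding)
```

Running the block prints the three denied flows. The useful property of writing the requirements this way is that a new flow request can be checked against the intent before a firewall or VRF change is made, and the audit list is a direct test of the "no DMZ to high-security" rule.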

Network Access Control

Let's say you plug your computer into a switch port. With no authentication, you have full access to other users, your management network, and the internet. Is this good security? We could argue that it's bad, but what did the requirements say? When implementing network access control, we must of course consider the security requirements, but also the ease of use. If the network becomes too complicated and complex to use, and error-prone, then our design has failed, even if we met the requirements. What is network access control?

Many forms of network access control come to mind. The most obvious one is perhaps to implement 802.1X in your LAN. This is a mechanism that authenticates users, and optionally their computer, before allowing them access to the LAN. This can be in the form of providing credentials and/or using certificates. Depending on the user, they may get different levels of access to the network. This can, for example, leverage Dynamic ACLs (DACL).

There are of course many other methods, such as using firewalls to enforce rules for what traffic can flow between segments. The network may use a proxy, such as Umbrella Secure Internet Gateway (SIG), to enforce what's allowed to be used on the internet. This can be enforced in the network or on the client itself.

There may be things that are so obvious that you didn't even consider them. What about putting network equipment in a locked room to prevent people from accessing it, or shutting down switch ports so that people can't connect to random ports? Network access control can be anything from physical security to policy, and much more.

Visibility 

What does visibility have to do with security? Growing up in the '80s and being named Daniel, The Karate Kid was one of my favorite movies. In The Karate Kid Part III, there's this quote from Terry Silver, the main antagonist in that movie. He says, "A man can't see, he can't fight." If your organization is blind to what's going on in the network, how are you going to prevent any threats? You can't! You need visibility to understand traffic flows and what's going on in your network.

How do you get visibility? That's one big and complex topic! Did you know that most traffic, at least to the internet, is encrypted? This means that it's getting more and more difficult to see what traffic we have in our networks and hence how to protect against potential threats. What can we do? We can try to glean information from the packets through DNS requests (if not encrypted), IP addresses (where the packets are going), what ports the packet is using, patterns in the packets, such as size and frequency, and other things. There are well-known prefixes, such as when using Microsoft 365 for example, where we can make a qualified guess about what the traffic is if we recognize the prefix. To get visibility, we often need some form of third-party product that can take information from the network, for example in the form of Deep Packet Inspection (DPI), NetFlow, packet taps, packet mirroring, and so on.

To get full visibility, you'll most likely have to install something on the client. The client is the only place where you can see unencrypted packets, unless you're decrypting the users' packets using Transport Layer Security (TLS) inspection, of course.

There are many other ways of getting visibility, such as using proxies, firewalls, network access control, and Syslog. The most difficult part, considering the wealth of information, is understanding what is actually happening and how to prevent attacks such as the exfiltration of your data. If someone logs in from a location where you have no office and they transfer a lot of data, wouldn't you want to know about it? Ideally, visibility should give you insights into incidents such as these.
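The login-from-nowhere-plus-large-transfer scenario above is exactly the kind of correlation that flow records and authentication logs allow once they are in one place. Below is an added example, not from the post, that runs that correlation over a few constructed session records of the kind a NetFlow collector or SIEM would produce after enriching the source address with a country. The office country set, byte threshold, window and the country code "XX" are all assumptions made for the example.

```python
"""Correlate unusual login location with outbound volume (added example,
not from the original post). Input records are constructed to look like
enriched session data from a flow collector or SIEM."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumptions for the example: offices only in SE and DE, and more than
# 500 MiB outbound from one user within an hour is worth an alert.
OFFICE_COUNTRIES = {"SE", "DE"}
BYTES_THRESHOLD = 500 * 1024 * 1024
WINDOW = timedelta(hours=1)

# Constructed sample records: who logged in, from which country, when, and
# how many bytes left the network during that session. "XX" is a placeholder
# country code for "somewhere we have no office".
SAMPLE_RECORDS: List[Dict] = [
    {"user": "anna", "country": "SE", "ts": "2022-12-22T08:01:00", "bytes_out": 2_000_000},
    {"user": "anna", "country": "SE", "ts": "2022-12-22T08:20:00", "bytes_out": 3_500_000},
    {"user": "bjorn", "country": "DE", "ts": "2022-12-22T09:05:00", "bytes_out": 700_000_000},  # large, but from an office country
    {"user": "carl", "country": "XX", "ts": "2022-12-22T03:10:00", "bytes_out": 300_000_000},
    {"user": "carl", "country": "XX", "ts": "2022-12-22T03:40:00", "bytes_out": 350_000_000},   # 650 MB within 30 minutes
    {"user": "dana", "country": "XX", "ts": "2022-12-22T11:00:00", "bytes_out": 10_000_000},    # odd location, small transfer
]


def parse(rec: Dict) -> Tuple[str, str, datetime, int]:
    return rec["user"], rec["country"], datetime.fromisoformat(rec["ts"]), rec["bytes_out"]


def find_suspicious(records, office_countries=OFFICE_COUNTRIES,
                    threshold=BYTES_THRESHOLD, window=WINDOW) -> Dict[str, Tuple[str, int]]:
    """Return {user: (country, bytes_in_window)} for users who logged in from a
    non-office country AND moved at least `threshold` bytes within `window`."""
    # Keep only sessions from countries where the organization has no office.
    by_user = defaultdict(list)
    for rec in records:
        user, country, ts, nbytes = parse(rec)
        if country not in office_countries:
            by_user[user].append((ts, country, nbytes))

    findings: Dict[str, Tuple[str, int]] = {}
    for user, sessions in by_user.items():
        sessions.sort()
        start = 0
        # Sliding window over the user's sessions, oldest to newest.
        for end in range(len(sessions)):
            while sessions[end][0] - sessions[start][0] > window:
                start += 1
            total = sum(nbytes for _, _, nbytes in sessions[start:end + 1])
            if total >= threshold:
                findings[user] = (sessions[end][1], total)
                break
    return findings


if __name__ == "__main__":
    for user, (country, total) in find_suspicious(SAMPLE_RECORDS).items():
        print(f"ALERT user={user} country={country} bytes_out_in_window={total}")
```

Only "carl" is reported: "bjorn" moved more data but from an office country, and "dana" logged in from an unexpected place but transferred little. Requiring both conditions is what keeps this from paging on every large backup or every travelling employee; the thresholds belong in the requirements, not in the code.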

Policy Enforcement

How do we enforce our policies, like the requirement that users can't talk to each other? How is policy enforcement different from network access control? Network access control pertains more to giving access to the network itself, while policy enforcement is about restricting access once you already have access.

There's quite some overlap here, though. Let's break the phrase down into its components. Policy is the intent of our network; the translation of our requirements into a set of rules. Enforcement is ensuring that our policy gets adhered to. To be able to enforce something, packets must pass through a device that can decide whether the packet adheres to the policy or not.

What we need are choke points. When you travel to another country, they have a border. They also check your passport before admitting you. That is policy enforcement at a choke point. This is the same thing that we do in our networks. Traditionally, all our traffic went to some kind of headquarters or data center and passed through a big fat firewall. Most organizations moved away from this design, since it created a less-than-optimal user experience. But what are some of the choke points or potential policy enforcement nodes that we have today? There are many, so let me list a few of them.

  • Firewalls
  • Proxies
  • IDS/IPS (often integrated with the FW)
  • Switches
  • Routers
  • Wireless LAN controllers
  • Applications on clients and servers

There are many places where we can enforce policies. The main challenge is most often getting visibility, though. You can't enforce a policy if you don't know what's in the packet.

The other challenge is often around implementation. If you have a firewall in every branch, and you have 1000 branches, how easy is it to manage this? It may come down to how standardized your design is. This is why many organizations today are using cloud proxies to have fewer choke points and make it more manageable. The other thing I often see in network design is that organizations don't know what their policy is, what apps and systems they have, or what ports they use and what the traffic flows are. You can't write a policy if you don't have enough information to classify what's allowed or not.

CIA Triad 

The CIA triad sounds like some weird mix of the US Central Intelligence Agency and a Japanese mafia. The good news is that this isn't at all what it is.

CIA in a network design is:

  • C – Confidentiality 
  • I – Integrity 
  • A – Availability

Confidentiality is about keeping the organization's data private or secret. All data should be private, right? What did the requirements say? A guest network at Starbucks may have different requirements than the Department of Defense (DoD) highly classified networks. This makes sense, right?

Integrity is about ensuring the integrity of the data. How do you know the information I sent you really came from me? What if my packet was altered before it reached you?

My data may be secure and private, and we ensured the packets couldn't be tampered with, but if my packet doesn't reach you, what good does it do? A secure system must also be available.

Let's take a closer look at the components of the CIA triad. Then I'll let you in on how this all ties together.

CIA Triad in Network Design

Confidentiality is about keeping data private or secret. There are many potential threats here, such as accessing data in transit if it's not encrypted, using weak algorithms, key loggers, attackers moving laterally after taking over an IoT device, and so on. The main tools for keeping the data secret are having proper access controls, such as using strong passwords, implementing Multi-Factor Authentication (MFA), using least privilege access, and encrypting the data, at rest and in transit. There are also other measures, such as avoiding shoulder surfing, locking the computer, and preventing USB-device access to the computer.

Integrity is about ensuring that the data has not been tampered with. This could happen to data that's in transit or at rest. Having unauthorized access to data is bad enough, but what if they were also able to alter the data? Imagine someone gets access to the system that manages your bills and redirects a payment to themselves. The main security mechanisms, beyond access control, are digital signatures such as certificates, checksums, and message digests (also called hashes). Certificates are used to verify the identity of the sender. Checksums and message digests are used to verify, using cryptography, that the data has not been altered.
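The redirected-payment scenario above is a good one to work through, because it shows the difference between a plain digest and a keyed one. An unkeyed digest catches a record that changed while its stored digest did not, but someone who can rewrite the record can usually rewrite the digest beside it; a keyed digest (HMAC) or a signature ties the check to something the attacker does not hold. The following is an added example, not code from the post; the payment record, the key and the tampered values are constructed.

```python
"""Integrity checks on a stored record: unkeyed digest vs keyed MAC
(added example, not from the original post). Record and key are constructed."""
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    """Stable serialization so writer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record: dict) -> str:
    """Unkeyed SHA-256 message digest: detects changes to the record, but
    anyone who can change the record can recompute this too."""
    return hashlib.sha256(canonical(record)).hexdigest()


def verify_digest(record: dict, expected: str) -> bool:
    return hmac.compare_digest(digest(record), expected)


def mac(key: bytes, record: dict) -> str:
    """Keyed digest (HMAC-SHA256): only a holder of `key` can produce a valid tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_mac(key: bytes, record: dict, tag: str) -> bool:
    return hmac.compare_digest(mac(key, record), tag)


# Constructed sample: a payment instruction as a billing system might store it.
KEY = b"constructed-demo-key-do-not-reuse"
PAYMENT = {"invoice": 1001, "amount": 4200.00, "iban": "SE00 0000 0000 0000 0000 00"}


def scenario() -> dict:
    """Replay the post's scenario: the stored record is altered to point the
    payment elsewhere. Each value is True when verification PASSES."""
    stored_digest = digest(PAYMENT)          # written when the record was created
    stored_tag = mac(KEY, PAYMENT)           # same, but keyed
    tampered = dict(PAYMENT, iban="SE99 9999 9999 9999 9999 99")
    return {
        # Record altered, stored checks untouched: both mechanisms catch it.
        "digest_passes_after_edit": verify_digest(tampered, stored_digest),
        "mac_passes_after_edit": verify_mac(KEY, tampered, stored_tag),
        # Record altered AND the unkeyed digest recomputed by whoever edited it:
        # the digest check now passes, so tampering goes unnoticed.
        "digest_passes_after_recompute": verify_digest(tampered, digest(tampered)),
        # Same attempt against the MAC without the real key (a guessed key is used):
        # the tag does not verify, so the alteration is still detected.
        "mac_passes_after_recompute": verify_mac(KEY, tampered, mac(b"guessed-key", tampered)),
    }


if __name__ == "__main__":
    for check, passed in scenario().items():
        print(f"{check}: {'verification passed' if passed else 'tampering detected'}")
```

The two "after_recompute" results are the point: the unkeyed digest passes once it is recomputed alongside the altered record, while the keyed tag still fails. Where the key cannot be shared with the verifier, a digital signature over the same canonical bytes gives the same property with a public key, which is the role certificates play in the paragraph above.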

Availability is often overlooked from a security perspective. Having the data unavailable is a security threat as well, though. Ensuring availability comes down to having a proper design in place that meets the availability requirements. This involves having redundant systems and paths, but in addition to redundancy, you also have to consider resiliency. What if you have redundant switches, routers, and firewalls, but all of them use the same power source? What happens when you have a power outage? I've worked with environments where they used both AC and DC power as well as UPS and diesel generators to prevent scenarios where redundant components go down together with the other components. You also have to consider this from a transport perspective. Having a single transport, such as the internet, puts you at greater risk of your systems becoming unavailable.

From an attack perspective, the main threat to availability is if your systems get attacked and the attacker crashes the systems. More commonly though, you'll see something like a DDoS attack, where your systems are flooded with traffic. Someone may also try to send massive amounts of data into an application, such as a database, to make the system crash. Having your data encrypted by a crypto locker would also be a threat to your availability.

Protecting yourself includes having a good design, where you have considered the availability requirements and what transports to use, as well as having implemented security systems that can filter out threats. Take IDS/IPS, for example. Some threats, such as DDoS, are difficult to handle on your own. You may need to rely on your ISP for protection in such scenarios.

Regulatory Compliance 

What was it Huey Lewis and the News said? It's HIPAA to be square? Resistance is futile; you will be assimilated. I don't recall whether this was from Star Trek or my PCI auditor. Joking aside, regulatory compliance is very important, of course. Regulatory compliance is there to ensure that organizations live up to the standards that are required to keep our data safe. The two most well-known ones are probably the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). HIPAA is used to help keep our medical records safe, for example. PCI DSS is used to create safe payments, so our credit card numbers don't get leaked.

When it comes to regulatory compliance, there are a number of requirements that come with it. You have to fulfill the requirements, and there may be auditing involved to ensure that you're doing so. The requirements may include things like segmentation, encryption, access control, and more. While working with regulatory compliance can be tedious, time-consuming, and sometimes feel like you're designing for things that should be obvious, the regulations are there to ensure that organizations meet the minimum standards when working with sensitive things such as medical records and payment information.

This blog post ended up a little longer than I expected, but I wanted to give you insight into just how much there is to consider in network design, or any design, when it comes to security. Even if you don't specialize in security, it should still be top of mind in everything you do. Keep in mind though, any design strives to meet the requirements, nothing more, nothing less.

If you enjoy talking about network design or are studying for the CCDE certification, join me in the CCDE Certification Community on the Cisco Learning Network. Check out the CCDE: Ask about anything discussion, where you can get your CCDE cert questions answered directly by Cisco. Thanks for sticking around and see you next time!


About Daniel Dib

Daniel Dib, CCIE #37149, CCDE #20160011, is a senior network architect at Conscia Netsafe. He works on creating scalable, modular, and highly available network designs that meet business needs. Daniel started out in implementation and operations and got his CCIE in 2012. In May 2016, he became the second person in Sweden to get CCDE certified.

He often acts as a subject matter expert for his customers, with deep expertise in routing, switching, multicast, and fast convergence. He's an active person in the networking community and believes in helping people reach their full potential. He writes technical articles and blogs, and holds member-led study sessions for the members of the Cisco Learning Network.
