Guidelines for Implementing Secure Enterprise Network Architecture
Follow these guidelines when you implement designs for new or extended networks:
- Identify business workflows and the servers, clients, protocols, and data assets that support them. Design segmented network zones (blocks) that meet the security requirements of each workflow, and implement the design with VLANs, subnets, and firewall policies.
- Deploy switching and routing appliances and protocols to support each block, accounting for port security or 802.1X network access control (NAC) on access ports.
- Analyze the attack surface and select effective controls, deploying each at the network location where it can actually see and act on the traffic concerned:
  - Deploy port security or 802.1X NAC to mitigate risks from rogue devices attached to physical network ports.
  - Deploy routing firewalls to enforce access control and intrusion prevention at zone perimeters, using layer 4 or layer 7 filtering as appropriate.
  - Deploy transparent (bridging) firewalls to protect hosts and segments without having to change the IP topology.
  - Deploy intrusion detection sensors behind firewalls or on a mirrored (SPAN) switch port to monitor traffic within a zone.
  - Consider the use of proxy servers, next-generation firewalls (NGFW), and web application firewalls (WAF) for advanced application-aware and user-aware filtering.
  - Consider the use of unified threat management (UTM) appliances to deploy additional security control capabilities alongside firewall/IPS functionality.
- Design load-balanced services to provision high availability and fault tolerance.
- Accommodate client-to-site, site-to-site, and host-to-host secure communications requirements for remote access with TLS and IPsec VPN protocols.
- Implement secure communications for desktop/shell remote access with RDP and SSH, and restrict those protocols to the management zone rather than exposing them from every client segment. Consider the use of a jump server to consolidate the management of a group of servers in a protected zone.
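The first and last steps above (deriving zones and firewall policy from business workflows, and restricting SSH/RDP to a jump-server zone) can be checked before a rule set is pushed to a real firewall. The following is an added example written for this page, not code from the original guidelines: the zone names, VLAN IDs, RFC 1918 subnets and workflows are constructed sample data, and the firewall is modelled as a stateless default-deny allow list (a real firewall is stateful, so reply traffic is not modelled).

```python
"""Added example: derive a default-deny firewall allow list from business
workflows and check it against the segmentation design.  All zones, VLAN IDs,
subnets and workflows below are constructed sample data (hypothetical)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from itertools import combinations


@dataclass(frozen=True)
class Zone:
    name: str
    vlan: int
    subnet: IPv4Network


@dataclass(frozen=True)
class Flow:
    src: str    # source zone name
    dst: str    # destination zone name
    proto: str  # "tcp" or "udp"
    port: int   # destination port


@dataclass(frozen=True)
class Workflow:
    name: str
    flows: tuple  # Flow objects the workflow needs


# Constructed sample zones: hypothetical VLAN IDs and RFC 1918 subnets.
ZONES = {z.name: z for z in (
    Zone("clients", 10, ip_network("10.10.0.0/24")),
    Zone("web",     20, ip_network("10.20.0.0/24")),
    Zone("db",      30, ip_network("10.30.0.0/24")),
    Zone("mgmt",    99, ip_network("10.99.0.0/24")),  # jump server lives here
)}

# Constructed sample workflows: the only flows the business actually needs.
WORKFLOWS = (
    Workflow("order entry", (Flow("clients", "web", "tcp", 443),
                             Flow("web", "db", "tcp", 5432))),
    Workflow("server admin", (Flow("mgmt", "web", "tcp", 22),
                              Flow("mgmt", "db", "tcp", 22))),
)

MGMT_PORTS = {22, 3389}  # SSH and RDP: only reachable from the jump-server zone


def check_zones(zones):
    """Return pairs of zones whose subnets overlap (a segmentation design error)."""
    return [(a.name, b.name) for a, b in combinations(zones.values(), 2)
            if a.subnet.overlaps(b.subnet)]


def derive_rules(workflows, zones):
    """Build a default-deny allow list: exactly one allow rule per required flow.
    Each rule is (src_subnet, dst_subnet, proto, dst_port, workflow_name)."""
    return [(zones[f.src].subnet, zones[f.dst].subnet, f.proto, f.port, wf.name)
            for wf in workflows for f in wf.flows]


def is_allowed(rules, src_ip, dst_ip, proto, port):
    """Stateless policy lookup: any matching allow rule permits, otherwise deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(s in sn and d in dn and proto == p and port == pt
               for sn, dn, p, pt, _ in rules)


def check_workflows(rules, workflows, zones):
    """Return (workflow, flow) pairs the business needs but the rule set blocks."""
    missing = []
    for wf in workflows:
        for f in wf.flows:
            src = next(zones[f.src].subnet.hosts())  # first usable host as a probe
            dst = next(zones[f.dst].subnet.hosts())
            if not is_allowed(rules, str(src), str(dst), f.proto, f.port):
                missing.append((wf.name, f))
    return missing


def check_mgmt_access(rules, zones, jump_zone="mgmt"):
    """Return rules that allow SSH/RDP from anywhere other than the jump-server zone."""
    jump = zones[jump_zone].subnet
    return [r for r in rules
            if r[2] == "tcp" and r[3] in MGMT_PORTS and not r[0].subnet_of(jump)]


if __name__ == "__main__":
    rules = derive_rules(WORKFLOWS, ZONES)
    print("overlapping zones:", check_zones(ZONES))
    print("unserved workflow flows:", check_workflows(rules, WORKFLOWS, ZONES))
    print("client -> db 5432 allowed?", is_allowed(rules, "10.10.0.5", "10.30.0.5", "tcp", 5432))
    # A tempting shortcut: let admins SSH to the database straight from the
    # client VLAN.  The jump-server check flags it before it is deployed.
    shortcut = rules + [(ZONES["clients"].subnet, ZONES["db"].subnet, "tcp", 22, "ad hoc")]
    print("mgmt-access violations:", check_mgmt_access(shortcut, ZONES))
```

Running the script reports no overlapping zones, no unserved workflow flows, a denied client-to-database connection (the database is reachable only from the web tier), and one violation once the ad hoc client-to-database SSH rule is added. The same three checks are what to run whenever a zone, workflow, or rule is changed.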