A successful network security implementation will consider the following key pillars. Each organization and standard that talks about network security architecture may have a different block, but the foundational principles are always the same:
Let's quickly run through what these stages are about before analyzing them in detail in the upcoming subsections:
- Planning and analysis: The planning and analysis stage is responsible for developing a conceptual network security architecture design.
- Designing: This stage is responsible for developing a detailed network security architecture design.
- Building: In the building phase, we focus on developing the network components that were identified in the first phase of planning and analysis, as well as the second phase, where we created the outline design of how we envision the network to be formed.
- Testing: The testing phase focuses on validating the implementations that were done in the previous phase. This also accounts for how effective and efficient they are regarding their intended operational capability.
- Deployment: The major focus of the deployment phase is to ensure that the deployment and go-live plans are in place and that the operation teams are equipped to take over the operations for the network.
In the upcoming subsections, we'll understand what activities are carried out in these stages and how they achieve their goal.
- Simplex, half-duplex, and full-duplex communication
- Baseband and broadband
- Circuit-switched and packet-switched networks
- Basic concepts such as ARP and RARP and unicast, multicast, and broadcast traffic
- Distributed Network Protocol (DNP3 – used in SCADA and smart grid applications), storage protocols (FCoE, iSCSI), and Virtual SAN (vSAN)
- Software-defined networks
- Authentication protocols such as Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), and Extensible Authentication Protocol (EAP)
Planning and analysis
The Planning and analysis stage is responsible for developing the conceptual network security architecture design, which covers the following:
- Network zoning and edge security
- Network access control
- Communication protocol security
- Network configuration management
- Network security monitoring and response
The objectives of this phase focus on the following activities:
- Defining the security domains and the security zones, their security boundaries, and inter-zone data flows
- Defining the communication security requirements for intra-zone and inter-zone data flows
- Defining network integration with AAA, management and monitoring systems, and operators
- Defining network access controls (physical and logical) for each security domain
- Evaluating and selecting a network security service and component vendors
There can also be additional activities, such as the following:
- Performing network discovery scans and comparing them to the existing network architecture documentation
- Identifying regulatory and policy security requirements
- Identifying the classifications, ownerships, and trust levels of different types of endpoints (users, systems, data), environments, and transit networks and performing threat modeling/threat assessment
- Identifying the classification of data flows
The following are the inputs and outputs of this phase:
|
Inputs |
Outputs |
|
|
The planning and analysis phase sets the stage for having a foundational understanding of the network requirements and constructs the basis for the next phase, which is designing the network architecture and its associated components.
Designing
The designing stage is responsible for developing a detailed network security architecture that covers the following aspects:
- A logical network security architecture
- A physical network security architecture
- An integration architecture for network management, monitoring, and Authentication, Authorization, and Accounting) (AAA)
- Network access control
- Communications security
The objectives of this phase focus on the following activities:
- Designing logical and physical security domains/zones separation (Air-gap, VLAN, VRF, MPLS, VPN)
- Designing logical and physical perimeters (Firewalls, NAT, Proxies, VPN Concentrators, IDS/IPS, App FW)
- Designing management and control (in-band, out-of-band, NCM, Backup and Restore, Fail-open/Fail-close)
- Designing AAA (Ops Model, Roles, Groups, Multi-Factor Authentication, Access Control, IAM Integration)
- Designing monitoring and response (Logging, IDS/IPS, SIEM Integration, Audit, Ops Model)
- Designing comms security (SSL Offload, VPN Concentrators, IPsec, MACsec, WPA2, Key Management)
- Designing Network access control (802.1x, TNC, Quarantine, Guests/Contractors, Remote VPN, Wi-Fi)
There can also be additional activities, such as the following:
- Building a Proof-of-Concept (POC)/model/lab environment
- Refining activity estimates (cost/time), getting management/stakeholder sign-off and obtaining funding
- Procurement
The following are the inputs and outputs of this phase:
|
Inputs |
Outputs |
|
|
Once the designing phase has been completed and an outline of the network architecture is formed, we can move on to the next phase, which is the building phase.
Building
In the building phase, we focus on developing the network components that were identified in the first phase of planning and analysis, as well as the second phase, where we created an outline design of how we envision the network to be formed. This covers the following broad aspects:
- Building a core network and integration architecture
- Developing an asset inventory with equipment configuration (CMDB)
- Developing firewall rules
- Documenting a test plan
- Executing the component test
- Developing a deployment execution plan
- Developing standard operating procedures
The objectives of this phase focus on the following activities:
- Deploying, configuring, hardening, and testing equipment
- Developing and optimizing firewall rules and network security policies (IPv4, IPv6, 6in4 tunnels, and so on)
- Developing installation/configuration guides and operational procedures
- Performing a network security component test
- Developing a deployment execution plan (including a go-live support plan)
There can also be additional activities, such as the following:
- Completing asset and cable labeling and tracking registers
- Creating, installing, securing, and tracking cryptographic keys/certificates
- Changing/replacing default usernames, passwords, and cryptographic keys/certificates
The following are the inputs and outputs of this phase:
|
Inputs |
Outputs |
|
|
Once the building phase has been completed and the major components of the network architecture have been put in place, we can move on to the next phase, which is the testing phase.
Testing
The testing phase focuses on validating the implementations that have been done in the previous phase. It also accounts for how effective and efficient they are in their intended operational capability. This includes the following:
- Auditing equipment labels and their location against the asset register
- Auditing cable labels against the cable register
- Auditing network configuration and labels
- Auditing cryptographic keys against the key register
- Performing a network scan for discovery and mapping
- Performing vulnerability analysis and penetration testing scans
- Auditing logging functionality
- Performing integration and acceptance tests
The objectives of this phase focus on the following activities:
- Auditing all networked equipment and cabling labels against asset and cable registers
- Auditing equipment configuration against a documented baseline
- Auditing default/system account passwords and cryptographic keys/certificates
- Performing discovery network scans and firewall scans
- Performing vulnerability scans for management purposes, as well as the control planes and systems (in-band and out-of-band)
- Verifying that password audits and network scans have been captured by the appropriate audit logs
- Testing integration with the management, AAA, and monitoring systems
- Performing performance and scalability testing
- Performing user acceptance testing against requirements
There can also be additional activities, such as the following:
- Validating scan results against the documented design, configuration, and registers
- Validating the naming conventions for network devices that don't reveal the device's type, version, or model
The following are the inputs and outputs of this phase:
|
Inputs |
Outputs |
|
|
After completing the testing phase, where we document our findings from the various tests and audits we've performed, we can move on to the next phase, which is the deployment phase.
Deployment
The major focus of the deployment phase is to ensure that the deployment and go-live plans are in place and that the operation teams are equipped to take over the operations for the network. This includes the following:
- Conducting training with operations staff
- Confirming and communicating deployment readiness
- Rolling out new capabilities
- Monitoring deployment and operations
- Operational handover and acceptance
- Closure and signoff
The objectives of this phase focus on the following activities:
- Conducting training sessions with operations staff
- Confirming a participant's and environment's readiness and communicating rollout dates and details
- Coordinating a rollout for a new capability to the deployment groups
- Monitoring deployment delivery and operations
- Handing over and signing off operational responsibility to the network/security operations teams
- Creating a summary report and acceptance checklist
There can also be additional activities, such as the following:
- Performing a pilot deployment on a less-critical subset of participants/environments
- Supporting security operations and network operations teams
- Updating network security/compliance and gap analysis
The following are the inputs and outputs of this phase:
|
Inputs |
Outputs |
|
|
Once the deployment phase has been completed, along with the required signoffs from the operation teams and the executive leadership, we can move on to the last phase, which is the post-deployment phase.
Post-deployment
The post-deployment phase focuses on the activities that will be used to monitor the performance of the network, as anticipated, and inculcate strategies and methods to uplift the network's performance. This includes the following:
- Reporting: Establish regular KPI and KRI reporting (for example, for compliance)
- Continuous improvement: Perform regular vulnerability assessments
- Regular audits: Perform regular audits against known configuration and registers
This concludes our discussion on the network security architecture approach. This gave you a detailed deep dive into the mindset and procedures that you should take into account when planning for a network security exercise for an organization. However, most organizations might already have a network in place.
The approach we use might take a slight diversion in this case, such as starting with a security audit, which investigates their network security policies and verifies the network assets for potential deficiencies. This will give you a clear picture of what needs to be addressed and the prioritization. Findings may result in restrict user access privileges and implementing the least privileges across the environment in an iterative process. You may also need to review your security controls and platforms in use for detection, prevention, response, and so on based on their effectiveness and how they are used (the way they are used and the team's ability to use them appropriately).
Now that we've completed the basic groundwork, we will look at the various best practices of network security and how they help us build a more resilient environment.