Data and System Security


Chapter 13

Secure Network Design

Copyright © 2014 by McGraw-Hill Education.


In this chapter, we review some high-level security concepts that should be kept in mind during network design.

This chapter introduces the basic concepts of network architecture and the best practices for security that should be considered when designing a network.

Copyright © 2014 by McGraw-Hill Education.

Electronic Security Perimeter (ESP)

The boundary between an organization’s network and the Internet or a peered network is known as an electronic security perimeter (ESP).

The network perimeter lies wholly within the ESP and is often confined to a particular physical location or set of locations, while the ESP has other elements such as corporate smartphones and smartphones, tablets, and other mobile devices. These devices may be outside of the network(s) physically, but they are still within the ESP.

Within this perimeter you will find all owned computing assets and potential storage locations for organization data, sometimes including third-party systems.

Copyright © 2014 by McGraw-Hill Education.

Acceptable Risk

Management’s risk tolerance is expressed through the policies, procedures, and guidelines issued to the staff.

A complete set of policies outlining management’s preferences and its tolerance of information security risks enables employees to make appropriate infrastructure decisions when designing and securing new systems and networks.

Thus, the design and configuration of the infrastructure becomes the enforcement of those documents.

Copyright © 2014 by McGraw-Hill Education.

Designing Security into a Network

Separating assets of differing trust and security requirements should be an integral goal during the design phase of any new project.

Aggregating assets that have similar security requirements in dedicated zones allows an organization to use small numbers of network security devices, such as firewalls and intrusion-detection systems, to secure and monitor multiple application systems.

Copyright © 2014 by McGraw-Hill Education.

Network Design Models

The three-tier Cisco Hierarchical Internetworking model is derived from the Public Switched Telephone Network (PSTN) model, which is in use for much of the world’s telephone infrastructure.

Copyright © 2014 by McGraw-Hill Education.

The Three-Tier Cisco Hierarchical Internetworking Model

Copyright © 2014 by McGraw-Hill Education.

Newer Models

Although the Cisco three-tier model is perhaps the most commonly known and referenced model for designing LAN environments, it has its limitations and is rapidly being supplanted by newer models aimed at addressing the specific needs of highly virtualized data centers, different industry verticals, and cloud computing and multitenancy environments.

Many modern data center architectures and “cloud” designs favor a clustered switching, class fabric, or collapsed two-tier approach that offers higher performance and lower cost but also brings special security considerations into play.

A few of the more well-known and published models are Cisco’s FlexPod model (data center in a box), Arista’s two-tier CloudVision model, Brocade’s Brocade One model, and Juniper’s Stratus model.

Copyright © 2014 by McGraw-Hill Education.

Two-Tier vs. Three-Tier Models

Core: The core of the two-tier network is a highly available, horizontally scalable element used for transit and moving data between different areas or zones in the network, much like the core in the three-tier model.

Distribution: The distribution layer in some collapsed networks either is eliminated completely or is combined with the access layer as part of the fabric.

Access: The access layer is collapsed into the distribution layer, so although physically separate devices may provide the aggregation and access function, both can be part of the same layer two domain employing trill or 802.1aq for bridging. These combined layers offer active/active connectivity across multiple switches via clustering for high availability and performance. This “fabric” introduces a new dimension for security, as server-to-server, server-to-storage, and virtual host communication can now be fused together in ways not previously possible.

Copyright © 2014 by McGraw-Hill Education.

Security Components

Security components (firewalls, filtering devices, etc.) “plug in” to the fabric in a fashion that maintains the integrity of data communications between intended hosts but does not compromise the performance of the data center platform.

Techniques such as VM fencing, virtual appliance firewalls, hypervisor protection, and segregation of security zones by service type are common approaches to ensuring adequate controls are in place to enforce the security plan.

Copyright © 2014 by McGraw-Hill Education.


Avoid single points of failure within the architecture.

This can require redundant and/or failover capabilities at the hardware, network, and application functions.

Copyright © 2014 by McGraw-Hill Education.

A Full High-Availability Network Design

A true high-availability design will incorporate redundant hardware components at the switch, network, firewall, and application levels.

Copyright © 2014 by McGraw-Hill Education.

Layered Network Security

Flaws, such as a buffer overflows, can allow an attacker to turn a vulnerable server into a conduit through the firewall.

Once through the firewall, the attacker can mount attacks against infrastructure behind the protection of the firewall.

If the server is on the internal network, the entire network could be attacked without the protection provided by the firewall.

If the server is on a separate firewalled segment instead of the internal network, only the hosts on the same subnet could be directly attacked.

Each connection to another network, whether to the Internet or to any external third party (business partner, data provider, and so on), creates an entry point in the perimeter that must be secured.

Copyright © 2014 by McGraw-Hill Education.

Wireless Impact on the Perimeter

Organizations that deploy wireless solutions must recognize and mitigate risks associated with an unauthorized individual gaining connectivity to the corporate LAN via wireless signal leakage outside of the corporate-controlled premises.

Copyright © 2014 by McGraw-Hill Education.

Wireless Deployment Through a VPN Server

Copyright © 2014 by McGraw-Hill Education.

Remote Access Considerations

When VPN peers consist of remote users accessing the corporate network over the Internet, the overall security of the corporate network becomes dependent on the security of that employee’s remote PC.

Should a hacker gain access to an unprotected PC, the VPN may be used to tunnel traffic past the corporate firewalls and the protection they provide.

To protect the corporate network when VPNs are used for remote user access, security administrators should ensure that adequate protection is implemented over the endpoints.

Copyright © 2014 by McGraw-Hill Education.

Internal Security Practices

Internal controls, such as firewalls and early detection systems (IDS, IPS, and SIEM), should be located at strategic points within the internal network to provide additional security for particularly sensitive resources such as research networks, repositories containing intellectual property, and human resource and payroll databases.

Copyright © 2014 by McGraw-Hill Education.

Internal Firewalls

Copyright © 2014 by McGraw-Hill Education.


The main purpose of an intranet is to provide internal users with access to applications and information.

To achieve a higher level of security, intranet systems are aggregated into one or more dedicated subnets and are firewalled.

Copyright © 2014 by McGraw-Hill Education.


Extranets are application networks that are controlled by an organization and made available to trusted external parties, such as suppliers, vendors, partners, and customers.

Copyright © 2014 by McGraw-Hill Education.

Extranet Design

Copyright © 2014 by McGraw-Hill Education.

DMZ Networks and Screened Subnets

Deploy public Internet access to systems on a dedicated subnet, commonly referred to as a demilitarized zone (DMZ) or screened subnet, separate from internal systems.

A successful attack against these systems still leaves a firewall between the successful attacker and more sensitive internal resources.

The term DMZ was originally a military term used to describe a buffer area between a trusted zone and an untrusted zone, in which no military hardware was permitted.

Copyright © 2014 by McGraw-Hill Education.

Sample DMZ Configuration

Copyright © 2014 by McGraw-Hill Education.


Although the terms DMZ and screened subnet have been used interchangeably, there is a small difference between the two terms:

A DMZ is technically the small subnet between your Internet router and the external interface of your firewall.

A screened subnet is really an isolated network available only through a firewall interface and is not directly connected to the internal network.

Copyright © 2014 by McGraw-Hill Education.

Multiple DMZs

Multiple DMZs limit the breadth of a single security breach.

Application systems can consist of three separate tiers, referred to as the presentation, application, and database tiers.

The presentation layer consists of a web server that interacts with end users, accepting input, sending that input to the application layer for processing, and returning the output back to the end user.

The application layer contains the logic necessary for processing those queries and extracting data from the database.

The data that is stored in a database housed on a separate database server on its own DMZ.

Other services that aren’t directly supporting the application but provide other functions can be further segregated into a fourth DMZ subnet.

Copyright © 2014 by McGraw-Hill Education.

Example of a Multitier Application Infrastructure

Copyright © 2014 by McGraw-Hill Education.

Outbound Filtering

Failure to restrict outbound access creates a number of significant risks to the corporation and its infrastructure, such as users accessing services that do not comply with corporate security policies or that do not have legitimate business purposes.

Additionally, failure to filter traffic leaving the corporate network may allow an attacker to use the network to launch attacks on other networks.

Copyright © 2014 by McGraw-Hill Education.

Web Access Considerations

Proxy servers can be configured to block connections to URLs that are considered likely to be malicious or unnecessary for normal operation, such as those containing certain scripts or other executable files.

Proxy services are hardened processes that can run internally on a firewall or be provided separately by a dedicated server.

Web filtering today can be handled via a variety of specialized products and appliances, including some cloud-based offerings.

Copyright © 2014 by McGraw-Hill Education.


The ultimate goal of network security is to enable authorized communications while mitigating information risk to acceptable levels.

Design elements such as segregating and isolating high risk or other sensitive assets as well as defining and maintaining a strong network perimeter go a long way toward achieving those goals.

As networks become ever more interconnected, a thorough and strongly typed network architecture/design will be required to achieve and maintain a well-secured network.

Copyright © 2014 by McGraw-Hill Education.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *