When we talk about network security we need to distinguish several parts: the network perimeter, the physical (wired) network and the wireless network.
The days of the traditional perimeter solution, which typically consisted of a firewall, a forward proxy, a reverse proxy and a mail relay, are over. It is very difficult today to determine what the actual perimeter of a company is, as we move to a more mobile world where everybody needs access from everywhere, from every device, and where applications run both on-premise and in the cloud.
In our view two things need to be distinguished: inbound security, which protects access to resources, and outbound security, which protects users and applications from, for example, downloading malware.
A next-generation security gateway will be a combination of several solutions, depending on the actual environment of a customer. What should be taken into consideration is:
- Protection against zero-day attacks, Advanced Persistent Threats (APTs) and malware
- Next-generation hardware: higher throughput
- Integrated threat prevention (IPS, URL filtering, anti-virus, anti-malware, content scanning)
- User recognition
- Signatureless detection
- Virtual form factor to secure a virtualized server environment
- Reporting and management
- Multi-level DDoS protection
- Application identification
- Identity and access management for a hybrid application landscape (also see Cloud Security)
- Separate requirements for outbound and inbound security
- Integration between different solutions (e.g. NAC and security gateway)
- Threat intelligence (threat feeds) for a completely integrated solution
To be connected, always and everywhere, it is highly recommended to have a sufficient number of wired and wireless connections in a campus infrastructure. Within the area of secure infrastructure, those requirements are met by a diversity of appropriate solutions such as LAN switches, data center fabrics, wireless access points and controllers. The premise is that the need for connectivity is met on a secure-by-design basis: the right components and features are selected according to enterprise security architecture principles.
The need for an infrastructure that provides connectivity between clients and application servers is not new and has existed for decades. The continuous development of smarter, more efficient solutions with increased flexibility, functionality and manageability offers new opportunities for enterprise organizations.
Developments and needs such as Power over Ethernet (PoE+), "new style" high availability (no Spanning Tree), link aggregation, identity-aware access (802.1X), programmable systems (SDN), scalability, simplification of operational management, etc. require a regular renewal of the LAN and data center infrastructure. In particular, the need for network virtualization arises to serve the Software Defined Data Center (SDDC) architecture.
As security is increasingly integrated into the LAN, often at Layer 2, it is important to look not only at connectivity but also at the features that ensure security and availability: DHCP snooping (against rogue DHCP servers and DHCP spoofing), dynamic ARP inspection, private VLANs, IP source guard, rate limiting, storm control, etc.
- Lower power consumption
- More bandwidth / capacity
- Single operating system
- Phasing out Spanning Tree
- Non-oversubscribed design
- High availability in an active setup
- Integrated security
- Network virtualization
- Programmability (Puppet, OpenFlow)
- Integration of voice and data on a single interface, optionally both tagged
- Lower TCO
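As an added example that is not part of the original page, the following shows how the Layer 2 protections named above (DHCP snooping, dynamic ARP inspection, IP source guard, rate limiting, storm control) are typically enabled together on a Cisco IOS access switch. Cisco IOS syntax is an assumption here, as are the VLAN numbers, interface names and thresholds; private VLANs are left out because they depend on the customer's VLAN design.

```cisco
! Global: build the DHCP snooping binding table for the access VLANs.
! DAI and IP source guard validate ARP and IP packets against this table,
! so DHCP snooping must be enabled first and for the same VLANs.
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Do not insert option 82; many DHCP servers drop relayed requests
! that carry option 82 with a zero giaddr.
no ip dhcp snooping information option
! Persist the binding table so it survives a reload.
ip dhcp snooping database flash:dhcp-snooping.db
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip

! Uplink to the distribution layer: the only port allowed to forward
! DHCP server replies and unvalidated ARP.
interface GigabitEthernet1/0/48
 description uplink-to-distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust

! Access ports (data VLAN 10, voice VLAN 20): untrusted for DHCP and ARP,
! bound to the IP learned via DHCP, rate-limited and storm-controlled.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip verify source
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Two practical caveats: exceeding the DHCP or ARP rate limit puts the port in err-disabled state, so either size the limits for the real traffic (phones and hypervisor hosts generate more than a desktop) or configure errdisable recovery; and hosts with static addresses have no DHCP binding, so IP source guard and DAI will drop their traffic unless a static binding is added with `ip source binding`. Verify the result with `show ip dhcp snooping binding` and `show ip arp inspection statistics` before rolling the template out beyond a test switch.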
Wireless is now available within most enterprise architectures. How and for whom is less evident, however. In recent years there have been quite a lot of developments, some still ongoing, in the area of access points: multiple radios, new technologies such as 802.11ac, smart functions for roaming and radio management, and control and traffic management (including security) via a central controller or via a controller-less design, to name a few.
The creation of a wireless infrastructure seems simple, but practice has taught us that, in addition to choosing the right vendor, a lot of experience and expertise is needed to realize a good wireless architecture.
A well-thought-out coverage plan, a degree of high availability, the right capacity (in bandwidth and number of users) and the right functionality are a few conditions for offering a secure wireless network in an enterprise environment. That obviously needs to be combined with user authentication for guests, employees on BYOD and corporate devices before controlled access to the internet or business applications is allowed.
At SecureLink, we work with a wireless vendor that develops all its products from a security perspective.
- More bandwidth per user
- Authenticated access
- Central controllers or controller-less
- Increased wireless coverage
- Application of new wireless standards
- Scalable and highly available concept
- Integrated security
- Location-based services
- Classification by user and device context
- Integration of voice / data
Secure Workspace refers to safe access to applications, which must be accessible everywhere. Usually a VPN is set up to reach protected resources. A limitation of client-server applications is that you need a specific client to access the application. That creates an additional security risk, because the data then resides on the remote client.
There is a solution that removes those restrictions: published applications or a full virtual desktop infrastructure (VDI). Through a very thin client, which can be installed on almost any device, you get access as if you were working locally.
Since only screen updates and keyboard and mouse input are sent over the network, all data can stay in the central data center, and you get the same experience and the same level of security wherever you work. Authentication of the user is of the utmost importance here: a strong (multi-factor) authentication method in combination with VDI is highly recommended.
Virtualization is emerging at different levels. Until recently it was only common at the server level; today it is very often used at the endpoint level and in the data center. At the endpoints there are more and more virtual desktop initiatives. In the data center there is the adoption of Software Defined Networking (SDN) and Software Defined Data Centers (SDDC). The reason for those trends is the flexibility and agility of the environment. The goal is a complete infrastructure stack that can be deployed by a single person, without waiting for the various departments to deploy the individual components. Clear examples of environments that emerged from the SDDC concept are Amazon and Azure. The same concepts are becoming more and more common in larger enterprises.
Something that is very important to us is the option for extra security. Thanks to service chaining and micro-segmentation it is possible to redirect specific traffic flows through dedicated security appliances, even when the traffic is between two devices in the same Layer 2 segment.
The need for storage continues to increase. A flexible and scalable solution, scalable both in capacity and in performance, is a must. Performance is typically expressed in IOPS (input/output operations per second). Redundancy is also very important: enterprises cannot afford to lose data. To provide the necessary redundancy there are multiple options, ranging from redundant disks to completely redundant systems spread over multiple locations. It is up to the SecureLink consultants to design the best architecture for customers based on their individual needs.
Backup is closely related to storage. Backups are more and more located off-site, on your own infrastructure or even in the cloud. The challenge is to have a flexible solution that provides a fast restore when you need it. Backups are typically part of an overall disaster recovery plan and must be given due attention.