Although it happens far less often now, I still occasionally sit down with a customer who says, "OK, the network design is done, now we need to think about security. We're certain we need a firewall and have also heard something about IDS."
Designing secure networks in this manner puts you on a fast track to a network design in which the security is tacked on, interferes with the performance of the network, and is viewed by the rest of the Information Technology (IT) staff as a necessary evil and a burden to the operation of the network. Although it is true that security generally isn't "free" from a network design perspective, if you design it from the beginning, it can achieve a balance with the rest of the network infrastructure. This improves not only the security of your network but also its reliability and scalability.
Let's consider a very basic example. Suppose you must provide connectivity between a data center, a group of users, and a remote company accessing your network over an extranet connection. Without thought to security, your network design might resemble the network shown in Figure 1-2.
Figure 1-2. No Security Example
Along comes the information security (INFOSEC) representative who says, "Whoa! What are you doing connecting this other company right into our data center? We need some security here." So, you wind up adding a software firewall to the router with a series of ACLs to control traffic flows between the remote company and the data center. With the router taking on the added burden of software firewalling, its CPU starts to increase in utilization. This causes performance degradation not only between the remote company and the data center, but between the users and the data center as well. Here you see network security not promoting good network design but rather impacting the network design. Even if you fast-forward into the future of wire-speed firewalls and crypto in every device, the operational complexity introduced by having disparate systems connected through the same system is not trivial.
If you back up and redo the design while thinking about the security risks, you might wind up with a network resembling the one in Figure 1-3.
Figure 1-3. Design with Security
The network shown in Figure 1-3 is a gross oversimplification, of course, but hopefully it gets the point across. In this example, a separate firewall is installed between the remote company and the data center that can provide better controls with less performance impact, simplified operations, and, best of all, it in no way affects the communication between the users and the data center.
When you get further into the book, you will see much more complex examples of secure network designs. As you increase the number of variables from a security and networking standpoint, this problem only amplifies. The easiest way to ensure consistent and predictable security throughout your organization is to think about it right when you are in the design phase of the network as a whole. Unfortunately, if you've inherited an existing network that requires security improvements, this isn't always easy.
When you have a preexisting network that has little or no network security, the most effective way to improve its security is to logically divide the network into functional modules. Then improve each module individually, focusing on the area of greatest weakness. Don't be afraid to take a more comprehensive redesign of these smaller areas. Tacking on bits of security here and there to avoid readdressing IP ranges or other burdensome tasks usually creates more work in the long run once you determine that the tacked-on security isn't getting the job done. These topics receive much attention throughout the book.
To sum up, thinking about network security after you've designed the network impacts the network design. Considering security from the beginning promotes good network design. Finally, if you have an existing insecure network design, logically divide it into smaller modules and then improve the security of each area one at a time, starting with your area of greatest weakness.