Branch and remote offices are often overlooked for security because they fall prey to the out-of-sight, out-of-mind syndrome. Because many IT organizations maintain staff at the enterprise campus, the enterprise campus stays at the front of everyone's mind when discussions about network security arise.
The good news is that hardening the branch/remote offices is no different from what you will do on the enterprise campus; you just perform it on a smaller scale. Branch offices will generally connect to your enterprise campus in one of two ways. The first method is via the Internet, using a site-to-site VPN connection through the VPN/Remote Access module on the enterprise perimeter. The second method is via a WAN connection through the WAN module on the enterprise perimeter. You should secure these connection methods as detailed in Chapter 11.
Regardless of which type of connection the remote office uses, the internal network of the remote office should be hardened in the same fashion as the enterprise campus, again just on a different scale. You should take advantage of VLANs, packet filtering, NIDS/NIPS, HIDS/HIPS, and content filtering and inspection. Finally, you should configure your enterprise so that remote branches have access only to the subnets in the campus that they require. For example, your remote branches almost certainly do not require access to the building distribution or building access modules in your network. Consequently, you should implement filtering, preferably at each end of the WAN connection, to keep unnecessary traffic off the WAN link and to block all unnecessary traffic from being passed to the remote offices.
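As an added illustration (not from the book), here is a Cisco IOS style filter pair for the WAN-module case: the branch on 10.20.0.0/16 needs only the campus server farm (10.1.10.0/24) and directory/DNS services (10.1.20.0/24), while 10.1.100.0/22 holds the building access and distribution modules; all addresses, ports and interface names are constructed. The campus-side list is applied inbound on the interface facing the branch, and the mirror list at the branch end drops unnecessary traffic before it consumes the link.

```cisco
! ---- Campus-side WAN router: filter traffic arriving from the branch ----
ip access-list extended BRANCH-TO-CAMPUS
 remark Branch 10.20.0.0/16 may reach the server farm and infrastructure services only
 permit tcp 10.20.0.0 0.0.255.255 10.1.10.0 0.0.0.255 eq 443
 permit tcp 10.20.0.0 0.0.255.255 10.1.20.0 0.0.0.255 eq 389
 permit udp 10.20.0.0 0.0.255.255 10.1.20.0 0.0.0.255 eq domain
 permit tcp 10.20.0.0 0.0.255.255 10.1.20.0 0.0.0.255 eq domain
 remark Building access/distribution (10.1.100.0/22) is never a legitimate destination; log hits for the NIDS/SOC
 deny   ip 10.20.0.0 0.0.255.255 10.1.100.0 0.0.3.255 log
 remark Everything else from the link, including packets with non-branch source addresses, is dropped
 deny   ip any any log
!
interface Serial0/0/0
 description WAN link to branch office
 ip access-group BRANCH-TO-CAMPUS in
!
! ---- Branch-side WAN router: keep unnecessary traffic off the WAN link ----
ip access-list extended CAMPUS-BOUND
 remark Only the branch prefix may source traffic toward the campus, and only to required subnets
 permit tcp 10.20.0.0 0.0.255.255 10.1.10.0 0.0.0.255 eq 443
 permit tcp 10.20.0.0 0.0.255.255 10.1.20.0 0.0.0.255 eq 389
 permit udp 10.20.0.0 0.0.255.255 10.1.20.0 0.0.0.255 eq domain
 permit tcp 10.20.0.0 0.0.255.255 10.1.20.0 0.0.0.255 eq domain
 deny   ip any any log
!
interface Serial0/0/0
 description WAN link to campus
 ip access-group CAMPUS-BOUND out
```

Both lists are stateless and match only the branch-to-campus direction; server replies traverse the same interfaces in the opposite direction and are not evaluated by these lists, so a stateful inspection feature is needed if return traffic must also be policed.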