The interior network is the most vulnerable part of our network infrastructure. Implementing a secure perimeter goes a long way toward keeping the interior network secure, but perimeter controls never see traffic that originates and terminates inside the network, so we must undertake a number of design steps on the interior network to secure it against internal threats.
The most important aspect to remember in designing your internal network is the need for trust model enforcement. You need to define which systems may talk to each other, over which protocols and ports, and build your network so that everything outside that trust model is denied. The most effective method of doing this is through a modular design process. Within the interior network, we have the following modules to consider:
Core module This module exists to facilitate fast communications among all of the other modules in the design. Security is not provided at this level, relying instead on security at the other modules to protect the network.
Server module This module exists to provide end user services and applications. Security is provided through the use of firewalls and ACLs to control the access to this module, and PVLANs to further segment the resources and prevent them from communicating with each other. Because the most valuable resources in the enterprise likely reside in this module, extensive use of IDS/IPS is employed to analyze and monitor the traffic.
Building distribution module This module exists to provide data services to the building access module and to connect the building access module with the rest of the network. This module effectively ties everything in the campus together, acting as the intermediary connection between the access devices and the rest of the network. Security is provided through the use of VLANs and PVLANs, as well as through extensive firewalling and filtering, to ensure that communications can only occur between authorized and permitted hosts.
Building access module This module exists to provide end user connectivity to the network. Security is provided through the use of layer 2 security features such as port authentication (802.1X) and MAC address filtering to ensure that only authorized systems are permitted to connect to the network.
Management module This module exists to facilitate the secure management of your network resources. This module is effectively a network within the network, connecting to all of our network devices for out-of-band management, while using firewalling and filtering methods to provide secure in-band management as required.
Lab module This module provides a safe and secure method for testing unsecured and new applications and services. Security is provided by ensuring that this module is not connected to the rest of the campus network, or if a connection is required, by implementing firewall and filter controls to explicitly permit the minimum-required network access while denying everything else.
Branch/remote module This module is a scaled-down version of the rest of the modules, suited for smaller remote and branch offices. For branches that have their own Internet connection, a firewall and IDS/IPS are required to provide perimeter protection comparable to that of the enterprise campus Internet module. For branches that use WAN connections, firewalls or IPsec can be implemented to provide perimeter protection as well as data protection across the WAN connection. Otherwise, the remote and branch office module is treated like the rest of the interior network modules, employing VLANs, PVLANs, IDS/IPS, firewalls, and filtering, as required.
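The trust model that ties these modules together is easiest to get right when it is written down as data rather than left implicit in device configurations. The following is an added example, not code from the original text: it encodes an explicit, default-deny trust model between the server, distribution, access, management, and lab modules, applies PVLAN isolation inside the server and access modules, renders the model as an IOS-style extended ACL, and audits a set of flow records against it so that any flow that should have been filtered stands out. The module prefixes, the permitted services, and the flow records are all constructed assumptions for illustration; the core module owns no end hosts and is therefore not given a prefix.

```python
import ipaddress

# Assumed addressing per module (constructed for this example, not from the page).
# The core module is transit only and owns no end hosts, so it has no prefix here.
MODULES = {
    "server":       ipaddress.ip_network("10.10.0.0/16"),
    "distribution": ipaddress.ip_network("10.20.0.0/16"),
    "access":       ipaddress.ip_network("10.30.0.0/16"),
    "management":   ipaddress.ip_network("10.99.0.0/24"),
    "lab":          ipaddress.ip_network("192.168.100.0/24"),
}

# The trust model: which module may open which (proto, port) to which module.
# Anything absent from this table is denied (default deny); the lab module is
# deliberately absent so it stays disconnected from the campus.
ALLOWED = {
    ("access", "server"):           {("tcp", 80), ("tcp", 443)},
    ("management", "server"):       {("tcp", 22)},
    ("management", "distribution"): {("tcp", 22), ("udp", 161)},
    ("management", "access"):       {("tcp", 22)},
}

# Modules whose hosts sit on isolated PVLAN ports: host-to-host traffic inside
# the module is dropped even though both ends share a prefix.
PVLAN_ISOLATED = {"server", "access"}


def module_of(ip):
    """Return the module name that owns ip, or None if it is outside the model."""
    addr = ipaddress.ip_address(ip)
    for name, net in MODULES.items():
        if addr in net:
            return name
    return None


def is_permitted(src_ip, dst_ip, proto, port):
    """Evaluate one flow against the trust model; anything not listed is denied."""
    src, dst = module_of(src_ip), module_of(dst_ip)
    if src is None or dst is None:
        return False                      # unknown address: not in the trust model
    if src == dst:
        return src not in PVLAN_ISOLATED  # intra-module traffic only where not isolated
    return (proto, port) in ALLOWED.get((src, dst), set())


def to_acl():
    """Render the trust model as IOS-style extended ACL lines (wildcard masks)."""
    lines = []
    for (src, dst), services in sorted(ALLOWED.items()):
        s, d = MODULES[src], MODULES[dst]
        for proto, port in sorted(services):
            lines.append(
                f"permit {proto} {s.network_address} {s.hostmask} "
                f"{d.network_address} {d.hostmask} eq {port}"
            )
    lines.append("deny ip any any log")   # explicit, logged default deny
    return lines


def audit_flows(flow_records):
    """Return the observed flows the trust model should have blocked.

    flow_records: iterable of 'src dst proto port' strings. A hit means the
    filtering between (or within) modules is missing or misconfigured.
    """
    violations = []
    for rec in flow_records:
        src, dst, proto, port = rec.split()
        if not is_permitted(src, dst, proto, int(port)):
            violations.append(rec)
    return violations


# Constructed sample flow records, not real telemetry.
SAMPLE_FLOWS = [
    "10.30.5.7 10.10.1.2 tcp 443",       # access -> server HTTPS: permitted
    "10.30.5.7 10.10.1.2 tcp 22",        # access -> server SSH: not in the model
    "10.99.0.5 10.10.1.2 tcp 22",        # management -> server SSH: permitted
    "192.168.100.9 10.10.1.2 tcp 443",   # lab -> server: lab is disconnected
    "10.10.1.2 10.10.1.3 tcp 445",       # server -> server: PVLAN isolation
    "10.30.5.7 10.30.6.8 tcp 445",       # access -> access: PVLAN isolation
]

if __name__ == "__main__":
    print("\n".join(to_acl()))
    for v in audit_flows(SAMPLE_FLOWS):
        print("VIOLATION:", v)
```

The ACL rendering only covers inter-module filtering; the PVLAN isolation inside the server and access modules is a switch-port configuration, which is why the audit checks it separately rather than deriving it from the ACL. Running the audit over real flow exports from the distribution layer is a cheap way to confirm that the deployed filters actually match the documented trust model.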