Modern Network Architecture – Security Design
Security has become an increasingly serious problem for the modern network architect. Security risk can be divided into two areas: internal and external. Overall security strategies can be divided into monolithic (centralized) and distributed (decentralized). Many people think that most security attacks come from external sources. The reality is that far more security breaches come from inside, from employees within the organization. Modern network architecture models need to include a system for monitoring both internal and external security breaches. This article touches on some of the considerations when planning a secure network.
Hollywood movies are all about rogue technical geniuses who can break into any system at any moment. The reality is that most external hacks like those we see in the movies require practice, deep technical understanding and months (sometimes years) of planning. When it comes to security spend, most of the security budget (often over 70%) is spent on protecting against these types of security attacks. Yet 90% of security breaches are made by internal users on the network.
There is a certain level of trust associated with an FTP employee. I often walk into businesses where everyone is an administrator or everyone knows the administrator password. Often an owner will say, “We trust all our employees.” I can only repeat the old New England adage “Good fences make good neighbors.” Even when security is thought to be strong, something always happens when a new system administrator takes over the network.
Whenever I take over a new network I’ll have a visitor. Without my asking, I’ll be asked to step outside with one of the employees. That employee will warn me that security has been breached. Usually the employee records, managed by Human Resources (HR), are being openly read by certain employees. HR personnel often complain that they catch someone reading private documents when sent to a shared printer. I’ve even caught an employee breaking their NDA (non-disclosure agreement) as they were leaving to work for a competitor. Architecting the right security structure is an essential consideration when architecting network infrastructure.
Smaller organizations have what some books describe as a Monolithic security model. This is a centralized model of security where a small group of security experts manage every security policy and security setting across the entire organization. A distributed model delineates the organization into smaller redundant organizations. Then a security admin is placed in charge of their section, but has no rights in another security admin’s section.
Imagine an organization with millions of users. Following a monolithic model might require waiting months to create access for a new employee. In a distributed model, the time can be shortened because each security section has its own admin.
Active Directory can be designed to support either model. Security can be managed at the forest level for a monolithic security model. The forest can be delineated into domains for most security activities. Organizational units can further delineate the domain for support and distribution of some security policies.
What happens, though, if there is a breach? If no one even realizes that a system has been broken into, the breach can remain open for years. Designing a system for monitoring access allows management and security to enforce security principles. Windows has several built-in utilities for monitoring access to data and network resources. These systems require that the company follow certain security best practices.
One organization I worked with had an employee who left suddenly and was working for a competitor across town. After reviewing the access logs from the night before, we noticed that hundreds of documents had been printed on one of the corporate printers. The last document printed was a letter of resignation by the employee. The employer had the corporate attorney explain the situation to the competitor. The attorney also explained that the NDA and other clauses prohibited the competitor from disclosing certain intellectual property to his employers. He further explained that if the competitor used any information that was printed before the employee left, the competitor and the employee would be sued.
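A log review like the one described above can be automated. The following is an added example, not code from the original article: it scans print-job records for heavy after-hours printing by a single user. The CSV column names, sample rows, user names and thresholds are all constructed for illustration and do not represent a real Windows export format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: print-job records exported to CSV. Column names are
# assumptions for this example, not a real Windows export format.
SAMPLE_LOG = """timestamp,user,printer,document,pages
2024-03-04T10:15:00,asmith,PRN-2F,agenda.docx,2
2024-03-04T14:40:00,bjones,PRN-2F,invoice_118.pdf,1
2024-03-04T21:02:00,cdoe,PRN-3F,customer_list.xlsx,40
2024-03-04T21:05:00,cdoe,PRN-3F,pricing_2024.xlsx,35
2024-03-04T21:09:00,cdoe,PRN-3F,design_spec_v7.pdf,120
2024-03-04T21:20:00,cdoe,PRN-3F,supplier_contracts.pdf,88
2024-03-04T21:31:00,cdoe,PRN-3F,resignation_letter.docx,1
2024-03-04T19:10:00,asmith,PRN-2F,timesheet.pdf,1
"""

def after_hours(ts, start_hour=8, end_hour=18):
    """True when the job ran on a weekend or outside start_hour..end_hour."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)

def flag_bulk_printing(log_text, min_jobs=3, min_pages=100):
    """Return {(user, date): summary} for users whose after-hours printing
    on a single day reaches both thresholds."""
    totals = defaultdict(
        lambda: {"jobs": 0, "pages": 0, "last_ts": None, "last_document": None}
    )
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if not after_hours(ts):
            continue
        entry = totals[(row["user"], ts.date())]
        entry["jobs"] += 1
        entry["pages"] += int(row["pages"])
        # Track the most recent job so the reviewer sees how the session ended.
        if entry["last_ts"] is None or ts > entry["last_ts"]:
            entry["last_ts"], entry["last_document"] = ts, row["document"]
    return {key: val for key, val in totals.items()
            if val["jobs"] >= min_jobs and val["pages"] >= min_pages}

if __name__ == "__main__":
    for (user, day), s in flag_bulk_printing(SAMPLE_LOG).items():
        print(f"{day} {user}: {s['jobs']} after-hours jobs, "
              f"{s['pages']} pages, last: {s['last_document']}")
```

Requiring both a job count and a page count keeps a single late timesheet from raising an alert; the thresholds should be tuned against the organization's normal printing volume.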
Most organizations could use a better security policy. The network architect needs to identify potential security risks and architect the network to mitigate these risks when possible. Smaller companies tend to use a monolithic or centralized security model, whereas larger companies tend to have much more distributed models. Without some system for monitoring data and resources across the network for inappropriate access and usage, the organization cannot protect itself. The network architect is in charge not only of architecting security into the network architecture but also of documenting, disseminating and enforcing the network security and other policies for the management teams.