As the internet keeps growing and more people come online, the number of network security breaches is increasing as well. To guard against these breaches, a good secure network design needs to be in place. This article discusses some of the principles of a securely designed network. Below are the five principles that will be discussed.
- Defense in depth
- Principle of Least Privilege
- Weakest Link in the chain
- Accountability and Traceability
Defense in depth
This term covers several of the principles of network design. The large number of components that make up a network, and its complexity, make the network vulnerable in many areas, and it is hard to identify which components have weak security features built in. Hence, it is desirable to build a network with many layers of security, giving more depth of protection against weaknesses in different components.
The following three rules apply to a defense-in-depth strategy.
- Defense in multiple places: This principle states that a network can be attacked from multiple points (by insiders and outsiders), so security devices should be deployed at different points in the network to stop attacks that pass through one device.
- Build layered defenses: More than one security layer should be built to stop attackers from reaching their target. For example, nested firewalls coupled with IDS/IPS could be deployed at outer and inner boundaries.
- Use robust components: This rule states that security devices should be deployed based on the value of what you are protecting and the threat at the point of application.
IT system resources of different sensitivity levels (i.e., different risk tolerance values and threat susceptibility) should be located in different security zones, be it physically or logically.
Proper placement and configuration of firewalls helps create secure architectures by dividing the network infrastructure into security zones and controlling communication between them.
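The zone model described above can be checked in code. The following is an added example, not part of the original article: it maps addresses to security zones, applies default deny between zones, and audits the allow list for rules that skip a layer. The zone names, address ranges, ports and sensitivity levels are constructed assumptions.

```python
import ipaddress

# Constructed zones: name -> (IPv4 CIDR, sensitivity level; higher = more sensitive)
ZONES = {
    "internet": ("0.0.0.0/0", 0),
    "dmz": ("192.0.2.0/24", 1),
    "app": ("10.10.0.0/16", 2),
    "data": ("10.20.0.0/16", 3),
}

# Constructed inter-zone allow list: (source zone, destination zone, destination port)
ALLOW = {
    ("internet", "dmz", 443),
    ("dmz", "app", 8443),
    ("app", "data", 5432),
}

def zone_of(ip):
    """Return the most specific zone containing ip (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, (cidr, _level) in ZONES.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    if best is None:
        raise ValueError(f"{ip} is not covered by any zone")
    return best[0]

def is_allowed(src_ip, dst_ip, dst_port):
    """Default deny between zones; only explicitly listed flows pass."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True  # traffic inside one zone does not cross a zone boundary
    return (src, dst, dst_port) in ALLOW

def layer_skipping_rules(allow=ALLOW):
    """Flag rules that let a zone reach a zone more than one sensitivity level above it."""
    return sorted(r for r in allow if ZONES[r[1]][1] - ZONES[r[0]][1] > 1)

if __name__ == "__main__":
    print(is_allowed("198.51.100.7", "192.0.2.10", 443))   # internet -> dmz
    print(is_allowed("198.51.100.7", "10.20.1.5", 5432))   # internet -> data
    print(layer_skipping_rules(ALLOW | {("dmz", "data", 5432)}))
```

Running the audit whenever the allow list changes catches a rule that would let an outer zone reach a sensitive zone without passing the inner boundary.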
Principle of Least Privilege
This rule states that access to systems should be restricted to the minimum number of users or administrators. This also covers physical access to the domain and access to the systems, applications and web services. In addition, control of external user access is covered. An extension of this rule is the “Need-to-know” rule, which states that information should be given only to the people who absolutely need to know it.
Weakest Link in the chain
The security of an IT system depends on its least secured element. A layered approach to network design, with weaker and less protected assets residing in a separate domain, mitigates the existence of these weakest links. (Humans are considered to be the weakest link in information security architectures.)
Accountability and Traceability
This principle states that security risks will exist, and we need to do our best to manage and mitigate each risk as soon as it appears.
Hence, the network architecture should provide a means of tracking user, attacker and administrator actions. This principle translates to functions such as auditing, event management and monitoring, and forensics.