Design Considerations: Security and Manageability
In the first three blogs of the series “Pillars of the Earth”, I covered cost, scalability, and speed and availability. In this final blog of the series I’m covering two design considerations, security and manageability.
It’s a matter of when, not if, the network will be attacked, and whether both the network itself and the operations personnel will be ready to defend against these attacks.
I have to confess, I never liked the security domain as I prefer to see the good vs. the bad in things. Well, like it or not, in the real world we have to deal with security risks, as opposed to pretending we’re an ostrich and burying our head in the sand to avoid seeing what’s around us.
Both network resources and customer data must be protected to avoid real direct and/or indirect monetary losses, a damaged reputation, theft of intellectual property and law suits. Offenders can come from outside the company, and (sigh) sometimes from inside. They exploit known vulnerabilities and are also very good at finding new ones, disrupting normal network traffic and causing outages. Considerations for designing networks for security include:
1. Comply with company’s established security policies: These policies outline roles and responsibilities with regard to security to be consumed by Infosec personnel, internal users, partners and third parties. They include the security policy guidelines and practices (user account administration, privilege review, passwords, handling of internal and customer data), and punitive actions against violators. The policies should be periodically evaluated, and there should be periodic training and security audits to assure the security policies are understood and followed consistently. There’s no security policy? Hmmm…
2. Comply with industry and regulatory security policies: Some industries have specific policies that companies must comply with; for example Payment Card Industry (PCI) requirements exist for all companies that are involved in the transmission, processing or storage of credit and debit card data, and Health Insurance Portability and Accountability Act (HIPAA) requirements for health providers.
3. Conduct a risk analysis: Where is the network vulnerable to attack? Identify risks associated with your customer’s network components: core, distribution and access devices, servers, network management and security devices, user PCs, BYOD) and data to apply the appropriate level of security.
4. Use preventive security measures: What are the mechanisms that you can use to prepare for and repel those attacks, and how can the network devices be protected against them? Your design should include physical security, security devices, technologies and features, including Layer 2, Layer 3, remote access, and tunneling security features. Security is not static, and you should stay informed on the latest threats and follow vendors’ recommendations to prevent attacks. Balance investment on prevention (like insurance) vs. the cost of having network components and/or data compromised.
5. Use reactive security measures: Your design for security should include the ability to quickly detect security violations. When a violation is detected, the customer’s Infosec team should be quickly involved to combine different responses such as preventing further access, or isolating the violated functions (modularity plays a role here) or even the entire system.
Part of designing for manageability is to have a modular and replicable, standard network, to be able to use scripts to configure it, and to include monitoring protocols, probes, servers, and NMS systems to monitor it. But you can’t manage what you can’t see. Have documentation of the network, including a baseline, to know what “normal behavior” looks like so your customer can quickly identify when the network is misbehaving.
This article concludes the series Pillars of the Earth. I hope you found this blog series interesting.
Do you include security considerations on your network designs? Is there a topic you want to hear about on my upcoming blogs? Add it to the comments field!
Elaine Lopes is the CCDE and CCAr Certifications Program Manager and Team Lead for the CCIE program team, and she’s passionate about how lives can change for the better through education and certification.
Here are a few additional ways for us to engage and keep the conversation going:
- Cisco Learning Network CCDE Study Group
- Connect on Twitter too
- CCDE study materials for the Written and Practical exams
- Related Unleashing CCDE blogs: CCDE: The Pillars of the Earth - Part 1, CCDE: The Pillars of the Earth Part 2, CCDE: The Pillars of the Earth - Part 3, CCDE: Book of Questions, CCDE: Design Use Cases - Part 1, CCDE: Come Together, Customer Engagement in Network Design with Emanuel Lipschütz