Sergey Nivens - Fotolia


Network security design best practices and principles: Keep it simple

Comprehensive network security design means understanding the components that constitute your network and how and when everything is managed.

No two networks are alike. They may be flat LANs or multisegmented environments involving LANs, WANs and the cloud. Some modern networks for startups and SaaS organizations are fully serverless in the cloud with nothing but software facilitating it all. With all the variations of network security design, some important questions surface, including the following:

  • How can you reasonably secure each component?
  • How do you know when you have done enough to lock things down?
  • What's the best design to maximize resilience?

These questions, among others, keep IT and security professionals gainfully employed. Obviously, no single answer will suffice, but there are right ways and wrong ways to integrate security into a network.

The simplest network to secure is one that's starting from scratch. You get to design the architecture and build in necessary technical controls that can evolve with the business as it grows.

The most complex networks to secure belong to businesses that have been around for a while and have multiple systems spread across numerous locations. It's not impossible to integrate security into large networks, but those responsible for doing so have one major challenge working against them: complexity.

It's not impossible to integrate security into large networks, but those responsible for doing so have one major challenge working against them: complexity.

Complexity is the enemy of network security design, but unfortunately, most networks eventually evolve into complex ecosystems comprised of many components, including the following:

  • network infrastructure devices
  • servers and workstations
  • mobile devices
  • IoT systems
  • applications and databases
  • storage systems
  • physical security systems

These systems spread across multiple layers, and every piece along the way represents something that must be configured, controlled and monitored. Unless and until standard security controls are implemented, configurations are applied and everything is kept in check, the network is not secure.

Regardless of the size or complexity of your network, three main factors constitute a secure and resilient network:

  1. what you have
  2. where it's located
  3. how and when it's managed

From small startups to large manufacturing or healthcare organizations, having a secure environment always comes down to these three things. Additionally, three other components are essential to ensure security:

  1. actually knowing what you have;
  2. fully understanding how it's at risk; and
  3. doing what's reasonable to keep things in check.

All types of networks must be managed this way. When one or all of these three considerations are missing, that's when tangible risks come into play and incidents happen. Often, many people in charge of their network environments know little about them. They're not sure what's what and where sensitive assets are stored and processed.

There's a golden rule of security: You can't secure what you don't know about. Not knowing your environment is a data breach in the making.

There's a golden rule of security: You can't secure what you don't know about. Not knowing your environment is a data breach in the making.

Understanding network threats

Another issue in network security design is failing to acknowledge network threats and vulnerabilities, often because of a lack of proper vulnerability and penetration testing -- or, worse, none at all. Some people find, if they don't acknowledge their vulnerabilities, then they won't have to do anything about them. That's a dangerous and short-lived approach to security, but many people are willing to gamble on it.

Still, others perform adequate testing, yet they don't properly address the findings to mitigate the risks. They're not sure how their technical controls are contributing and thus have no means to measure their security to see what's working and what's not.

placement of security devices

For those who have taken all the right steps to acknowledge what's going on and the level of risk that exists, they often fail to follow up and put the proper security controls in place. On the other hand, some people simply layer new security controls on top, over and over again, which can create a false sense of security and interfere with proper oversight.

It's interesting to witness the evolution of security and see how the interpretation of a secure network has changed. Some organizations have fully virtual security configurations, relying on nothing more than workstation- and cloud-based services to lock things down. These networks are often the most secure.

Some networks in larger organizations have been engineered so well that their vulnerabilities and risks are few and far between. Still, another class of highly complex environments is chock-full of the latest and greatest security controls, and these networks are often the most exposed.

Doing what is essential but nothing more

You've no doubt heard the principle of layered security as a proven way to minimize your attack surface and risks. Network security layering can involve the following:

  • endpoint security controls, such as endpoint detection and response and cloud access security brokers;
  • network controls, such as virtual LANs and microsegmentation; and
  • perimeter controls, such as secure web gateways and next-generation firewalls.

Controls around mobile and IoT are essential as well. The important thing is doing what's necessary but nothing more. This means understanding security gaps and opportunities so you can address them with technical controls -- yet, you're not so overloaded that your responsibilities for managing so many security systems are getting in the way of security.

Many network security professionals are so buried in day-to-day minutiae they can't see the forest for the trees. That's not a good position to be in. If you feel like you don't know what you don't know or you're looking to overhaul and improve your network security design, don't be afraid to bring someone in from the outside to assist. Sometimes, all it takes is a fresh perspective to help make things more secure.

One thing's for sure: You're not going to have a secure network design if you simply keep adding on different layers of stuff. Practice the tried-and-true business principle of keeping things simple. Focus on visibility and control where it makes sense, and everything should work out just fine.

Dig Deeper on Network security

Unified Communications
Mobile Computing
Data Center