By segmenting a network, and applying appropriate controls, we can break a network into a multi-layer attack surface that hinders threat agents/actions from reaching our hardened systems.
Network segmentation has been a "set it and forget it" effort, which once done is almost immediately out of date. But network segmentation needs to be managed, and policies continuously enforced to maintain the desired network segmentation and this is where we come into picture.
At NII, we see customers with hundreds of firewalls, routers, and switches across their network, each on average having hundreds of rules per device. A typical enterprise therefore has to consider tens of thousands of rules when segmenting its network in order to maintain a security and compliance.
By hardening routers and switches, we will make it much more difficult for attackers to penetrate the infrastructure components of your company. Routers and switches are often the most overlooked network components with respect to Data Security. Most people think data security is only related to firewalls, intrusion detection systems, VPN’s, monitoring systems, and security policies. By hardening your routers and switches we can help you preventing the following:
- Giving attackers information about your network so they can design a successful attack.
- Accidental or intentional reconfiguration.
- Using networking components to launch further attacks.
Without adequate defenses, monitoring, and auditing, router and switch compromises will go undetected.
Which Routers And Switches To Protect?
- Border routers that connect your company to the Internet
- Switches that are used in the DMZ and screened subnets outside the firewall
- Routers and switches that are connected to internal trusted or secure networks
- Routers and switches that perform packet filtering
VLAN Segmentation: User productivity and network adaptability are important for business growth and success. VLANs make it easier to design a network to support the goals of an organization. The primary benefits of using VLANs are as follows:
- Security: Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches.
- Cost reduction: Cost savings result from reduced need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.
- Better performance: Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.
- Shrink broadcast domains: Dividing a network into VLANs reduces the number of devices in the broadcast domain.
- Improved IT staff efficiency:
- Simpler project and application management: VLANs aggregate users and network devices to support business or geographic requirements.
We also do implement additional security features i.e. TACACS+ or RADIUS to provide access control for network devices through the use of one or more centralized servers. It provides separate authentication, authorization and accounting services over TCP and use of TACACS, TACACS+ or Radius for system authentication with separate authorization privileges to control the level of access each person has to the device.