Design a Secure Network Now

First: Inventory Systems and Policies

Think of this as examining the two great physical assets most organizations possess: their systems and their people.

• Examine systems (on-site or off) to document what assets you manage. Many IT managers are shocked at what they find (e.g., applications that are not currently in use; servers that are extremely under allocated). As the MSP or IT provider, you need this information, and it will likely enlighten your client as well.
   
• Interview employees to learn what they know and what kind of guidance they’ve received. What policy documentation is in place? What kind of training on IT security have they received?

A systems inventory is critical, for how you can protect assets you didn’t know you have? And how can you optimize environments without knowing what they contain?

Policies and training are also important, as employees are often the “weakest link” and are the least controllable asset in a company’s possession.

Second: Workshop Needs & Plans

This is a step that is easily missed, and it's the job of the MSP to point out to upper management that there is a need for your services. When MSPs point out a need, they need also to provide the solution. Once there is buy-in from the decision makers, MSPs need to communicate what needs to be done, the steps to do it, and any internal resources that are needed for alignment and execution. 

The best way to do this is:

• Interview key management
• Run workshops with managers

Carefully document these meetings and ask management to review and approve your mutual conclusions.

Third: Audit to Identify Vulnerabilities

To prevent intrusions to your clients' networks, it is critical that an audit is executed. Security gaps need to be identified, defined, and classified in terms of severity.

An audit accomplishes many things, including the following:

• Provides the most comprehensive understanding of your overall security posture
• Prioritizes risks and fixes to those risks to reduce exposure
• Increases the integrity of your entire environment (physical assets and employees)

Focus on these Areas for a Secure Network Design

Physical Security

You might not chart physical security on a technical diagram, but physical security policy needs to be as specific as possible and communicated broadly – especially when the policy changes.

• Organizations should set terms for accessing physical assets (stationary like servers or mobile like cell phones and tablets).
• Policy documents should be tailored to those employees that have a need to access the hardware. Non-eligible employees should be alerted by emphasizing consequences for non-compliance.
• Technologies that enhance physical security include RFID cards, premium locks, fingerprint reading devices, PIN pads and retinal scanners. Management may need to be advised that the company should not skimp on purchasing quality devices to enhance physical security.

Not to be overlooked: Any physical protection guarding sensitive areas around servers that hold critical business data.

• If servers are off-site, the facility should provide documents containing their most recent security audits.
• If servers are on site, multiple barriers to entry need to be created to protect data.

Unapproved access to encryption codes, network schemes, IP addresses or administrative user IDs and passwords could have a devastating effect on your company. MSPs and IT providers are encouraged to help their clients truly think through all of these physical components, even if the MSPs rarely visits the physical business location.

Get into VLANS with Subnets and QoS

VLAN (Virtual Local Area Network) refers to the splitting off of devices in your clients' network infrastructure logically while keeping them unchanged physically. VLANs can reduce the overhead of the network, make administration easier, and improve security.

Add Subnets

A subnet is like a VLAN in that it is also a logical separation in the network. Any network that has just one subnet in which a device is compromised has all devices compromised. This compromise could be a virus or a hacker. If this happens you’ll try to recover this one subnet all at once, but by the time you’ve secured one device, more may be compromised.

Subnets break the network into more places in which you can secure or segregate. These can take the form of packet filters or complete firewalls. IDS (Intrusion detection systems) have less work to do as there is less traffic to track.

Any intrusions into subnets are going to be more isolated and easier to troubleshoot. You can shut down access from that subnet to the rest of the network, for example, to prevent a virus or hacker from spreading. It is generally a good idea to have your most sensitive data, that from the HR and finance departments, on their own networks. This gives you far more control on machines with critical data.

Engage QoS

Quality of Service (QoS) is the third element to implement in a secure network design.

QoS acts like a traffic cop (within routers and switches) by giving priority for some VLANs over others. This is important not just for security, but also for any VoIP (Voice over IP) implementations. This is because, without QoS, latency can degrade the transmission of VoIP until dropped calls and other issues develop. QoS can hold the “stop” sign to data traffic to enable full transmission of voice data.

Add More and Better Firewalls

Firewalls direct traffic like QoS; they’re just a bit more definitive. Rather than focus on priority, they give the “thumbs up” or “thumbs down” sign to traffic based on preset parameters.

Firewalls should not be used just for perimeters — they should wall off any critical data in the network, even a single server. Your HR and Finance department servers might be good places to implement firewalls.

Use the DMZ

In computer security, a DMZ or demilitarized zone is a subnetwork that exposes a company’s external-facing offerings to a larger, less trusted network (typically the internet).

Some obvious examples are websites and email systems. By isolating these systems, you’re reducing the number of the overall assets or services that need to be managed securely. This can substantially lighten your administrative load and enhance security.

Design for Hierarchy

The prototype for network hierarchy is the three-layer (or three-tier) model. It has been adopted industry wide as a model for being reliable, scalable and cost-efficient. The three-layer design includes:

• Core
• Distribution
• Access

This allows for data to take a direct path to a particular layer, which improves efficiency and adds another layer of security.

Add Port Security

Port Security is a capability in most switches that gives a device permission to use that switch. When the switch flags a violation, it can automatically shut down by disabling that port to further network access.

Port Security allows for the limiting of both the number and type of devices that are allowed on the individual switch ports.

Evaluate Wireless

Wireless security has become a critical IT priority due to its growth and importance. Smart phones, tablets and mobile POS (point of sale) devices have overtaken previous fixed wire technologies, yet have brought a new level of vulnerability to organizations deploying them. You’ve got to protect against basic intrusions into the network to safeguard cardholder data, critical network data and every user’s privacy.

Depending on the size and scope of your wireless network, you may decide to pursue the following:

• Strategy plan for overall wireless security
• Risk/Compliance plan to help you manage risk vis a vis regulatory requirements
• Threat management investigation including a thorough wireless security assessment
• Incident management plan, detailing how you’ll respond to incidents
• Architecture evaluation to assess your current plan and draft improvements
• Training and awareness to address the human behavior (to help reduce risk)
• Identity and access management plan so only trusted users (employees/partners/consumers) can efficiently access services on your network using approved wireless devices

Get Comprehensive Layered Security with SolarWinds MSP

After you’ve extracted as much value from the above plan, the next step in keeping your network secure is the use of multiple layers of protection to shield your assets from intrusion.

MSP Risk Intelligence scans for three types of threats:

• Sensitive data
• Vulnerabilities
• Unapproved access permissions

It also assesses an exact cost for the level of liability a client is assuming in their environment.

SolarWinds MSP's platform also provides the best IT security available today, with a mix of proactive, detective, and reactive security.

Sign up for a free trial of MSP RMM today, and get access to the many tools that make designing a secure network easier and more efficient.

About SolarWinds MSP

SolarWinds MSP delivers the only 100% SaaS, fully cloud-based IT service management (ITSM) platform, backed by collective intelligence and the highest levels of layered security. SolarWinds MSP's MAX products including Risk Intelligence, Remote Management, Backup & Disaster Recovery, Mail, and Service Desk – comprise the market’s most widely trusted integrated solution.

Deployed on millions of endpoints across hundreds of thousands of networks, the platform has the industry vision to define and deliver the future of the market. SolarWinds MSP provides the most comprehensive IT security available as well as LOGICcards, the first ever IT notification feature powered by prescriptive analytics and machine learning.

Our passion is helping IT professionals secure and manage their systems and data through actionable insights, rewriting the rules of IT.

For more information, contact us.