Don't Fear the Network Assessment! Part 4

In our final chapter of the “Don’t Fear the Network Assessment” series, we talk about the edge networks & firewalls assessment and give you details on the areas of focus that your team will be investigating.

In Part One we encouraged you and your support team to consider the network assessment as a valuable opportunity to review your infrastructure, validating its stability and security.  We identified that the best approach is to segment out your environment into three key categories including:

By breaking down your network into these three areas, you can take a phased approach to your network assessment, or focus on the parts of your network that are the biggest pain points for the business.

PART 4: EDGE NETWORKS & FIREWALLS ASSESSMENT

Edge networks are the first line of defense for protecting your business from the public Internet. Whether you host your company’s website within your own datacenter, offer remote access to internal IT services for employees, or simply provide Internet access, successfully locking down the borders is key. An assessment of your firewalls and demilitarized zones (DMZs) is a critical exercise for your network and security teams.

AREAS OF FOCUS

  • Edge Networks & DMZ Topology
    • Document your existing edge network topology or review existing documentation
    • If you don’t currently have a DMZ, it's a great time to start considering if one should be a requirement for your type of business.
  • Hardware Lifecycle
    • Review firewall appliances for End of Service (EOS)/End of Life (EOL) status
    • Review intrusion prevention/intrusion detection appliances for EOS/EOL status
    • Review web and email security appliances for EOS/EOL status
    • Identify hardware where upgrade is required or suggested
    • Identify hardware that is still under vendor maintenance and support
    • Review firmware and software running on security appliances
    • Review spare hardware inventories
  • Firewall Configurations
    • Review access control list (ACL) configurations
      • Ensure that your existing ACLs are still relevant and don’t contain rule-sets that are no longer in use or required
      • Ensure ACLs are still in-line with the firewall requirements of public facing IT services
    • Review network routing
      • Are you using static routes to your DMZ and Internal networks?
      • Are you using Web Cache Communication Protocol (WCCP) to redirect web traffic to an intrusion prevention/intrusion detection or web security appliance?
    • Review network address translation (NAT) configurations
      • Check NAT configurations to make sure there are no translations in place related to retired IT services
      • Do you have NAT rules for unused public IP addresses?
  • Edge Network and DMZ Segregation
    • Review DMZ/Secure Zone configurations
      • Is your DMZ properly isolated from your Internal networks?
      • Do you have both an internal and an external firewall, or is the DMZ hung off a single firewall?
  • Virtual Private Network (VPN) Remote Access
    • Review VPN configurations
      • Do you restrict VPN users to an Active Directory group?
      • Do VPN sessions terminate on your external firewall or a VPN appliance?
      • Are VPN users restricted in what they are allowed to access?
  • Firewall Management Security and Access
    • Review firewall appliance management access configurations
      • Are your firewalls restricted to only approved administrators?
      • Do you use external authentication for secure shell and secure web admin connections?
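As an added example (not code from the original post), the ACL and NAT review items above can be partly automated once you have the listing of externally accessible services that the consultant section asks for. The rule format, addresses and hit counts below are constructed for illustration and are not any vendor's export format.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory of externally reachable services:
# service name -> (public IP, private/DMZ IP). Documentation ranges, not real hosts.
INVENTORY = {
    "www":  ("203.0.113.10", "10.10.1.10"),
    "mail": ("203.0.113.20", "10.10.1.20"),
}

@dataclass
class AclRule:
    name: str      # rule identifier as shown on the firewall
    action: str    # "permit" or "deny"
    proto: str
    dst: str       # destination address or CIDR on the private/DMZ side
    hits: int      # hit counter exported from the firewall

@dataclass
class NatRule:
    public_ip: str
    private_ip: str

def audit_acl(rules, inventory=INVENTORY):
    """Flag permit rules that target no inventoried service or have never matched."""
    known = {priv for _, priv in inventory.values()}
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        net = ip_network(r.dst, strict=False)
        if not any(ip_address(p) in net for p in known):
            findings.append((r.name, "permit to address with no inventoried service"))
        elif r.hits == 0:
            findings.append((r.name, "permit rule with zero hits; candidate for removal"))
    return findings

def audit_nat(nats, inventory=INVENTORY):
    """Flag static translations that do not match an inventoried public/private pair."""
    known = {pub: priv for pub, priv in inventory.values()}
    return [(n.public_ip, "translation does not match any inventoried service")
            for n in nats if known.get(n.public_ip) != n.private_ip]

# Constructed firewall export: one retired intranet host (10.10.1.30) still has rules.
SAMPLE_ACL = [
    AclRule("dmz-in-10", "permit", "tcp", "10.10.1.10/32", 12034),
    AclRule("dmz-in-20", "permit", "tcp", "10.10.1.20/32", 0),
    AclRule("dmz-in-30", "permit", "tcp", "10.10.1.30/32", 0),
    AclRule("dmz-in-99", "deny", "ip", "0.0.0.0/0", 55),
]
SAMPLE_NAT = [NatRule("203.0.113.10", "10.10.1.10"), NatRule("203.0.113.30", "10.10.1.30")]
```

Hit counters on many platforms reset on reload or when the ACL is edited, so compare counts across a sampling window rather than removing a zero-hit rule on a single reading.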

WHAT CONSULTANTS WILL REQUIRE

If you have determined that the best value for your team is to have a consultant complete the assessment for your business, there are several items you may be asked to provide:

  • All network topology documentation you have related to your edge networks
  • Remote administrative access to all L2/L3 LAN switches related to your edge network/DMZ
  • Remote administrative access to all firewall appliances
  • A listing of all your externally accessible IT services with both public and private IP addressing

AFTER THE ASSESSMENT

Take all this valuable information about your edge network infrastructure and follow these steps after the assessment:

  • Develop, budget, and initiate a remediation plan to address any discovered security deficiencies
  • Develop, budget, and initiate a remediation plan to address any discovered configuration deficiencies
  • Develop, budget, and initiate a network hardware refresh for aging infrastructure
  • Update your existing support documentation with new information for operational teams

In this series, we introduced you to many of the benefits that can be realized by conducting assessments of your most important network infrastructure.  We also described the many areas of focus and some suggestions for the types of things to consider during this process.  For those of you who may be considering having a consultant come in to perform one or more of the assessments, we provided you with a list of requirements that consultants should be asking you and your team to provide.

ENGAGE WITH US!

At McComb Technology Solutions, we offer all of the network assessments that were covered in the “Don’t Fear the Network Assessment” series, conducted by internetworking professionals with experience in enterprise environments. For network assessment engagements, please contact me at bmccomb@mccombtechnology.ca today!

About the Author:
Brad McComb is a Solutions Expert in Enterprise Networks and Unified Communications with McComb Technology Solutions. He is highly motivated towards promoting excellence and professionalism within the Information Technology sector and completing remarkable work for the clients he serves. Brad’s specialties include Cisco internetworking, firewalls & web security, load balancers, wireless technologies, Cisco Unified Communications, Cisco Telepresence and Riverbed technologies. For consulting engagements, please contact him at bmccomb@mccombtechnology.ca.
