• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 507
  • Last Modified:

Extranet Security

Hi

Looking for some pointers on development of various aspects of security layers when it comes to provisioning access to users who are not within the complete trust zone of an enterprise. The users may fall into below broad categories

1. Joint Ventures / Acquisitions ( Users needing joint access to certain applications only and their data over Site to Site VPN / Leased Lines - doesn't exist within our active directory- AD yet)

2. Customers located inside the premises ( Same needs as 1 but from within the LAN)

3. Road Warriors ( trusted employees access LAN from Remote VPN)

4. Vendors for software development and support ( Vendors needing complete access to servers both from LAN and internet over VPN - doesn't reside in AD)

For such permutations, what's the best mechanism to commission the  infrastructure security design from ground up?

TIA
0
fahim
Asked:
fahim
1 Solution
 
btanExec ConsultantCommented:
Extranet DMZ has tier architecture (web/appl or appl gateway) as the proxy zone which will be the identified segment "exposed" access to remote user and vendor etc. This can include the FW and NIPS separating the tier and really depends on the risk appetite of the Enterprise (such as leakage, breach and reputation impact).

Simply see the external segments as another "Bouncer" to inspect traffic prior to granting access.

Example of possible extranet segments such as

- Internet Ext DMZ (for mobile user, remote user that need to go through the MDM gateway, VPN gateway which will connected to RADIUS for NAC or the hops into the internal AD via the intermediary FW/NIPS)
 
- Appl Ext DMZ (for specific appls intended for public access, use of MS LDS (ADAM) to expose a light weight AD, use of SAML/ XML gateway which serve possible use of SAML token to validate user identity but really dependent on the web appl/service exposed, can b via WAN like MPLS if needed more dedicated "close" access )

- Staging Ext DMZ (for validation, don't neglect its security posture since it is exposed externally and probably used by vendor / remote user for UAT, keep this to minimal, always segregate from production segments)

- Data / Voice Ext DMZ (for media feeds termination)

Internally, the traffic will then be passed on to reached the intranet resources. It can be pretty much back the same depending on your existing architecture.

Other consideration include really always think of end to end encryption for data in motion (IPSEC and better layered with L2 encryptor used) and likewise for application level confidentiality too.

You may find the below handy

It shared use case that may be implemented under a common shared infrastructure or on independent Internet edges.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html#wp41952

9 Immutable Laws of Network Design
http://www.networkcomputing.com/data-networking-management/9-immutable-laws-of-network-design/240161432

....make sure your choice is serving a purpose and providing flexibility as your network grows in the future. Don’t get pigeonholed in to a single-vendor solution when the costs outweigh the benefits, and don’t miss opportunities to standardize on platforms that can increase effectiveness of management and security.
0

Featured Post

The Growing Need for Data Analysts

As the amount of data rapidly increases in our world, so does the need for qualified data analysts. WGU's MS in Data Analytics and maximize your leadership opportunities as a data engineer, business analyst, information research scientist, and more.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now