Extranet Security

Hi

Looking for some pointers on development of various aspects of security layers when it comes to provisioning access to users who are not within the complete trust zone of an enterprise. The users may fall into below broad categories

1. Joint Ventures / Acquisitions ( Users needing joint access to certain applications only and their data over Site to Site VPN / Leased Lines - doesn't exist within our active directory- AD yet)

2. Customers located inside the premises ( Same needs as 1 but from within the LAN)

3. Road Warriors ( trusted employees access LAN from Remote VPN)

4. Vendors for software development and support ( Vendors needing complete access to servers both from LAN and internet over VPN - doesn't reside in AD)

For such permutations, what's the best mechanism to commission the  infrastructure security design from ground up?

TIA
SwiftAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Extranet DMZ has tier architecture (web/appl or appl gateway) as the proxy zone which will be the identified segment "exposed" access to remote user and vendor etc. This can include the FW and NIPS separating the tier and really depends on the risk appetite of the Enterprise (such as leakage, breach and reputation impact).

Simply see the external segments as another "Bouncer" to inspect traffic prior to granting access.

Example of possible extranet segments such as

- Internet Ext DMZ (for mobile user, remote user that need to go through the MDM gateway, VPN gateway which will connected to RADIUS for NAC or the hops into the internal AD via the intermediary FW/NIPS)
 
- Appl Ext DMZ (for specific appls intended for public access, use of MS LDS (ADAM) to expose a light weight AD, use of SAML/ XML gateway which serve possible use of SAML token to validate user identity but really dependent on the web appl/service exposed, can b via WAN like MPLS if needed more dedicated "close" access )

- Staging Ext DMZ (for validation, don't neglect its security posture since it is exposed externally and probably used by vendor / remote user for UAT, keep this to minimal, always segregate from production segments)

- Data / Voice Ext DMZ (for media feeds termination)

Internally, the traffic will then be passed on to reached the intranet resources. It can be pretty much back the same depending on your existing architecture.

Other consideration include really always think of end to end encryption for data in motion (IPSEC and better layered with L2 encryptor used) and likewise for application level confidentiality too.

You may find the below handy

It shared use case that may be implemented under a common shared infrastructure or on independent Internet edges.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html#wp41952

9 Immutable Laws of Network Design
http://www.networkcomputing.com/data-networking-management/9-immutable-laws-of-network-design/240161432

....make sure your choice is serving a purpose and providing flexibility as your network grows in the future. Don’t get pigeonholed in to a single-vendor solution when the costs outweigh the benefits, and don’t miss opportunities to standardize on platforms that can increase effectiveness of management and security.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Architecture

From novice to tech pro — start learning today.