Solved

Extranet Security

Posted on 2014-01-09
1
491 Views
Last Modified: 2014-02-02
Hi

Looking for some pointers on development of various aspects of security layers when it comes to provisioning access to users who are not within the complete trust zone of an enterprise. The users may fall into below broad categories

1. Joint Ventures / Acquisitions ( Users needing joint access to certain applications only and their data over Site to Site VPN / Leased Lines - doesn't exist within our active directory- AD yet)

2. Customers located inside the premises ( Same needs as 1 but from within the LAN)

3. Road Warriors ( trusted employees access LAN from Remote VPN)

4. Vendors for software development and support ( Vendors needing complete access to servers both from LAN and internet over VPN - doesn't reside in AD)

For such permutations, what's the best mechanism to commission the  infrastructure security design from ground up?

TIA
0
Comment
Question by:fahim
1 Comment
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39770056
Extranet DMZ has tier architecture (web/appl or appl gateway) as the proxy zone which will be the identified segment "exposed" access to remote user and vendor etc. This can include the FW and NIPS separating the tier and really depends on the risk appetite of the Enterprise (such as leakage, breach and reputation impact).

Simply see the external segments as another "Bouncer" to inspect traffic prior to granting access.

Example of possible extranet segments such as

- Internet Ext DMZ (for mobile user, remote user that need to go through the MDM gateway, VPN gateway which will connected to RADIUS for NAC or the hops into the internal AD via the intermediary FW/NIPS)
 
- Appl Ext DMZ (for specific appls intended for public access, use of MS LDS (ADAM) to expose a light weight AD, use of SAML/ XML gateway which serve possible use of SAML token to validate user identity but really dependent on the web appl/service exposed, can b via WAN like MPLS if needed more dedicated "close" access )

- Staging Ext DMZ (for validation, don't neglect its security posture since it is exposed externally and probably used by vendor / remote user for UAT, keep this to minimal, always segregate from production segments)

- Data / Voice Ext DMZ (for media feeds termination)

Internally, the traffic will then be passed on to reached the intranet resources. It can be pretty much back the same depending on your existing architecture.

Other consideration include really always think of end to end encryption for data in motion (IPSEC and better layered with L2 encryptor used) and likewise for application level confidentiality too.

You may find the below handy

It shared use case that may be implemented under a common shared infrastructure or on independent Internet edges.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html#wp41952

9 Immutable Laws of Network Design
http://www.networkcomputing.com/data-networking-management/9-immutable-laws-of-network-design/240161432

....make sure your choice is serving a purpose and providing flexibility as your network grows in the future. Don’t get pigeonholed in to a single-vendor solution when the costs outweigh the benefits, and don’t miss opportunities to standardize on platforms that can increase effectiveness of management and security.
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question