Solved

Extranet Security

Posted on 2014-01-09
Last Modified: 2014-02-02
Hi

Looking for some pointers on the development of various aspects of security layers when it comes to provisioning access to users who are not within the complete trust zone of an enterprise. The users may fall into the broad categories below:

1. Joint Ventures / Acquisitions (users needing joint access to certain applications only and their data over Site-to-Site VPN / Leased Lines; they don't exist within our Active Directory (AD) yet)

2. Customers located inside the premises (same needs as 1, but from within the LAN)

3. Road Warriors (trusted employees accessing the LAN from Remote VPN)

4. Vendors for software development and support (vendors needing complete access to servers both from the LAN and from the internet over VPN; they don't reside in AD)

For such permutations, what's the best mechanism to commission the infrastructure security design from the ground up?

TIA
Question by:fahim
1 Comment
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39770056
An Extranet DMZ has a tiered architecture (web/appl or appl gateway) as the proxy zone, which is the identified segment with "exposed" access for remote users, vendors, etc. This can include the FW and NIPS separating the tiers, and really depends on the risk appetite of the Enterprise (such as leakage, breach and reputation impact).

Simply see the external segments as another "Bouncer" to inspect traffic prior to granting access.

Examples of possible extranet segments:

- Internet Ext DMZ (for mobile users and remote users that need to go through the MDM gateway or VPN gateway, which will be connected to RADIUS for NAC, or that hop into the internal AD via the intermediary FW/NIPS)

- Appl Ext DMZ (for specific appls intended for public access; use of MS LDS (ADAM) to expose a lightweight AD; use of a SAML/XML gateway which serves possible use of a SAML token to validate user identity, but really dependent on the web appl/service exposed; can be via WAN like MPLS if more dedicated "closed" access is needed)

- Staging Ext DMZ (for validation; don't neglect its security posture since it is exposed externally and probably used by vendors / remote users for UAT; keep this to a minimum and always segregate it from production segments)

- Data / Voice Ext DMZ (for media feeds termination)

Internally, the traffic will then be passed on to reach the intranet resources. It can be pretty much the same on the way back, depending on your existing architecture.

Other considerations include: really, always think of end-to-end encryption for data in motion (IPSEC, better layered with an L2 encryptor) and likewise application-level confidentiality too.

You may find the below handy.

It shares use cases that may be implemented under a common shared infrastructure or on independent Internet edges.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html#wp41952

9 Immutable Laws of Network Design
http://www.networkcomputing.com/data-networking-management/9-immutable-laws-of-network-design/240161432

....make sure your choice is serving a purpose and providing flexibility as your network grows in the future. Don’t get pigeonholed in to a single-vendor solution when the costs outweigh the benefits, and don’t miss opportunities to standardize on platforms that can increase effectiveness of management and security.
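To make the segmentation model in the accepted answer concrete, here is an added example (not code from the question, the answer, or any vendor) that expresses the extranet design as a default-deny flow policy: the segments are the ones btan lists, the user classes are the four from the question, and the permitted hops, landing segments and required "bouncer" per class are assumptions chosen for illustration.

```python
from typing import Iterable, Tuple

# Extranet segments from the answer plus the internal zone they front.
# Only the hops listed here cross the FW/NIPS tier; any other hop is
# dropped (default deny). Constructed for illustration.
FW_NIPS_HOPS = {
    ("internet", "internet_ext_dmz"),
    ("internet", "appl_ext_dmz"),
    ("internet", "staging_ext_dmz"),
    ("internet", "data_voice_ext_dmz"),
    ("internet_ext_dmz", "intranet"),
    ("appl_ext_dmz", "intranet"),
}
PRODUCTION = {"appl_ext_dmz", "intranet"}

# Per user class from the question: segments they may land in and the
# "bouncer" they must have passed. Values are assumed, not from the page.
POLICY = {
    "joint_venture": ({"appl_ext_dmz"}, "site_to_site_vpn"),
    "customer_onprem": ({"appl_ext_dmz"}, "lan_nac"),
    "road_warrior": ({"internet_ext_dmz", "intranet"}, "remote_vpn_radius"),
    "vendor": ({"staging_ext_dmz", "appl_ext_dmz"}, "remote_vpn_radius"),
}


def evaluate(user_class: str, gate: str, path: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether a flow along `path` (ordered segment names) is allowed.

    Returns (allowed, reason). Every denial carries an explicit reason so the
    decision can be logged; unknown classes or gates fall through to deny.
    """
    path = list(path)
    if len(path) < 2:
        return False, "path needs a source and a destination segment"
    if user_class not in POLICY:
        return False, f"unknown user class {user_class!r}"
    allowed, required_gate = POLICY[user_class]
    if gate != required_gate:
        return False, f"{user_class} must enter via {required_gate}, not {gate}"
    # Staging is for UAT only: never let one session bridge it to production.
    if "staging_ext_dmz" in path and PRODUCTION & set(path):
        return False, "staging must stay segregated from production segments"
    for src, dst in zip(path, path[1:]):
        if (src, dst) not in FW_NIPS_HOPS:
            return False, f"no FW/NIPS-controlled hop {src}->{dst}"
        if dst not in allowed:
            return False, f"{dst} not permitted for {user_class}"
    return True, "allowed"
```

Feeding candidate flows through `evaluate` during design review shows which paths the segmentation actually permits; anything not explicitly modelled comes back denied.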