Extranet Security

Posted on 2014-01-09
484 Views
Last Modified: 2014-02-02
Hi

Looking for some pointers on the development of various aspects of security layers when it comes to provisioning access to users who are not within the complete trust zone of an enterprise. The users may fall into the broad categories below:

1. Joint Ventures / Acquisitions (users needing joint access to certain applications only, and their data, over Site-to-Site VPN / leased lines; they don't exist within our Active Directory (AD) yet)

2. Customers located inside the premises (same needs as 1, but from within the LAN)

3. Road Warriors (trusted employees accessing the LAN over remote VPN)

4. Vendors for software development and support (vendors needing complete access to servers, both from the LAN and from the internet over VPN; they don't reside in AD)

For such permutations, what's the best mechanism to commission the infrastructure security design from the ground up?

TIA
Question by:fahim
Accepted Solution by: btan
ID: 39770056
An extranet DMZ has a tiered architecture (web/appl or appl gateway) as the proxy zone, which will be the identified segment "exposed" for access by remote users, vendors, etc. This can include the FW and NIPS separating the tiers, and really depends on the risk appetite of the enterprise (such as leakage, breach and reputation impact).

Simply see the external segments as another "bouncer" that inspects traffic prior to granting access.

Examples of possible extranet segments:

- Internet Ext DMZ (for mobile users and remote users that need to go through the MDM gateway, or the VPN gateway which will connect to RADIUS for NAC, or the hops into the internal AD via the intermediary FW/NIPS)

- Appl Ext DMZ (for specific appls intended for public access; use of MS LDS (ADAM) to expose a lightweight AD; use of a SAML/XML gateway which serves possible use of SAML tokens to validate user identity, but really dependent on the web appl/service exposed; can be via WAN like MPLS if more dedicated "close" access is needed)

- Staging Ext DMZ (for validation; don't neglect its security posture since it is exposed externally and probably used by vendors / remote users for UAT; keep this to a minimum, and always segregate it from production segments)

- Data / Voice Ext DMZ (for media feed termination)

Internally, the traffic will then be passed on to reach the intranet resources. It can pretty much be the same, depending on your existing architecture.

Other considerations include always thinking of end-to-end encryption for data in motion (IPsec, better layered with an L2 encryptor) and likewise application-level confidentiality too.

You may find the below handy.

It shares use cases that may be implemented under a common shared infrastructure or on independent Internet edges.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/IE_DG.html#wp41952

9 Immutable Laws of Network Design
http://www.networkcomputing.com/data-networking-management/9-immutable-laws-of-network-design/240161432

....make sure your choice is serving a purpose and providing flexibility as your network grows in the future. Don’t get pigeonholed in to a single-vendor solution when the costs outweigh the benefits, and don’t miss opportunities to standardize on platforms that can increase effectiveness of management and security.
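The segmentation above can be checked mechanically before any firewall rule is written. The following is an added example (not part of the question or of btan's answer): a small zone-to-zone model whose zone names and baseline rule table are assumptions chosen to mirror the segments described, and which verifies two invariants from the answer, that the Internet Ext DMZ is a true chokepoint for every external path and that the vendor-facing staging segment can never reach production.

```python
# Added example, not part of the original answer: a zone-to-zone model of
# the extranet layout described above. Zone names and the baseline rule
# table are assumptions for illustration, not a real configuration.
from collections import deque

BOUNCER = "internet_ext_dmz"   # VPN/MDM gateway segment behind FW/NIPS

# Baseline allowed hops (src, dst), constructed from the answer's segments.
BASELINE_RULES = frozenset({
    ("internet", BOUNCER),                 # all external users enter here
    (BOUNCER, "appl_ext_dmz"),             # exposed appls via SAML/XML gw
    (BOUNCER, "staging_ext_dmz"),          # vendor / remote-user UAT
    (BOUNCER, "intranet"),                 # VPN users after RADIUS/NAC
    ("appl_ext_dmz", "intranet"),          # appl gateway to back-end
    ("intranet", "production"),
})

def reachable(rules, start, blocked=frozenset()):
    """Zones reachable from start by following allowed hops, never
    entering a zone listed in blocked (used to test for a chokepoint)."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in rules:
            if src == zone and dst not in seen and dst not in blocked:
                seen.add(dst)
                queue.append(dst)
    return seen

def check_design(rules):
    """Return a list of invariant violations for a proposed rule set."""
    problems = []
    # 1. The Internet Ext DMZ must be a true chokepoint: with it removed,
    #    nothing internal may remain reachable from the internet.
    bypass = reachable(rules, "internet", blocked={BOUNCER})
    for zone in ("intranet", "production"):
        if zone in bypass:
            problems.append(f"{zone} reachable from internet without {BOUNCER}")
    # 2. Staging is exposed to vendors for UAT; it must stay segregated
    #    from production, so no chain of hops may lead there.
    if "production" in reachable(rules, "staging_ext_dmz"):
        problems.append("staging_ext_dmz can reach production")
    return problems

if __name__ == "__main__":
    # A convenience rule for a vendor UAT box links staging to production
    # through the intranet; the chokepoint/segregation check catches it.
    proposed = BASELINE_RULES | {("staging_ext_dmz", "intranet")}
    print(check_design(BASELINE_RULES))   # []
    print(check_design(proposed))         # ['staging_ext_dmz can reach production']
```

Running the check on each change to the rule table turns "always segregate staging from production" from a design note into a test that fails when a single extra hop quietly undoes it.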