We have 30+ small office branches that connect to our Data Centre via WAN routers,
& these WAN routers connect to a core switch in the DC.
Each branch has 2 flat Class C subnets: one for the wired LAN & one for our corporate
Wifi LAN. We don't expect more than 100 PCs/devices in each branch. All devices
& PCs at each branch are connected to L2 switches (including the branch WAN router).
There are PCs & devices (cashiers, cameras, small robots/automation, scanners and mini
databases) in the branches that run applications that do not need to communicate with
servers in the DC other than the AV EPO, SCCM patching, central encryption management
servers, HIPS (endpoint IPS) console & the like, but backups are taken by a NAS located at
However, there are some semi-critical mini servers & databases which we deem ought to
be segregated from the rest of the organization to prevent DoS, though PCs for email
& Internet access will need to go back to the DC.
What are among the best practices for such branches network traffic?
Hub & spoke design? Layered security? Micro-segmentation within each branch?
Do we treat each branch's network as being of lower, equal or higher trust level than the
DMZ, application servers zone or backend servers zones (typical network trust
For traffic filtering / microsegmentation, is it best practice to configure
a) ACLs at each branch's WAN router (as the switches at branches are Layer 2 &
at most can only do MAC address filtering, which is not an option for us) Or
b) Windows firewalls on the PCs that host mini databases & mini servers
(but note that there are appliances which we may not have firewalls in them) Or
c) use the HIPS firewalls (they run on the PCs) but not the appliances Or
d) replace the "default gateway" setting on the mini servers / databases with
restrictive persistent routes (i.e. static routes, as they are called in Cisco) that allow
communications with the SCCM, AV EPO, HIPS console etc.: can Windows
GPO manage/enforce such persistent routes? Or
e) which combinations of the above
For each of the controls a-d above, do we filter for ingress or egress traffic or both?
Sounds silly: should we move all these mini servers / devices to the DC? They are
usually powered off at night or on Sundays. Sometimes they may just need to be
restarted or serviced frequently: we have seen hospital branches/clinics, bank
branches & post offices keeping this equipment on their premises (i.e. it doesn't need
DC air con, humidity controls etc.)
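As an added illustration of option (b) and option (d) from the question (not part of the original post), the following PowerShell applies a default-deny, allow-list Windows Firewall policy on a branch mini server in both directions, with egress limited to the DC management servers and ingress limited to the management consoles and the local branch subnet. All IP addresses, subnets and port numbers are placeholders and must be replaced with the real ones.

```powershell
# Added example, not from the question. All addresses/ports are placeholders.
$Mgmt = @{ 'SCCM' = '10.10.1.10'; 'AV-EPO' = '10.10.1.11'
           'HIPS' = '10.10.1.12'; 'Encryption' = '10.10.1.13' }
$DomainServices = @('10.10.2.10', '10.10.2.11')  # DCs: DNS, Kerberos, LDAP, GPO
$BranchLan      = '192.168.50.0/24'              # placeholder branch wired subnet
$BranchNas      = '192.168.50.250'               # placeholder local backup NAS
$BranchGateway  = '192.168.50.1'                 # placeholder branch WAN router

# 1. Default-deny on every profile: this filters ingress AND egress at the host.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Egress allow-list: management servers, domain services, local NAS only.
foreach ($name in $Mgmt.Keys) {
    New-NetFirewallRule -DisplayName "Egress-$name" -Direction Outbound `
        -Action Allow -RemoteAddress $Mgmt[$name] -Profile Any | Out-Null
}
New-NetFirewallRule -DisplayName 'Egress-DomainServices' -Direction Outbound `
    -Action Allow -RemoteAddress $DomainServices -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Egress-BranchNAS' -Direction Outbound `
    -Action Allow -RemoteAddress $BranchNas -Profile Any | Out-Null

# 3. Ingress allow-list: consoles reach the agents/RDP, branch PCs reach the DB port.
New-NetFirewallRule -DisplayName 'Ingress-Mgmt' -Direction Inbound -Action Allow `
    -RemoteAddress ([string[]]$Mgmt.Values) -Protocol TCP -LocalPort 135,445,3389 `
    -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Ingress-BranchDB' -Direction Inbound -Action Allow `
    -RemoteAddress $BranchLan -Protocol TCP -LocalPort 1433 -Profile Any | Out-Null

# 4. Option (d) variant: no default gateway, only persistent /32 routes to the
#    servers that must be reachable across the WAN (run only after removing 0.0.0.0/0).
$Ifx = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).InterfaceIndex
foreach ($ip in (@($Mgmt.Values) + $DomainServices)) {
    New-NetRoute -DestinationPrefix "$ip/32" -NextHop $BranchGateway `
        -InterfaceIndex $Ifx -PolicyStore PersistentStore | Out-Null
}
```

Rules like these can be delivered centrally through the Windows Defender Firewall with Advanced Security node of a GPO; static routes have no dedicated GPO setting, so the option (d) part is normally pushed as a computer startup script. Test the egress block on one host first, since default-deny outbound also stops DHCP, time sync and any agent not on the list.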