Semi critical servers / equipment at branch offices : network design to secure them

We have 30+ small office branches that connect to our Data Centre via WAN routers
& these WAN routers connect to a core switch in the DC.

Each branch has 2 flat Class C subnets : one for wired LAN & one to our corporate
Wifi LAN.   We don't expect more than 100 PCs/devices in each branch.  All devices
& PCs at each branch are connected to L2 switches (including the branch WAN router).

There are PCs & devices (cashiers, cameras, small robots/automation, scanners and mini
databases) in the branches that run applications that do not need to communicate with
servers in the DC other than the AV EPO, SCCM patching, central encryption management
servers, HIPS (endpoint IPS) console & the like, but backups are taken by a NAS located at
each branch.

However, there are some semi-critical mini servers & databases which we deem ought to
be segregated from the rest of the organization to prevent DoS, though PCs for email
& Internet access will need to go back to the DC.

Q1:
What are among the best practices for such branches' network traffic?
Hub & spoke design? Layered security? Micro-segmentation within each branch?

Q2:
Do we treat each branch's network to be of lower, equal or higher trust levels than
DMZ, applications servers zone or backend servers zones (typical network trust
zones)?

Q3:
For traffic filtering / microsegmentation, is it best practice to configure
a) ACLs at each branch's WAN router (as switches at branches are Layer 2 &
    at most can only do MAC address filtering, which is not an option for us), or
b) Windows firewalls on the PCs that host mini databases & mini servers
    (but note that there are appliances which may not have firewalls in them), or
c) the HIPS firewalls (they run on the PCs) but not on the appliances, or
d) replacing the "default gateway" setting on the mini servers / databases with
    restrictive persistent routes (i.e. static routes, as they're called in Cisco) that allow
    communications with the SCCM, AV EPO, HIPS console etc.: can Windows
    GPO manage/enforce such persistent routes? or
e) which combination of the above?


Q4:
For each of the controls a-d above, do we filter for ingress or egress traffic or both?

Q5:
Sounds silly: should we move all these mini servers / devices to the DC? They are
usually powered off at night or on Sundays. Sometimes they may just need to be
restarted or serviced frequently: I have seen hospital branches/clinics, bank
branches & post offices having this equipment on their premises (i.e. they don't need
DC air con, humidity controls etc.)
sunhux asked:
atlas_shuddered (Sr. Network Engineer) commented:
Q1:
What are among the best practices for such branches' network traffic?
Hub & spoke design? Layered security? Micro-segmentation within each branch?

A1 - By the point that you are connecting back to a central DC, you are already running a hub and spoke.  You can leave this design in place and minimize the security deployment to your remote sites but, the other side of this is that you will need to spend more at your DC as it will be the passthrough - e.g. larger circuit, faster firewalls, layering of filtering, inspection and defense between sites.  Micro-segmentation is not recommended in the remote sites as the expense can get out of hand and the technology just isn't developed to the point to provide the cost:benefit ratio to justify the expense.

Q2:
Do we treat each branch's network to be of lower, equal or higher trust levels than
DMZ, applications servers zone or backend servers zones (typical network trust
zones)?

A2 - this depends on your overall trust model, which is going to be based on what types of transactions and what kind of users are at the remote site.  General rule of thumb, whitelist - deny by default, permit by exception.

Q3:
For traffic filtering / microsegmentation, is it best practice to configure
a) ACLs at each branch's WAN router (as switches at branches are Layer 2 &
    at most can only do MAC address filtering, which is not an option for us), or
b) Windows firewalls on the PCs that host mini databases & mini servers
    (but note that there are appliances which may not have firewalls in them), or
c) the HIPS firewalls (they run on the PCs) but not on the appliances, or
d) replacing the "default gateway" setting on the mini servers / databases with
    restrictive persistent routes (i.e. static routes, as they're called in Cisco) that allow
    communications with the SCCM, AV EPO, HIPS console etc.: can Windows
    GPO manage/enforce such persistent routes? or
e) which combination of the above?

A3 - this is going to be determined based on the type of data being processed and housed, and the trust model for your remote sites.  I would say that the only thing that I would not use is Windows firewall.  If you are utilizing HBIP, then stick with the third party vendor's solution.  ACLs on the routers are best practice, perimeter firewalls are better.  Let a switch, switch, a router, route and a firewall, firewall.  I think there may be some confusion about default gatewaying and static routing here.  GPOs don't enforce the routing but they can be used to associate scripting to the local machines.  Still wouldn't use this though.  Combination is best but needs will define that combination.  Hard to answer without more info.


Q4:
For each of the controls a-d above, do we filter for ingress or egress traffic or both?

A4 - again, trust models.  If you don't implicitly trust all traffic from all sites then define what and where you don't trust and then deny it as near the source as possible.

Q5:
Sounds silly: should we move all these mini servers / devices to the DC? They are
usually powered off at night or on Sundays. Sometimes they may just need to be
restarted or serviced frequently: I have seen hospital branches/clinics, bank
branches & post offices having this equipment on their premises (i.e. they don't need
DC air con, humidity controls etc.)

A5 - This would be something answered from staffing, access and need.  If you are constantly having to access them for maintenance, especially break fix, can you offset cost by having them local to the DC?  If you only have to touch them on occasion and they aren't critical to operations, it may make more sense to keep them where they are.  Would moving them to the DC and virtualizing make more sense?  More info needed.

Q6:
There's a plan 1 year later to replace the L2 switches at the branches (as the Cisco 2960s are going EoSL).
A colleague just asked: should we segment each branch's LAN into several segments of trust, such
that those semi-critical PCs (hosting mini servers & databases) are on a higher-trust segment while
the normal PCs (used for email/Internet access) are on another segment, or should we go one segment
per system, e.g. all cash/cashier related equipment in one segment/subnet of a branch, scanning/copiers
in another, queue/ticketing in another subnet, ...? That sounds like overkill; or should we just place everything in
one subnet for each branch?

A6 - Again, trust model.  I'll pitch the question back to you.  Does your security model today fit your needs?  If not, what changes would be of benefit?  Do all your users at a given site need access to every other resource?  If not, is there actual at-risk/sensitive data at the remote site?  If yes, then maybe you should consider segmentation.  Just for clarity - this would be macro-segmentation, not micro.  Micro-segmentation is the isolation of hosts at the access port level and controls within the actual switching fabric itself up to layer 3 and extending to the gateway or environment edge.

Q7:
If we were to get L3 switches, should the L3 switches do the filtering with ACLs, or let the WAN router
do the filtering, or both, or the PCs' firewalls (but appliances can't do that)?

A7 - if you are routing on the L3 switch and need filtering between VLANs/subnets, then you will want to do at least some filtering within the switch; however, keep that minimized as filtering will impact performance.  Again, switch be switch.  Use a firewall instead if feasible.  HBIP is an idea, but layer three segmentation with deep packet inspection, IPS, etc. is an excellent option, depending on your needs, budget and goals.

Q8:
Should we even consider a dynamic routing protocol with ACLs?
Or is the scale too small currently to consider this?

A8 - I always recommend dynamic routing where possible.  It eases management of routing, especially in a multi-site environment.  You can filter on the routers and should do at least some filtering, but I would still point you back to a firewall to actually handle that task.

Final note - I would recommend two things.  First, it is clear that you need experienced input to this process.  You are asking good questions but, by the same token, you are also asking questions around items/areas where you haven't fully defined your architecture or goals.  Get a consultant.  Second, you really should post these questions as individual items.  You've currently jammed well over a dozen actual questions into one and it's going to make any discussion on the items more and more confusing as time goes past.  You've got a big project and you are going to need to make a lot of decisions.  Confusion and lack of clarity are not your friends with this.
sunhux (Author) commented:
Q6:
There's a plan 1 year later to replace the L2 switches at the branches (as the Cisco 2960s are going EoSL).
A colleague just asked: should we segment each branch's LAN into several segments of trust, such
that those semi-critical PCs (hosting mini servers & databases) are on a higher-trust segment while
the normal PCs (used for email/Internet access) are on another segment, or should we go one segment
per system, e.g. all cash/cashier related equipment in one segment/subnet of a branch, scanning/copiers
in another, queue/ticketing in another subnet, ...? That sounds like overkill; or should we just place everything in
one subnet for each branch?

Q7:
If we were to get L3 switches, should the L3 switches do the filtering with ACLs, or let the WAN router
do the filtering, or both, or the PCs' firewalls (but appliances can't do that)?

Lastly, all branch PCs authenticate to the AD server that's located in the DC (in the internal zone, not the DMZ).
sunhux (Author) commented:
Need to assess the options in terms of security, supportability/maintainability and
'future-proofing' (say the branches plan to have a broadband connection to the Internet
one day to bypass going through the DC, but we're not allowing this currently as we
want them to go through the proxy and DLP (Data Loss Protection) at the DC).

My views:

a) for immediate/fast implementation (as we have a couple of months only), defining
    static/persistent routes is fastest & least disruptive, as we may not have a full
    inventory of all the mini servers & equipment that have gone into the branches
    over the last few decades.  Some appliances like the NAS only allow a default gateway
    to be set & not a static/persistent route, but it meets our security needs if we just
    remove the 'default gateway' setting, as the NAS only serves the subnet within
    the branch (no routing needed)

b) setting Windows firewall: doubt we can use GPO to centrally manage/enforce
    it; can be unsustainable & some appliances don't have it (say the SMS Sendlink
    device or Redbox voice recorders)

c) ACL on the WAN router at each branch: not so micro-segmented, but at least it covers
    appliances that don't have built-in firewalls; however, this option met with
    huge resistance from the Network team, citing that this is not secure & that the firewall on the
    HIPS is most secure (but it sounds to me that the Network guys don't want to take
    up this task)

d) the HIPS administrator objected too, as he said supporting 30 branches' firewalls
    in the HIPS is unsustainable
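Option (d) of Q3 and point (a) of the views above ask whether restrictive persistent routes can be pushed by GPO, and A3 notes that a GPO can only attach a script. The block below is an added example, not code from any poster in this thread, of such a GPO computer startup script in PowerShell: it adds persistent /32 routes to the DC management servers and removes the default gateway so every other off-subnet destination is unroutable. The subnet, gateway and server addresses are constructed placeholders, and finding the LAN adapter by subnet prefix is an assumption about how the branches are addressed.

```powershell
# Added example, not from the thread: GPO computer startup script that removes the
# default gateway on a branch mini server and keeps only persistent /32 routes to the
# DC management servers. Every address below is a constructed placeholder.
$BranchLanPrefix = '10.20.1.*'     # branch wired LAN subnet (placeholder)
$BranchGateway   = '10.20.1.1'     # branch WAN router LAN address (placeholder)
$AllowedDcHosts  = @(
    '10.0.10.5',   # SCCM site server (placeholder)
    '10.0.10.6',   # AV EPO server (placeholder)
    '10.0.10.7',   # HIPS console (placeholder)
    '10.0.10.8'    # central encryption management server (placeholder)
)

# Locate the adapter on the branch LAN. The script runs at every boot, so each step
# below must be safe to repeat.
$Lan = Get-NetIPAddress -AddressFamily IPv4 |
       Where-Object { $_.IPAddress -like $BranchLanPrefix } |
       Select-Object -First 1
if (-not $Lan) { Write-Error 'No adapter on the branch LAN; routes left untouched'; exit 1 }
$IfIndex = $Lan.InterfaceIndex

# 1. Persistent host routes to each allowed DC server, added only if missing.
foreach ($Dc in $AllowedDcHosts) {
    $Existing = Get-NetRoute -DestinationPrefix "$Dc/32" -InterfaceIndex $IfIndex `
                             -ErrorAction SilentlyContinue
    if (-not $Existing) {
        # route -p stores the entry under PersistentRoutes so it survives reboots
        route -p ADD $Dc MASK 255.255.255.255 $BranchGateway IF $IfIndex | Out-Null
    }
}

# 2. Drop the default route from both the active and the persistent store so any
#    other off-subnet destination is simply unreachable. The host needs a static IP:
#    a DHCP-supplied gateway would be re-added at the next lease renewal.
foreach ($Store in 'ActiveStore', 'PersistentStore') {
    Remove-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex $IfIndex `
                    -PolicyStore $Store -Confirm:$false -ErrorAction SilentlyContinue
}

# 3. Leave a record of the resulting table for SCCM or the HIPS console to collect,
#    which also helps build the branch inventory the thread says is incomplete.
$LogDir = Join-Path $env:ProgramData 'BranchRoutes'   # placeholder location
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Get-NetRoute -InterfaceIndex $IfIndex -AddressFamily IPv4 |
    Select-Object DestinationPrefix, NextHop, RouteMetric |
    Format-Table -AutoSize | Out-String |
    Set-Content -Path (Join-Path $LogDir 'last-run.txt')
```

Because a local administrator can put the default gateway back, treat this as a host-side complement to the WAN-router ACL that A3 calls best practice, not a replacement for it, and have SCCM or the HIPS console flag any host whose 0.0.0.0/0 route reappears.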
sunhux (Author) commented:
Q8:
Should we even consider a dynamic routing protocol with ACLs?
Or is the scale too small currently to consider this?
Dale McKay (Global Principal Architect) commented:
You are asking a lot of deep, technical questions and expecting someone to spend a lot of time to answer those questions.  

Actually what you are asking for is for someone to design your remote branch for you, and you have offered nothing in return.

Why not make this a paid project? You would probably get a much better response.
Bryant Schaper commented:
This is a long question, and certainly many questions will come up. You mention cashiers for one, what compliance do you deal with, PCI, SOX?

Personally I would be a big fan of moving it all to the data center and virtualization.  Many benefits to this, but your connections to the DC need to be stable.  Then many of your questions probably go away.  Each site would be left with routing/firewall/switching/computers/printers/cameras.  So leave the DVR local, more bandwidth to send that to the DC, so I would segment that off.

Then you can vlan and acl access to resources and run all traffic through a central firewall(s) in the DC.  That is my take on it.  But this would really be a long discussion to engineer your solution.
sunhux (Author) commented:
We are with PCI-DSS compliance.


Thanks very much Atlas.

>A6 - Again, trust model.  I'll pitch the question back to you.
We have a current Network Security Architecture doc which has a one-liner mentioning that a branch is of "Medium Secure Trust".
The doc mentions 4 levels of trust: High Secure, Med Secure, Low Trust, Untrusted (i.e. Internet).
atlas_shuddered (Sr. Network Engineer) commented:
By that definition the whole site would be of equal trust.  Under that definition you would be able to allow open access.

Now, if you go from the perspective of PCI compliance, there is clear directive within the guidance that user and process traffic are to be both separated along an active boundary.  This means a minimum of app firewalling and depending on the auditor can involve more.

sunhux, just a heads up, this is the last reply I will be posting to this thread.  As noted earlier, I think the number of questions is unreasonable for just one "question" and I also think that what you are asking would be better served via a consultant.  I'm going to go out on a limb here and say that it's a fair bet that the rest of the community would agree on these points, given that you have only received one other reply and that affirms what I am now, and have previously, posted.

Cheers