Natalie Timms


Building An Information Security Policy Part 3: Logical And Physical Design

In my previous blog, I discussed key points for the selection of appropriate hardware and software in order to build and maintain an effective security policy. In this post, I will cover security considerations when designing the physical and logical aspects of a network.

Although this seems like basic networking, it is surprising how many organizations lack detailed knowledge of their underlying network design, which is essential for troubleshooting. Network devices such as routers, switches, and servers must be secured physically as well as locked down from an authorization and management perspective.


Understanding the physical cabling plan that supports the logical segmentation of the network is critical. Documentation of the physical topology is vital to understanding data flows and troubleshooting connectivity issues. Sometimes what appears to be a configuration error or even a security breach turns out to be the result of incorrect cabling or a bad port on a network device.

In my previous post, I discussed the need to select hardware that provides the required scalability and capacity. This is often achieved by distributing load across multiple devices. Physical placement and the interconnects that support failover or clustering are just as important as the data-forwarding paths. If state sharing is required for high availability, how is this information propagated between devices -- over the same physical path as the data or via separate connections? When overlaying multiple logical data flows on physical media, always ensure there will be adequate capacity and no device restrictions on a port. Map port capabilities to design requirements, for example, trunk versus access ports and routed port versus switch port.

Logical design provides data segmentation, which is the first real step to a secure and resilient network design. Sub-interfaces, VLANs, virtual and tunnel interfaces separate traffic, and also allow various forwarding and security methods to be applied to individual flows.

[Read about a Cisco technology for enforcing identity-based network access in "Cisco Security Group Access: An Introduction."]

Devices such as firewalls and intrusion prevention appliances are physically connected to routers or switches, but the logical design identifies the firewall contexts and virtual sensors that handle each segmented flow. A Web server may be connected to a switch used for externally sourced traffic, but the logical design ensures incoming flows are redirected through a firewall first. Guest data may be separated from employee data using logical separation via VLANs across a switch trunk port.

Virtual switch and server access in the data center is another well-known use case: segmented data flows use logical paths overlaid on the physical infrastructure, and each path can be secured individually.

Various logical methods may be applied to enhance network resiliency. A good example of this is grouping several physical interfaces into an EtherChannel. Logical redundancy and resiliency require their own security methods. For example, redundant paths at layer 2 require Spanning Tree, which in turn can be secured using methods such as BPDU Guard and Root Guard.
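The segmentation and resiliency controls above (VLAN separation on access and trunk ports, EtherChannel member consistency, BPDU Guard and Root Guard) are the kind of thing that drifts silently when ports are patched by hand. As an added example, not part of the original post or any vendor tool, here is a small Python audit that parses a Cisco IOS-style switch configuration and reports ports that miss those controls. The configuration is a constructed sample; the convention that downstream trunks carry "DOWNLINK" in their description is an assumption made for the audit, and the script ignores global defaults such as `spanning-tree portfast bpduguard default`, so an all-clear here is a starting point, not proof of hardening.

```python
"""Audit an IOS-style switch config for L2 segmentation and STP hardening.

SAMPLE_CONFIG is a constructed example, not taken from any real device.
Assumption: trunks toward access-layer switches are tagged 'DOWNLINK' in
their description; those are the ports where Root Guard belongs so a rogue
or misconfigured switch cannot claim the Spanning Tree root.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
interface Port-channel1
 description Uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/1
 description Core uplink member A
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
!
interface GigabitEthernet1/0/2
 description Core uplink member B
 switchport mode trunk
 channel-group 1 mode active
!
interface GigabitEthernet1/0/3
 description DOWNLINK to access-sw1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 spanning-tree guard root
!
interface GigabitEthernet1/0/4
 description DOWNLINK to access-sw2
 switchport mode trunk
!
interface GigabitEthernet1/0/10
 description Employee desk
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/11
 description Guest kiosk
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 description Spare
 switchport mode access
!
"""

Finding = Tuple[str, str]  # (interface name, problem description)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} for every interface stanza.

    A stanza starts at 'interface X' and ends at the first line that is not
    indented (the '!' separator or another top-level command)."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def audit(config: str) -> List[Finding]:
    """Apply the segmentation and STP checks to each interface."""
    ifaces = parse_interfaces(config)
    findings: List[Finding] = []
    for name, cmds in ifaces.items():
        desc = next((c[len("description "):] for c in cmds
                     if c.startswith("description ")), "")
        if "switchport mode access" in cmds:
            # Edge ports must drop BPDUs: a switch plugged into a desk port
            # must not be able to join or reshape the Spanning Tree.
            if "spanning-tree bpduguard enable" not in cmds:
                findings.append((name, "access port without BPDU Guard"))
            # No explicit VLAN means the port lands in VLAN 1, outside the
            # employee/guest segmentation.
            if not any(c.startswith("switchport access vlan ") for c in cmds):
                findings.append((name, "access port left in default VLAN 1"))
        elif "switchport mode trunk" in cmds:
            # An unpruned trunk carries every VLAN, guest included.
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                findings.append((name, "trunk carries all VLANs (no allowed-vlan list)"))
            if "downlink" in desc.lower() and "spanning-tree guard root" not in cmds:
                findings.append((name, "downlink trunk without Root Guard"))
        # EtherChannel members whose switchport settings differ from the
        # Port-channel are suspended by IOS, silently removing redundancy.
        for c in cmds:
            m = re.match(r"channel-group (\d+)", c)
            if m:
                bundle = f"Port-channel{m.group(1)}"
                member_sw = {x for x in cmds if x.startswith("switchport")}
                bundle_sw = {x for x in ifaces.get(bundle, []) if x.startswith("switchport")}
                if member_sw != bundle_sw:
                    findings.append((name, f"switchport settings differ from {bundle}"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
```

Running it against the sample flags the second uplink member (its trunk settings differ from Port-channel1 and it is unpruned), the second downlink (unpruned and no Root Guard), the guest kiosk port (no BPDU Guard) and the spare port (no BPDU Guard, still in VLAN 1), while the correctly configured ports produce nothing. The same parser can be pointed at a saved `show running-config` to make the review repeatable after every change window.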

Once the design is planned and physically deployed, the next step is to focus on network addressing requirements. Addresses and identifiers are the basis on which the actual security policy rules and requirements are implemented. In my next post, I will discuss applying identifiers to maintain network segmentation that meets the objectives of the security policy.
