Implementing a Secure Internal Network

Implementing a Secure Internal Network (PDF, 1.73MB)
Published: 30 May, 2003
Created by Ken Creekmore

This paper presents how-to options and suggestions for designing and securing an internal network. It provides scenarios covering designs that may currently be in place, together with a discussion and analysis of the risks involved and the vulnerabilities they present. Figures 1 through 5 illustrate a phased approach that can be used to migrate to a more secure environment through a combination of router and switch configurations. The final internal network design in figure 5 demonstrates a marked improvement over the initial design found in figure 1. Bridges and hubs are removed and replaced with routers and switches to segment the network. Virtual LANs (VLANs) are implemented to further separate network traffic to and from workgroups and servers. Workgroup and enterprise servers are moved out of the workgroup clouds into a secure area and connected directly to the core router/switch with port security enabled. The internet router running access control lists (ACLs) is replaced with a Cisco router running the firewall IOS, configured with context-based access control (CBAC) to harden the front line of defense. The public servers (Web, DNS, FTP and mail) are moved into a demilitarized zone (DMZ) and secured with ACLs. Finally, 802.1x security is configured on the workgroup servers.
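The design summarised above maps onto a handful of Cisco IOS configuration elements. The following is an added illustration, not configuration taken from the paper: it shows VLAN segmentation with a dedicated server VLAN, port security on a directly connected server port, 802.1x on a workgroup access port, and a CBAC-inspected internet edge whose inbound ACL admits only the DMZ services. VLAN numbers, interface names, RADIUS settings and the 192.0.2.0/24 (TEST-NET) DMZ addresses are all constructed assumptions.

```cisco
! Added example configuration (constructed, not from the paper).
!
! --- Core switch: separate VLANs for workgroups and servers ---
vlan 10
 name WORKGROUP-A
vlan 20
 name WORKGROUP-B
vlan 30
 name SERVERS
!
! 802.1x: switch ports stay closed until the client authenticates via RADIUS
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.30.5 key EXAMPLE-SHARED-SECRET
dot1x system-auth-control
!
! Workgroup access port: single VLAN, 802.1x enforced
interface FastEthernet0/1
 description Workgroup A user port
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
!
! Server port on the core switch: port security pins the port to one MAC
! and shuts it down if a second device appears (e.g. a hub plugged in)
interface FastEthernet0/24
 description Enterprise server, direct core connection
 switchport mode access
 switchport access vlan 30
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! --- Internet router with firewall IOS: CBAC plus DMZ ACL ---
! CBAC tracks outbound sessions and opens return traffic dynamically,
! so the static inbound ACL only needs to list the DMZ's public services.
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT ftp
!
ip access-list extended FROM-INTERNET
 remark Public DMZ services only; everything else is dropped and logged
 permit tcp any host 192.0.2.10 eq www
 permit tcp any host 192.0.2.11 eq smtp
 permit udp any host 192.0.2.12 eq domain
 permit tcp any host 192.0.2.12 eq domain
 permit tcp any host 192.0.2.13 eq ftp
 deny   ip  any any log
!
interface Serial0/0
 description Internet uplink
 ip access-group FROM-INTERNET in
!
interface FastEthernet0/0
 description Internal LAN (toward core switch)
 ip inspect CBAC-OUT in
!
interface FastEthernet0/1
 description DMZ segment
 ip address 192.0.2.1 255.255.255.0
```

Applying `ip inspect` inbound on the internal interface means only sessions initiated from inside are tracked; the inbound ACL on the uplink then stays short and explicit, and the `deny ... log` entry gives a record of anything that does not match a published DMZ service.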