Network Infrastructure Security Design Deliverable Template
From MIKE2.0 Methodology
This article is currently Under Construction. It is undergoing major changes as it is in the early stages of development. Users should help contribute to this article to get it to the point where it is ready for a Peer Review.
This deliverable template is used to describe a sample of the MIKE2.0 Methodology (typically at a task level). More templates are now being added to MIKE2.0 as this has been a frequently requested aspect of the methodology. Contributors are strongly encouraged to assist in this effort.
Deliverable templates are illustrative as opposed to fully representative. Please help add examples to this template that are representative of the proposed output.
Network Infrastructure Security is used to ensure the network is secure and it is protected from attack. This includes making sure the proper hardware and software firewalls are in place and that data is encrypted across this network.
Example 1 - for a Sample Network Security Design
VPN VIA MANAGED POINT TO POINT LINK
The encryption may be performed on the terminating equipment (e.g. an IPSec tunnel between two Cisco routers) if bandwidth, service level and monitoring requirements are met.
Advantages:
- More secure, as all traffic is encrypted.
- Simpler solution to manage.
- More cost effective, as less hardware is required.
- IPSec tunnels terminate at the outermost available point.
Disadvantages:
- May be less suitable for high-bandwidth encryption; dedicated devices might perform better.
- May make access-list management more difficult.
- Less efficient compression (if using a payload compression protocol with IPSec), because the data is encrypted and encapsulated before it can be compressed.
Design rules:
- Ensure each connection terminates onto a separate Extranet VLAN.
- Apply access lists on firewalls, WAN and choke routers to restrict traffic flow to only the required source and destination networks. No traffic should terminate on any Extranet infrastructure.
- Implement strict access lists to allow only IPSec traffic through the external interfaces.
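As an added example (not part of the MIKE2.0 template or any vendor configuration), the following Python script models the last two design rules as first-match access lists and checks a candidate design against them: the external interface admits only IKE (UDP 500/4500) and ESP from the known peer, and the choke-point list passes decrypted traffic only between the required source and destination networks while refusing anything addressed to the Extranet VLAN itself. All peer addresses, networks and the TCP/443 application flow are constructed sample values; return traffic is assumed to be handled by a stateful firewall and is not modelled.

```python
"""Added example: first-match ACL evaluator for checking an extranet IPSec design.
Addresses and networks below are constructed sample values, not from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IKE_PORT, IKE_NAT_T_PORT = 500, 4500   # ISAKMP and NAT-T encapsulation


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR, 0.0.0.0/0 = any
    dst: str                     # CIDR, 0.0.0.0/0 = any
    proto: Optional[int] = None  # None matches any IP protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; an implicit deny applies if nothing matches."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def audit(acl: List[Rule], expectations: List[Tuple[Packet, str]]) -> list:
    """Return (packet, expected, actual) for every flow the ACL gets wrong."""
    return [(p, want, got) for p, want in expectations
            if (got := evaluate(acl, p)) != want]


# Constructed sample addressing (assumptions, not from the page)
LOCAL_PEER = "198.51.100.1/32"    # our router's external address
REMOTE_PEER = "203.0.113.10/32"   # partner's IPSec endpoint
EXTRANET_VLAN = "172.16.50.0/24"  # Extranet VLAN the tunnel terminates on
PARTNER_NET = "10.200.0.0/16"     # partner network reached through the tunnel
APP_NET = "10.10.20.0/24"         # the only internal network the partner needs
ANY = "0.0.0.0/0"

# Rule: only IPSec through the external interface, and only from the known peer
EXTERNAL_IN = [
    Rule("permit", REMOTE_PEER, LOCAL_PEER, PROTO_UDP, IKE_PORT),
    Rule("permit", REMOTE_PEER, LOCAL_PEER, PROTO_UDP, IKE_NAT_T_PORT),
    Rule("permit", REMOTE_PEER, LOCAL_PEER, PROTO_ESP),
    Rule("deny", ANY, ANY),
]

# Rule: decrypted traffic flows only between required networks and never
# terminates on the Extranet infrastructure itself
EXTRANET_CHOKE = [
    Rule("deny", ANY, EXTRANET_VLAN),
    Rule("permit", PARTNER_NET, APP_NET, PROTO_TCP, 443),
    Rule("deny", ANY, ANY),
]

EXPECTED_EXTERNAL = [
    (Packet("203.0.113.10", "198.51.100.1", PROTO_UDP, 500), "permit"),
    (Packet("203.0.113.10", "198.51.100.1", PROTO_UDP, 4500), "permit"),
    (Packet("203.0.113.10", "198.51.100.1", PROTO_ESP), "permit"),
    (Packet("203.0.113.10", "198.51.100.1", PROTO_TCP, 22), "deny"),  # SSH to router
    (Packet("192.0.2.5", "198.51.100.1", PROTO_ESP), "deny"),          # unknown peer
]

EXPECTED_CHOKE = [
    (Packet("10.200.1.1", "10.10.20.5", PROTO_TCP, 443), "permit"),
    (Packet("10.200.1.1", "10.10.30.5", PROTO_TCP, 443), "deny"),   # wrong internal net
    (Packet("10.200.1.1", "10.10.20.5", PROTO_TCP, 22), "deny"),    # wrong service
    (Packet("10.200.1.1", "172.16.50.1", PROTO_TCP, 22), "deny"),   # Extranet VLAN gateway
]


def check_design() -> list:
    """Empty list means both access lists meet the design rules."""
    return audit(EXTERNAL_IN, EXPECTED_EXTERNAL) + audit(EXTRANET_CHOKE, EXPECTED_CHOKE)


if __name__ == "__main__":
    for violation in check_design():
        print("VIOLATION:", violation)
    print("design OK" if not check_design() else "design has violations")
```

Keeping the expected flows in a table next to the access lists makes the design reviewable: a change that widens `EXTERNAL_IN` or drops the Extranet VLAN deny shows up as a named violation rather than as a silent gap in the build.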