Aron Warren, George Khalil, Michael Hoehl February 2012


1 Implementing and Automating Critical Control 19: Secure Network Engineering for Next Generation Data Center Networks
Aron Warren, George Khalil, Michael Hoehl February 2012
SANS Technology Institute - Candidate for Master of Science Degree

This document provides technical approaches to implement and automate safeguards consistent with control 19 “Secure Network Engineering” of the SANS Twenty Critical Security Controls for Effective Cyber Defense. The scope is for high speed 40G networks designed to host Internet facing web and mobile applications.

2 Objectives
- Introduction
- Secure Network Engineering
- Challenges for Next Generation Networks
- Functional Requirements
- Key Risk Considerations
- High-Level Design and Build Approach
- N-Tier Application and Infrastructure Control Checklist
- Lessons Learned

Introduction to SANS 20 Critical Security Controls for Effective Cyber Defense, drilldown on Security Control 19 “Secure Network Engineering” and scope of Joint Written Project (JWP).

Secure Network Engineering concepts are explained. Insight is provided based on research with vendors and customers of high speed networks.

Challenges for 40GbE and 100GbE networks are identified.

Technical and business requirements used to develop this paper’s recommendations are presented. Most are based upon the fictitious company GIAC Enterprises organization profile. The expectation is these same functional requirements would be used by readers to help author RFP and design documents.

In addition to functional requirements, key risk considerations are presented. These risks include mixing IT assets of different value, control integration, remote access for admins and configuration errors.

High-Level Design and Build Approach is presented. Key controls discussed in Critical Control 19 are incorporated.

Additional details about applications and infrastructure enclaves are offered.

Pitfalls and Promising Solutions are presented based on interviews and research.

3 Introduction
- SANS 20 Critical Security Controls for Effective Cyber Defense
- Security Control 19 “Secure Network Engineering”
- Technical approaches to advance this control
- Scope is for Web/Mobile App and 40GbE

The SANS Institute extracted twenty critical technical security controls from Revision 3 of the NIST Special Publication (National Institute of Standards and Technology, 2010), the recommended security controls for federal information systems (SANS, 2011). These controls are prioritized based upon NSA attack remediation strategies scores and are directed towards CISOs, CIOs and IGs (SANS, 2011). The controls form a shared top priority list for protection against today’s and tomorrow’s cyber attacks.

This paper is based on Critical Control number 19, “Secure Network Engineering” which focuses on the design aspects of the network infrastructures. Security Control 19 covers best practices for network design, maintenance and operations through monitoring, isolating and protecting critical resources.

For this STI Joint Written Project, a fictitious organization was created and named GIAC Enterprises. GIAC Enterprises is a small to medium sized growing business (1,000 employees, two data centers, 200 people in central business and IT) and is the largest supplier of Fortune Cookie sayings in the world. The CIO has created a special tiger project team. GIAC Enterprises has recently decided to implement a 40GbE network to meet the demands of mobile apps that deliver fortunes. The recommendations and scope of this paper are associated with this type of organization profile. Further, the business has asked that automation be considered wherever available so that additional staffing is minimized.

Before authoring this paper, the STI team approached vendors, consultants, and early adopters of 40GbE to share their expertise and lessons learned. This research incorporates their feedback. Current benchmarks and standards were also reviewed for applicability to 40GbE.

4 Secure Network Engineering
- Document Gathering is First Step
- Understand Data Flows
- Log Events and Correlate
- Apply Least Privileged Principles
- Divide and Secure
- Establish Trust and Validate Data Integrity
- Test and Validate Routinely

Secure network engineering begins with gathering documentation—not creating documentation. Understanding the business purpose of the new infrastructure, risk appetite of the organization, existing infrastructure, current data flows, planned interfaces, financial constraints, corporate security policies, contractual (e.g., PCI) and regulatory (e.g., SOX) obligations are important first steps. Gaps are typically discovered during this first phase. A small investment of time here can result in big payoffs later in the project.

“Know thy network!” Attackers will succeed if they know more about your network than you. Creating an accurate map of the current and intended network is necessary early on in the project. A traditional network topology map is an excellent start; however, this does not provide the entire picture. Documentation should also include all protocols running through the network, data flows, chokepoints, asset lists (including value), access controls, and system administration methods. Inter-system dependency should also be documented (for example, an IP host cannot talk to its peer over the network without name resolution). Several of these documents are living and change regularly. Establish a change management procedure as well as a means to properly secure the documentation.

Log all data and events for analysis and auditing. This area is a great opportunity for automation to reduce the amount of manual labor required to process large amounts of data. A company must evaluate its network in order to find all possible event logging sources. A SIEM's correlation engine is more effective as more logging sources are added. Be sure to confirm proper logging levels are enabled.

Only permit necessary communication between resources to allow systems to perform their function. All other traffic should be explicitly denied. The same least privilege principles apply to high authority access to infrastructure and applications. Access should be granted and limited to only allow tasks specifically related to job function; all other access should be explicitly denied.

Today’s advanced web and mobile applications are tiered in architecture. This provides another credible argument for separation of hosts into communities. Enclaves, also referred to as network segments, allow grouping of assets of similar functionality or value. Trust boundaries can be created, making it easier to assign responsibilities and establish accountabilities. Chokepoints can be introduced between the enclaves to prioritize network flows, inspect traffic, and perform forensics. The chokepoints can also be used to limit access to the hosts and their associated applications.

“Inspect what you expect.” Regularly test and validate your security configuration settings. Vulnerability Testing helps identify configuration errors as well as product defects.

5 Challenges for Next Generation Networks
- 40GbE is still early in “hype” cycle for Enterprises
- Throughput speed ≠ Wire speed
- Uncertainty increases relative to speed
- Limited forensic team experience with 40GbE
- Existing operations resource capacity

The IEEE 802.2ba specification for 40GbE was ratified June Many vendors do not offer 40GbE solutions yet in 2012. Security vendors are catching up; however, network products that are currently available on the market are ahead of security solutions.

Forensics analysis teams are only now beginning to ramp up for 40GbE. Organizations must be careful not to get too far ahead of incident handling teams, law enforcement, and assessment teams. In the event these teams are not prepared to work with the 40GbE infrastructure, the enterprise may find work being done on production systems—or that the production systems may get confiscated to conduct investigations.

Security device adoption of the 40GbE interface standard is slower than network devices. The level of uncertainty increases relative to speed too. For example, in the past if 1% of traffic was missed on a 100Mbps pipe, this only resulted in an actual uncertainty of 1Mbps. However, this same 1% is equivalent to 100Mbps of traffic not analyzed at 10GbE and 400Mbps at 40GbE. With an increase in speed, the volume of unanalyzed traffic (uncertainty) grows to an unacceptable level.

Automation will be critical if adding staff is not desirable. 40GbE can quickly overwhelm existing operations resource and human capital capacity.

6 Functional Requirements
- Documentation
- Data Center Physical Controls
- Enclaves
- Firewalls and Security Apps
- Internet Access
- DNS
- Hardening
- Config and Change Mgt
- Virtual and Blade Servers
- Vulnerability and Threat Mgt
- Log Mgt
- Asset Mgt
- Access Mgt
- Performance Mgt
- Forensic Mgt
- Service Mgt

As with all projects and designs, a clear understanding of business and technical requirements is required. Based upon the fictitious company GIAC Enterprises organization profile, the following requirements were used to develop this paper’s recommendations. With 40GbE networks, security cannot be “bolted on” as an afterthought. The design will not be successful if security is not included early in the requirements and planning phases. Secure network engineering is only 1 of 20 critical security controls; however, it can be one of the most impactful. Further, there are no higher level controls that can overcome a serious deficiency with lower level network controls. Without proper design and build practices, many of the other 19 critical security controls can be defeated or simply circumvented.

1. Documentation
Secure network engineering begins with gathering documentation—not creating documentation. Understanding the specific business purpose(s) of the new infrastructure, risk appetite of the organization, existing infrastructure, current data flows, planned interfaces, financial constraints, corporate security policies, contractual (e.g., PCI) and regulatory (e.g., SOX) obligations are important first steps. Gaps are typically discovered during this first phase. A small investment of time here can result in big payoffs later in the project. Creating an accurate map of the current and intended network is necessary early on in the project. A traditional network topology map is an excellent start; however, this does not provide the entire picture. Documentation should also include all protocols running through the network, data flows, chokepoints, asset lists (including value), access controls, and system administration methods. Inter-system dependency should also be documented (for example, an IP host cannot talk to its peer over the network without name resolution). Several of these documents are living and change regularly. Establish a change management procedure for documents, as well as a means to properly secure the documentation.

2. Data Center Physical Controls
Network engineers will commonly consider Data Center environmentals (e.g., cooling, power, cable distribution, and rack space). However, Data Center physical security controls must also be inspected and planned for.

3. Enclaves
“Fast, fat, and flat” may seem like an ideal mantra for next generation networks. However, this design approach leads to operational and security risks. Today’s advanced web and mobile applications are tiered in architecture. This provides another credible argument for separation of hosts into communities or “enclaves”. An enclave, also referred to as network segment or DMZ, allows grouping of assets of similar functionality or value. Trust boundaries can be created, making it easier to assign responsibilities and establish accountabilities. Chokepoints can be introduced between the enclaves to prioritize network flows, inspect traffic, and perform forensics.

4. Firewalls and Security Apps
Firewalls are used to interconnect the enclaves. Firewalls must be configured to perform stateful inspection of network traffic. A “security fabric” is recommended that includes conventional switch and firewall functionality, as well as integrated security applications. These security applications are integrated into a high-speed (500GbE or faster) backplane chassis, reducing the need for cabling and 40G physical ports. Security applications in scope are Intrusion Prevention, In-line Malware and Spyware Scanning. If supported, Web Application Firewall (WAF) and Database Activity Monitor (DAM) services should also be integrated into the security fabric.

5. Internet Access
Redundancy and diversity are recommended for Internet Access. Design considerations should also include multiple data centers and disaster recovery.

6. DNS
Internal DNS must be designed in a hierarchical manner. DNS Servers are required for hosts within the N-Tier Application and Infrastructure Enclaves only. These DNS Servers must point to trusted DNS Servers within the Enterprise Core. The Enterprise Core DNS Servers then connect to authoritative servers on the Internet. DNS Servers within the Network Application Enclave as well as all DNS Clients within the other enclaves are not permitted direct Internet access for name resolution.

7. Hardening
System and infrastructure hardening is required. Benchmarks from SANS, CIS, or similar authoritative source must be adopted as part of standard system build process. Verification of build standard must be done prior to commissioning system. Automation of security control verification and recurring configuration inspection must be implemented. Procedures should follow an authoritative standard (e.g., NIST Special Publication Guide for Security-Focused Configuration Management of Information Systems). Lastly, formal certification and accreditation procedures for systems must be created and integrated into Change Management.

8. Configuration and Change Management
Automated file-integrity monitoring (also known as change-detection software) is required to track network and security component alterations. These tools must alert staff to unauthorized modification of critical system files, configuration files, or content files. Recurring configuration comparisons must be performed to ensure integrity of applications, systems, and infrastructure. All detected configuration changes with material impact must be reconciled to Change Management tickets.

9. Virtual and Blade Servers
Virtual switching is inherent to hypervisor platforms. Care must be taken when implementing layer 3 virtual switch capabilities. Network based security controls (e.g., firewalls, NIPS, etc.) are not to be circumvented using these virtual switches. Netflow or similar technology must be included in the solution to baseline traffic patterns and to identify communication anomalies between virtual clients.

10. Vulnerability and Threat Management
Vulnerability Scanning and Penetration Testing must be performed routinely. Scanning and Testing must be performed using sources originating from the Internet as well as within each enclave. This provides insight into the initial surface of attack as well as pivot weaknesses. An operational framework is required that delivers patch and non-patch remediations in a timely manner. Consider an approach based on NIST Special Publication Version 2.0 Creating a Patch and Vulnerability Management Program. Real-time Threat Analysis must be performed using Intrusion Prevention Systems (IPS), In-line Malware and Spyware Scanning. Host Intrusion Prevention Systems are highly recommended for seasonal companies that cannot patch systems promptly throughout the year. Seasonal “freezes” (e.g., Chinese New Year) may require systems to go unaltered for months, preventing implementation of patch and non-patch remediations within 30 days. A Host Intrusion Prevention System can help serve as a bridge during these freezes. Additional Intrusion Prevention Systems are recommended including Web Application Firewalls (WAF) and Database Activity Monitoring (DAM). For Next Generation Networks, WAF and DAM services are becoming vital for detecting higher level attacks that may be diluted among the millions of events and alerts that are being reported by the systems.

11. Log Management
Threat monitoring with actionable intelligence is a prerequisite for rapid response. A Security Information and Event Management (SIEM) system is required to gather, process, correlate, alert, and archive security events. Resiliency depends on clear understanding of operational and security threats. If the log sources are not properly configured, then the SIEM and SOC cannot be effective. Log and event sources for SIEM include operating systems, applications, databases, network, and security components. Secure Network Engineering includes the proper configuration of these components to generate the necessary events that drive incident response.

12. Asset Management
An Asset Management system or CMDB is required to track assets and configuration information in a secure manner. This information should be verified routinely using automated tools that scan the network and fingerprint assets. Assets must be scanned for data classification, too. Scanners must incorporate algorithms to identify restricted data (e.g., Luhn Mod-10 method for identifying and validating credit card primary account numbers). Rogue device detection must be performed routinely.

13. Access Management
Authentication, Authorization, and Auditing systems for customers must be separate from system administrators. High Authority accounts used by DBAs, firewall admins, network engineers, system admins, and vendors must be located in a separate Management enclave from customer accounts. No trust is to be established between Enterprise Core, High Authority, and Customer credential systems. Network Access Control (NAC) products are to be implemented to check the status of malware prevention, personal firewall, patches, and vulnerabilities on administrator computers prior to revealing the jump boxes.

14. Performance Management
SNMP, RMON, and Netflow are common tools for network engineers to perform performance monitoring and capacity planning. These protocols must be properly secured. Vendor defaults (e.g., SNMP community string PUBLIC) are not permitted. SNMP v3 is required. When available, authentication and encryption controls must be incorporated into performance management design.

15. Forensic Management
Support for Forensic Analysis and Network Monitoring “Out of band” is required. Network taps or in-line OSI Layer 1 network monitoring devices are acceptable. These devices are to be transparently connected so that they do not introduce performance degradation. SPAN or similar technology features are not to be used on 40GbE components. In addition, the integration of the network monitoring devices must be in a manner that does not allow circumvention of network based security controls (e.g., firewall). Dedicated network monitoring systems for each enclave would provide the necessary boundary to prevent this exploit.

16. Service Management
Where there is a business advantage, consider the use of Managed Service Providers as an alternative to additional staffing. Opportunities include domain hosting, Managed PKI, Firewall/IPS/IDS/AV Management, Security Operations Center services, Computer Security Incident Handling, Vulnerability Scanning and Penetration Testing. Some of these same services are available as a cloud computing offering. This option might be desirable for reducing capital and expense commitments. This allows the limited IT staff to focus on business communications and solutions by reducing the demands of daily security operations. This also provides an elastic bench of resources for the busy seasons and rapid business growth.
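
The Asset Management requirement above asks for scanners that identify restricted data with the Luhn Mod-10 method. The following is an added example, not code from the presentation: a small Python scanner that finds card-number candidates in sampled text, validates them with Luhn, masks them, and labels the asset. The asset names and log lines are constructed, and the card numbers are well-known test values.

```python
import re

# A candidate PAN: 13-19 digits, optionally grouped by single spaces or
# hyphens, and not embedded in a longer digit/hyphen run.
PAN_CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def luhn_valid(digits):
    """Luhn Mod-10: double every second digit from the right, sum, check mod 10."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits so findings never hold a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return [(line_number, masked_pan)] for every Luhn-valid candidate in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if len(set(digits)) == 1:
                continue  # filler such as all zeros passes Luhn; ignore it
            if luhn_valid(digits):
                findings.append((lineno, mask(digits)))
    return findings


def classify_assets(assets):
    """Label an asset 'restricted' if any sampled content holds a valid PAN."""
    return {name: ("restricted" if find_pans(text) else "unclassified")
            for name, text in assets.items()}


# Constructed sample content (not real data).
SAMPLE_LOG = """\
2012-02-14 10:22:31 order=1234567890123456 status=shipped
2012-02-14 10:22:35 debug card=4111111111111111 exp=12/14
2012-02-14 10:23:02 note: customer read 5500 0000 0000 0004 over the phone
2012-02-14 10:23:40 card=4111111111111112 rejected
"""

SAMPLE_ASSETS = {
    "web-01:/var/log/app.log": SAMPLE_LOG,
    "dns-01:/var/log/named.log":
        "2012-02-14 10:22:31 query www.example.com A from 10.10.1.17\n",
}

if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_LOG):
        print("line", lineno, pan)
    print(classify_assets(SAMPLE_ASSETS))
```

The 16-digit order number and the mistyped card on the last line are rejected by the checksum, which is what keeps the false-positive rate of a digit-pattern scanner manageable.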

7 Key Risk Considerations
- Mixing assets of different value
- Integrating security and network controls
- High event volume and Impact of false negatives
- Understanding data flows and security policies
- Performance impact of inspection
- Protecting high authority access
- Configuration errors and product defects

Although the network is divided into separate enclaves, the risk still exists if a system is incorrectly placed in the wrong zone. An error could expose high value assets in a low value asset enclave. Misconfiguration is not limited to wrong enclave placement. Firewall ACLs can be misconfigured to allow access between zones, exposing high value assets. Strict change control and regular vulnerability testing are key to identifying and correcting mistakes when they occur.

Security is not an isolated silo. To achieve security objectives the organization must integrate security procedures into day to day network and infrastructure operations. Security needs to be a part of the change control panel to provide insight and guidance on proposed changes as well as raise the awareness level.

A large volume of logs will be created by 40GbE traffic flow and events. Gathering, parsing, and correlation of data will demand automation. Storage and retention considerations are necessary so that the analysis tools do not suffer performance problems processing large volumes of outdated or irrelevant data. The risk of false negatives grows due to the potential large volume of data flowing through the high speed network.

Real threats are diluted by 40GbE of data flows. Understanding data flows and security policies becomes vital to identifying threats.

To alleviate this risk all switches were only dedicated to core operations. All span and monitor functions were moved to a stand alone monitoring switch, reducing the CPU and processing overhead on network switches. This approach allows inspection without performance impact. Monitoring of analysis engines is critical to validate if data is being dropped due to processing or other limitations. Although the network is providing full speed 40GbE, individual application CPU or disk processing might not be able to catch up. The design takes that into consideration and recommends adding load balancers if needed to distribute the processing load across multiple systems.

Admins are often targets due to elevated permissions as well as their access to the organization’s core infrastructure. NAC and account separation are critical to isolate and secure admin access.

Automation is necessary to detect intended and unintended configuration changes that result in vulnerabilities. Determining eligibility for product patches and security updates can be a challenge, so automation is recommended to track vendor notifications as well as presence of product defect.
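
Detecting intended and unintended configuration changes, and reconciling them to Change Management tickets as the functional requirements ask, can be automated along these lines. This is an added example, not code from the presentation: the device paths, configuration lines and ticket ids are constructed, and matching a change against the hash recorded on its ticket is an assumption about how approvals are stored.

```python
import hashlib
from collections import namedtuple

# Hypothetical ticket record: approved_sha256 maps each approved path to the
# SHA-256 the file should have after the change (None = approved removal).
ChangeTicket = namedtuple("ChangeTicket", "ticket_id approved_sha256")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def fingerprint(configs):
    """Map each configuration path to the SHA-256 of its content."""
    return {path: sha256(data) for path, data in configs.items()}


def detect_changes(baseline, current):
    """Compare two fingerprint maps: {path: 'added' | 'removed' | 'modified'}."""
    changes = {}
    for path in sorted(baseline.keys() | current.keys()):
        if path not in current:
            changes[path] = "removed"
        elif path not in baseline:
            changes[path] = "added"
        elif baseline[path] != current[path]:
            changes[path] = "modified"
    return changes


def reconcile(changes, current, tickets):
    """Split changes into reconciled {path: ticket} and unreconciled {path: reason}."""
    reconciled, unreconciled = {}, {}
    for path, kind in changes.items():
        covering = [t for t in tickets if path in t.approved_sha256]
        if not covering:
            unreconciled[path] = kind + " with no change ticket"
            continue
        # A ticket only covers the exact content that was approved.
        exact = [t for t in covering if t.approved_sha256[path] == current.get(path)]
        if exact:
            reconciled[path] = exact[0].ticket_id
        else:
            unreconciled[path] = (kind + " but content differs from "
                                  + covering[0].ticket_id)
    return reconciled, unreconciled


# Constructed snapshots; the lines are illustrative, not real device syntax.
BASELINE = {
    "fw-core/acl.conf": b"permit web app 8443\ndeny any any\n",
    "fw-dmz/acl.conf": b"permit inet web 443\ndeny any any\n",
    "sw-web/snmp.conf": b"snmp v3 user netops auth sha priv aes\n",
}
APPROVED_CORE = b"permit web app 8443\npermit app db 5432\ndeny any any\n"
APPROVED_DMZ = b"permit inet web 443\npermit inet web 80\ndeny any any\n"
CURRENT = {
    "fw-core/acl.conf": APPROVED_CORE,                       # as approved
    "fw-dmz/acl.conf": b"permit inet web 443\npermit inet any any\ndeny any any\n",
    "sw-web/snmp.conf": b"snmp v2c community public ro\n",   # vendor default
}
TICKETS = [
    ChangeTicket("CHG-1001", {"fw-core/acl.conf": sha256(APPROVED_CORE)}),
    ChangeTicket("CHG-1002", {"fw-dmz/acl.conf": sha256(APPROVED_DMZ)}),
]


def run_sample():
    current = fingerprint(CURRENT)
    changes = detect_changes(fingerprint(BASELINE), current)
    return reconcile(changes, current, TICKETS)


if __name__ == "__main__":
    ok, alerts = run_sample()
    print("reconciled:", ok)
    print("unreconciled:", alerts)
```

Only the unreconciled set needs human attention, which is the point of automating the comparison when additional staffing is not an option.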

8 High-level Design and Build Approach
The network was designed using separate enclaves for different risk levels. Enclaves are also known as network segments or DMZs. Enclaves pass traffic through a firewall, IPS and inline AV. Web Application, Internet Access, and Database enclaves have additional controls to defend against attacks specific to their function (e.g., Web Application Firewall).

Boundary devices such as Internet router and Internet firewall are standalone high powered devices. These are necessary to handle traffic and prevent internal systems from overload in the event of a resource starvation attack.

High Authority and Administrative access is only allowed through the Management enclave. IT Staff must go through the Management enclave to access infrastructure and applications with high authority. Access level is validated, target and source system confirmed, and administrator’s computer inspected by the NAC appliance prior to being granted access to the appropriate management jump box.
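
The enclave design above depends on firewall ACLs matching the documented data flows, with administrative access arriving only from the Management enclave. The following is an added example, not code from the presentation: an ACL audit that flags permit rules crossing enclaves outside the documented flows. The subnets, ports, flow list and rule format are all constructed assumptions, and rule shadowing under first-match evaluation is deliberately ignored, so the audit errs toward reporting.

```python
import ipaddress
from collections import namedtuple

# Constructed addressing plan: one subnet per enclave (assumption).
ENCLAVES = {
    "web": ipaddress.ip_network("10.10.1.0/24"),
    "app": ipaddress.ip_network("10.10.2.0/24"),
    "db": ipaddress.ip_network("10.10.3.0/24"),
    "mgmt": ipaddress.ip_network("10.10.9.0/24"),
}

# Documented data flows: (source enclave, destination enclave, TCP port).
ALLOWED_FLOWS = {
    ("web", "app", 8443), ("app", "db", 5432),
    ("mgmt", "web", 22), ("mgmt", "app", 22), ("mgmt", "db", 22),
}
ADMIN_PORTS = {22, 3389}

# src/dst are CIDR strings or "any"; port None means any port.
Rule = namedtuple("Rule", "action src dst port")


def enclaves_touched(cidr):
    """Names of the enclaves whose subnet overlaps the rule's address range."""
    net = ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)
    return sorted(name for name, subnet in ENCLAVES.items() if net.overlaps(subnet))


def audit(rules):
    """Return [(rule_number, finding)] for permits outside the documented flows."""
    findings = []
    for number, rule in enumerate(rules, 1):
        if rule.action != "permit":
            continue
        for src in enclaves_touched(rule.src):
            for dst in enclaves_touched(rule.dst):
                if src == dst:
                    continue  # traffic inside one enclave does not cross a boundary
                if rule.port is None:
                    findings.append((number, "%s->%s permits all ports" % (src, dst)))
                elif (src, dst, rule.port) not in ALLOWED_FLOWS:
                    if rule.port in ADMIN_PORTS and src != "mgmt":
                        why = "admin access not from mgmt"
                    else:
                        why = "undocumented flow"
                    findings.append(
                        (number, "%s->%s tcp/%d: %s" % (src, dst, rule.port, why)))
    # All other traffic should be explicitly denied by the last rule.
    if not rules or rules[-1] != Rule("deny", "any", "any", None):
        findings.append((len(rules) + 1, "missing explicit deny-all as final rule"))
    return findings


# Constructed rule sets.
GOOD_ACL = [
    Rule("permit", "10.10.1.0/24", "10.10.2.0/24", 8443),
    Rule("permit", "10.10.2.0/24", "10.10.3.0/24", 5432),
    Rule("permit", "10.10.9.0/24", "10.10.0.0/16", 22),
    Rule("deny", "any", "any", None),
]
DRIFTED_ACL = GOOD_ACL[:3] + [
    Rule("permit", "10.10.1.0/24", "10.10.3.0/24", 5432),   # web straight to db
    Rule("permit", "10.10.1.17/32", "10.10.3.0/24", 22),    # SSH from a web host
    Rule("permit", "10.10.2.0/24", "10.10.1.0/24", None),   # any port
]

if __name__ == "__main__":
    for number, finding in audit(DRIFTED_ACL):
        print("rule", number, finding)
```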

9 N-Tier Application Control Checklist
- Enclave for each app function
- Dedicated Internet Access
- Firewall Security Fabric
- Separate Infrastructure Firewall
- SSL Accelerator and Proxies
- Tiered DNS
- Virtualization and Blade Servers
- Netflow
- Network Address Translation
- Network Monitoring Switch
- Load Balancers

N-Tier Application enclaves were separated based on risk, function and asset value.

Internet access is connected on dedicated hardware to prevent resource starvation attacks.

N-Tier Application enclaves are connected via a shared security fabric to apply multiple security services through a high speed shared backplane. Traffic is explicitly permitted and denied to cross to adjacent enclaves.

SSL Accelerators terminate encryption tunnels as well as challenge customers for authentication. Proxies are also recommended to keep the surface of attack as small as possible.

DNS is tiered as a security control as well as to optimize performance.

Virtualization and Blade Servers introduce challenges that conventional servers do not. Virtual switching is inherent to hypervisor platforms. Care must be taken when implementing layer 3 virtual switch capabilities. Network based security controls (e.g., firewalls, NIPS, etc.) are not to be circumvented using these virtual switches.

Netflow or similar technology must be included in the solution to baseline traffic patterns and to identify communication anomalies between hosts (virtual and physical).

Network Address Translation (NAT) is used to disguise the private network and provide portability for DR.

Network Monitoring Switches provide “out of band” options for forensic analysis, IPS, and other inspection tools. These solutions do not introduce a performance penalty like SPAN.

Load Balancers may be necessary for host redundancy and to “spray” traffic across multiple security and host systems.

10 Infrastructure Control Checklist
- Enclave for each function
- No direct Internet access
- Infrastructure Firewall
- Dedicated Enterprise Firewall
- Customer Authentication
- Admin Authentication
- Jump Boxes
- Network Access Control (NAC)
- Business-to-Business (B2B) VPN
- System and Security Event Mgt

Provides segmentation of infrastructure services such as customer authentication, network applications, vendor connections, and remote management. Management is only allowed through a jump box within the management enclave to monitor and restrict management activities. Common network application services (e.g., DNS, NTP, etc.) reside in the network applications enclave. These network application services are revealed securely to the N-Tier Application enclaves using ACLs. Customer Authentication system is separate and distinct from High Authority Authentication system.

No Internet access is allowed directly from the infrastructure enclaves to prevent data leaks or Internet based threats.

A dedicated Enterprise Firewall is required to create a trust boundary.

A separate credential store is necessary for IT staff authentication when accessing infrastructure, systems, and applications with high authority.

“Jump Boxes” provide secure access to infrastructure, systems, and applications with high authority. Microsoft, Citrix, and VMWare solutions can be considered. Non-console administrative access using HTTP and HTTPS must be proxied. Two-factor authentication is necessary for all jump box and proxy access.

NAC is implemented to inspect controls on PCs used by IT staff.

B2B Enclave provides network and services in which vendor partners can land securely. Vendors include managed service providers, payment processors, outsourcing teams, EDI providers, and cloud service providers. VPN IPSec site-to-site and routed connections land here.

Infrastructure, systems, and applications will all create logs to alert administrators to significant events. Security events are also of interest. Threat monitoring with actionable intelligence is a prerequisite for rapid response. A Security Information and Event Management (SIEM) system is required to gather, process, correlate, alert, and archive security events.

11 Lessons Learned
Pitfalls
- Poor Documentation
- Too many ACLs and Flows
- Netflow “meltdown”
- 4x10 Port Aggregation
- Virtual Switch Overload
- Poorly designed QoS
- Forensic Teams
Promising Solutions
- Security Fabric
- Firewall Policy Mgt
- Virtual Switch Replacement
- IEEE 802.1AE (MACsec)

Pitfalls…

Documentation gathering is the first step—and foundational for the success of the next generation network design. Failures and unplanned rework will occur during RFP, design, and build without proper documentation. Controls will not be able to be sustained without proper documentation.

Firewall ACL optimization is required for rapid implementation of changes and firewall performance. In addition to ACL optimization, network engineers must consider the number of flows passing through the firewall. Poorly written ACLs and a high number of flows can materially impact firewall performance.

40GbE with many brief flows (e.g., Internet clients accessing SSL Accelerator) may cause existing Netflow management platform integrity and capacity issues. Further, Netflow data from a 40GbE network could unintentionally saturate 100Mbps and 1Gbps connections that lead to the Netflow Management platform.

Port aggregation technologies available today provide the ability to achieve 40 gigabit speed. However, the implementation of this feature may prevent integration of new security controls in-line.

Physical switches running at 10GbE and 40GbE can quickly overwhelm virtual switches within hypervisor platforms. Baselines for processing by the hypervisor platform will change when integrating physical high-speed Ethernet. A Blade Server chassis can also experience similar “drinking from the fire hose” conditions.

Network design should include considerations for all data flows—physical and virtual. Mismanaged traffic will result in more work for the security controls to follow flows for threats and policy enforcement. When the security controls are over-utilized with network traffic tracking, the network throughput quickly declines.

In the event Forensic teams are not prepared to work with the 40GbE infrastructure, the enterprise may find work being done on production systems—or that the production systems may get confiscated to conduct investigations.

Promising Solutions…

Security Fabric = firewalls with 500Gbps+ integrated switching fabric and the ability to add security applications such as IPS, IDS, in-line virus and spyware scanning, proxy, WAF, and DAM. Parallel processing reduces latency considerably as compared to using external appliances serially connected over 40GbE. In addition, these vendors offer integrated management solutions with a standard user interface.

Firewall Policy Management (FPM) is extremely helpful for optimization and visualization so that admins can effectively reduce firewall rules and policies. FPM tools also provide insight into permitted data flows across multiple firewalls (even from multiple firewall vendors).

New replacement virtual switch solutions replace the default virtual switch found on the Hypervisor platform. Products from Cisco (Nexus 1000V) and Lancope (StealthWatch FlowSensor VE) are useful in the virtual environment for anomaly detection, data flow mapping, and network performance monitoring.

The new IEEE 802.1AE standard (also known as MACsec) provides a new method of protecting data traversing Ethernet LANs without the hosts having to provide CPU cycles or a supplicant to benefit from the encryption. This standard also provides an effective method to identify unauthorized hosts on a LAN. Communication with these unauthorized hosts is automatically prevented. Snooping attacks are also defeated.

12 Benefits
- Improved Security
- Increased Design Credibility
- Better Manageability
- Lower Total Costs
- Faster Response to Threats

Ultimately, adopting these design recommendations will provide a solid foundation for safeguarding infrastructure and data at the highest speeds available today—and tomorrow.

Benefits include…

Improved Security - Secure Network Engineering provides several safeguards as well as a solid foundation for higher level security controls.

Increased Design Credibility - When Network Architects integrate security early in the planning and design phase, less rework is required. The SDLC advances more smoothly. Rework is avoided. Unplanned expenses are minimized.

Better Manageability - Security is easier to maintain and compliance can be sustained.

Lower Total Costs - Rework is always more expensive than incorporating solutions early in the planning cycle.

Faster Response to Threats - Resiliency depends on clear understanding of operational and security threats. The recommendations provided by this paper provide the greatest level of visibility into threats and vulnerabilities.

