How do you design a well-organized, well managed network for small/medium business?
Let’s layout some assumptions:
- There are server in the office
- The servers are in either in a well-organized closet or in a server room (they are not in a Colo - but access is restricted)
- There may be some amount of Cloud/SaaS applications
- This is not a VDI environment (we could sketch that out in a different post)
- Security is a concern - but not security at any cost
Let’s start with what I generally see
As a consultant, I’ve been engaged by dozens of small/medium size businesses and many large businesses. What I tend to see in the small/medium group is a flat network using a single subnet - a /24 or less common a /16. There is only one VLAN and all the Servers, Switches, Hypervisors and Desktops are in the broadcast domain.
If I was an attacker, this would be a “Target Rich Environment”…
Now, I know how these companies tend to arrive at this situation - whoever originally setup the network didn’t have the equipment, budget or network knowledge at the time to do something more complicated - and small business tends to value “IT WORKS” over “IT IS SECURE AND WORKS”.
I’ve seen larger businesses that have struggled to unwinding this technical debt.
This flat network poses a lot of problems:
- A worm (e.g. NotPetya) that infects one machine has unrestricted access via Layer 2 broadcast to all other IPs
- As the number of machines increase over time the available addresses will eventually run out, requiring some re-IPing
- If a hacker gets control of one desktop they have a platform for attacking the entire network
- Insider threat is also unrestricted
What’s the better option?
Nuts and Bolts
With the goal to limit the “blast radius” - since 3 or the 4 problems I’ve listed boil down to too much access - I’ve been strongly recommending dividing the network into 4 general segments:
This isn’t revolutionary, but from the environments I’ve seen this would be a big change.
Small/Medium business do not have unlimited security budgets (who does?), they don’t generally have many IT staff members - and those they do have tend to be focused on Servers and Desktops, not the network or security - and their Business Leaders don’t have a security focus - yet.
Let’s talk about these segments - this is not a hard and fast rule, this is a basic model. Some businesses will break Servers down into two segments: Applications and Storage/Data. Some businesses will want to segregate their Accounting computers away from the rest of their desktops.
But this is the starting point I think most companies can begin from.
Critically, these four segments need to be separated by a Firewall, applying Layer 7 application controls and full UTM scanning to the traffic.
And this is why we are focusing this conversation on Small/Medium business - a Large Organization will have additional equipment and needs, and this design won’t fit.
A small business can start with an HA Pair of FortiGates and have these 4 segments setup and running on relatively low cost equipment.
The UTM scanning is important - I can add AV scanning to the firewall rule that permits SMB traffic from desktops to file servers - this is critical for preventing the spread of worms.
I can add IPS to the firewall rules that allow DMZ VMs to talk to internal servers, and I can add IPS to prevent a hacker or insider threat from moving from a desktop to the servers.
Having a firewall as the core of the network, instead of a router, provides much better security.
Let’s expand on the Management segment definition, because this is probably the least self-explanatory.
The Management segment is where the Hypervisor host management IPs are (ESXi IPs), it’s where the Hypervisor management server is (vCenter), it’s where the IPMI management cards are (iLO, iDRAC, IMM), it’s where switch management IPs are, it might be where you put your Backup Server.
(I believe I could make a pretty good case to put the backup server into yet another segment, all by itself, but let’s not digress.)
Desktops, Servers and DMZ are all pretty obvious - Servers, as mentioned earlier, might need to be broken down into more than one segment, but for a model, this is fine.
One last thing about Desktops - where possible and supported by the switch hardware, their network ports should probably be put into an Access or Protected VLAN. This might be a bit trickier for a small business, as this might not be supported on the hardware they have or the hardware they have budget for, but this should be a design ideal to aim for.
What about WIFI
Yeah, well, I could sit here and list out all the different possible things, what about printers, what about VoIP, what about Fax Machines…
I’m not here to design all the networks, I’m here discussing a model that I think is an improvement!
Not satisfied with that answer - fine. It depends. It depends on what the equipment can support, if they are using EAP to bridge laptops to the LAN, or if they are providing Guest WIFI. Likely WIFI is 2, maybe 3 more segments.
This breaks my nice neat 4 segment model, so I’ve excluded it. :P
Yeah, what about VoIP
Well, again, it depends… Most organizations have this on a separate VLAN to start, so that’s not too big a problem, but you will have to sort out where the VoIP Servers go and what firewall policies need to be put around that traffic.
Summary - Firewall Centric Design
I believe that generally available, relatively low cost hardware can provide a more secure network for small and medium size business. With a considered network design these organizations could greatly increase their network security.
I’ve been working with FortiGate products for a few years and am confident that correctly sized appliances will run this well.
I’ve a bit of experience with WatchGuard and these will probably do fine too. However, I prefer Fortinet’s products because they have Switches and APs that plug in and extend the firewall and can all be centrally managed.
I would like to hear your thoughts on this model and if you have experience with a similar design, what hardware did you use and how did users find it?