
Create network layers

Creating network layers is vital for safeguarding sensitive components of your architecture. By grouping resources with shared sensitivity requirements and designing a structured access pattern, you can significantly reduce the risk of unauthorized access and limit potential exposure during a breach.

Best Practices

Implement Network Segmentation

  • Define and create distinct network segments according to sensitivity levels. For example, place sensitive databases in private subnets with restricted access.
  • Use Security Groups and Network ACLs (Access Control Lists) to enforce strict ingress and egress rules for each segment.
  • Establish a clear communication path where only necessary resources can communicate, ensuring that more sensitive components are not directly exposed to less secure resources.

Utilize Bastion Hosts for Access Control

  • Set up a bastion host in a publicly accessible subnet that serves as the only entry point for administrative access to resources in private subnets.
  • Limit access to the bastion host using security groups that allow connections only from trusted IP addresses.
  • Regularly review and audit access logs to identify any unauthorized attempts to connect through the bastion host.

Enforce Least Privilege Access

  • Limit access to network resources based on the principle of least privilege, ensuring that users and services have only the permissions necessary for their role.
  • Regularly review IAM policies and roles associated with network components to minimize access rights over time.
  • Implement proper tagging of resources to facilitate auditing and ensure sensitive resources are appropriately protected.

Regularly Audit Network Configurations

  • Conduct regular audits of your network architecture and security group configurations to identify and rectify security gaps.
  • Utilize automated tools to monitor configurations against best practices and compliance standards.
  • Set up alerts for any changes made to network resources to respond promptly to unauthorized alterations.

Control Internet Access and Traffic Flow

  • Ensure that resources that do not require internet access are placed in a private subnet, one whose route table has no route to an internet gateway.
  • Review and restrict the outbound rules of security groups to limit traffic to only necessary endpoints.
  • Implement a web application firewall (WAF) in front of public-facing applications to provide additional security against common web vulnerabilities.
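The segmentation, bastion and internet-exposure rules above can be checked mechanically against the security groups in an account. The following is an added example, not part of the original page: a Python audit over data shaped like the EC2 DescribeSecurityGroups response (constructed sample, IPv4 rules only). The "Tier" tag, the trusted admin range and the group names are assumptions made for the example.

```python
import ipaddress

# Constructed sample in the shape of the EC2 DescribeSecurityGroups response
# (IPv4 rules only); not real account data. The "Tier" tag drives the policy.
SECURITY_GROUPS = [
    {"GroupId": "sg-bastion", "Tags": [{"Key": "Tier", "Value": "bastion"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "Tags": [{"Key": "Tier", "Value": "public"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
                       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "Tags": [{"Key": "Tier", "Value": "private"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
                       {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},
]

TRUSTED_ADMIN_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed corporate range
ADMIN_PORTS = {22, 3389}  # SSH and RDP: only the bastion tier may expose these

def tier_of(sg):
    return next((t["Value"] for t in sg.get("Tags", []) if t["Key"] == "Tier"), "untagged")

def audit_security_groups(groups, trusted=TRUSTED_ADMIN_CIDRS):
    """Return (group_id, reason) for each ingress rule that breaks the layering policy."""
    findings = []
    for sg in groups:
        tier = tier_of(sg)
        if tier == "untagged":  # an untagged group cannot be checked against a tier policy
            findings.append((sg["GroupId"], "missing Tier tag"))
        for perm in sg["IpPermissions"]:
            # IpProtocol "-1" (all traffic) carries no ports, so it matches every admin port
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            admin = any(lo <= p <= hi for p in ADMIN_PORTS)
            for rng in perm["IpRanges"]:
                net = ipaddress.ip_network(rng["CidrIp"])
                if admin and tier != "bastion":
                    findings.append((sg["GroupId"], f"admin port open to {net} outside the bastion tier"))
                elif admin and not any(net.subnet_of(t) for t in trusted):
                    findings.append((sg["GroupId"], f"bastion admin access from untrusted {net}"))
                elif tier == "private":
                    findings.append((sg["GroupId"], f"private tier accepts CIDR {net}; use a security-group reference"))
    return findings

if __name__ == "__main__":
    for gid, reason in audit_security_groups(SECURITY_GROUPS):
        print(f"{gid}: {reason}")
```

Rules that reference another security group (UserIdGroupPairs) are accepted as-is, which is the pattern the private tier should use instead of CIDR ranges.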

Questions to ask your team

  • Have you segmented your network to isolate sensitive resources?
  • Are your subnets configured to restrict internet access as needed?
  • Is traffic between layers controlled through security groups and network ACLs?
  • Do you perform regular reviews of your network architecture to ensure compliance with security best practices?
  • Have you implemented least privilege access controls for all network components?
  • Are logging and monitoring in place to detect unauthorized access attempts?
  • Is there a defined process for responding to network security incidents?
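One concrete way to answer the logging and monitoring question, and to verify the "clear communication path" between layers described under Implement Network Segmentation, is to replay VPC Flow Logs against the paths the design intends. This added example (not part of the original page) does that over constructed version 2 flow log records; the subnet layout, tier names and allowed paths are assumptions made for the example.

```python
import ipaddress

# Constructed subnet layout for a three-tier VPC plus bastion (not real addresses).
TIERS = {
    "bastion": ipaddress.ip_network("10.0.0.0/28"),
    "public": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "data": ipaddress.ip_network("10.0.3.0/24"),
}
# The only communication paths the layered design intends: (source tier, destination tier) -> ports.
ALLOWED_PATHS = {
    ("internet", "public"): {443},
    ("public", "app"): {8080},
    ("app", "data"): {5432},
    ("bastion", "public"): {22}, ("bastion", "app"): {22}, ("bastion", "data"): {22},
}

def tier_of_ip(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in TIERS.items() if addr in net), "internet")

def parse_flow_record(line):
    """Parse a default-format (version 2) VPC Flow Log record into the fields we need."""
    f = line.split()
    return {"src": f[3], "dst": f[4], "srcport": int(f[5]), "dstport": int(f[6]), "action": f[12]}

def find_unexpected_paths(lines):
    """Return ACCEPTed flows that cross tiers outside the intended communication paths."""
    findings = []
    for line in lines:
        r = parse_flow_record(line)
        if r["action"] != "ACCEPT":
            continue  # REJECTs show the controls working; only accepted bypasses matter here
        src_t, dst_t = tier_of_ip(r["src"]), tier_of_ip(r["dst"])
        if src_t == dst_t or r["dstport"] in ALLOWED_PATHS.get((src_t, dst_t), set()):
            continue
        # Flow logs record the return direction too: a reply is an allowed path seen in reverse
        if r["srcport"] in ALLOWED_PATHS.get((dst_t, src_t), set()):
            continue
        findings.append((src_t, r["src"], dst_t, r["dst"], r["dstport"]))
    return findings

# Constructed sample records in the default field order (srcaddr dstaddr srcport dstport ... action log-status)
SAMPLE_LOG = """\
2 123456789012 eni-0a1 198.51.100.7 10.0.1.10 51000 443 6 10 800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2 10.0.1.10 10.0.2.20 40000 8080 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2 10.0.2.20 10.0.1.10 8080 40000 6 4 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0c3 10.0.1.10 10.0.3.30 40001 5432 6 3 200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0c3 198.51.100.7 10.0.3.30 52000 5432 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0d4 10.0.0.5 10.0.2.20 53000 22 6 8 700 1700000000 1700000060 ACCEPT OK
""".splitlines()

if __name__ == "__main__":
    for src_t, src, dst_t, dst, port in find_unexpected_paths(SAMPLE_LOG):
        print(f"{src_t} {src} -> {dst_t} {dst} on port {port} bypasses the layered design")
```

The one finding in the sample is the web tier reaching the database directly, which means a security group or network ACL is looser than the design assumes.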

Who should be doing this?

Network Architect

  • Design the network architecture with multiple layers of defense.
  • Identify components that share sensitivity requirements and group them into appropriate layers.
  • Ensure that sensitive resources are deployed in subnets with restricted access.
  • Implement network routing policies to control traffic flow between layers.
  • Regularly review and update network designs to address new security threats.

Security Engineer

  • Conduct vulnerability assessments to identify potential weaknesses in the network layers.
  • Implement security controls and monitoring for each network layer.
  • Collaborate with the network architect to ensure effective segmentation and isolation of sensitive resources.
  • Develop and maintain incident response procedures for network-based threats.
  • Stay updated on the latest security trends and practices to enhance network defenses.

DevOps Engineer

  • Integrate security best practices into deployment processes for network resources.
  • Automate the provisioning of network layers in line with security requirements.
  • Continuously monitor and log access to network components for suspicious activity.
  • Facilitate communication between development and security teams to ensure compliance with security measures.
  • Assist in the documentation of network architecture and security protocols.

Compliance Officer

  • Ensure that network designs adhere to regulatory and industry standards.
  • Conduct regular audits of network resources and layers for compliance.
  • Review security policies related to network access and provide recommendations for improvements.
  • Assist in training staff on compliance requirements related to network security.
  • Help generate reports for stakeholders regarding network security posture.

What evidence shows this is happening in your organization?

  • Network Layer Security Policy: A comprehensive policy that outlines the requirements for creating network layers within the organization, specifying guidelines for segmenting components based on sensitivity levels and ensuring minimal access paths.
  • VPC Architecture Diagram: A visual representation of the Virtual Private Cloud (VPC) setup, illustrating the defined subnets, security groups, and access control mechanisms that segregate sensitive resources into different layers.
  • Network Layer Security Checklist: A checklist to ensure best practices are followed when configuring network layers, including items like subnet isolation, routing rules, and access controls.
  • Access Control Strategy Document: A document detailing the strategy for managing access to different layers of network resources, including who is authorized to access sensitive components and how this access is monitored.
  • Incident Response Playbook for Network Threats: A defined playbook that outlines steps to take in case of network-related security incidents, ensuring that response efforts are streamlined and effective.

Cloud Services

AWS

  • Amazon VPC: Allows you to create a logically isolated network in the AWS cloud, where you can define your network structure and control traffic flow.
  • AWS Security Groups: Function as virtual firewalls for your instances to control inbound and outbound traffic at the instance level.
  • AWS Network Access Control Lists (NACLs): Provide an additional layer of security by allowing you to set rules for the traffic in and out of your VPC subnets.
  • AWS PrivateLink: Enables private connectivity between VPCs and services, ensuring that traffic does not traverse the public internet.
  • AWS Transit Gateway: Simplifies the architecture between VPCs and on-premises networks, allowing for efficient routing between multiple networks.

Azure

  • Azure Virtual Network: Creates a private network in Azure where you can securely connect Azure resources to each other and to on-premises networks.
  • Azure Network Security Groups (NSGs): Allow you to control inbound and outbound traffic to Azure resources at the subnet or individual instance level.
  • Azure Firewall: A cloud-native network security service that protects resources from threats with built-in high availability and scalability.
  • Azure Private Link: Brings Azure services into your virtual network, ensuring that traffic is kept off the public internet.

Google Cloud Platform

  • Google VPC: Creates a private network within GCP where you can define IP ranges and control the routing of data.
  • Google Cloud Firewall: Provides the ability to control traffic to and from virtual machine instances in Google Cloud.
  • Google Cloud Private Service Connect: Allows you to create private connections to services across VPCs without using public IPs.

Question: How do you protect your network resources?
Pillar: Security (Code: SEC)