Whatever the size of your company business, the best security measure to deploy to block threat actors from gaining access to your servers, workstations, and data is to implement a hardware firewall. A hardware firewall will make sure your digital assets are well secured, but how should your firewall be set up for optimal network security? If you follow network segmentation best practices and implement firewall security zones you can improve security and keep your internal network isolated and secured from web-based attacks.
Most companies have a well-defined network structure that incorporates a secure internal network zone and an external untrusted network zone, often with intermediate security zones. Security zones are sets of servers and systems that have similar security requirements and includes a Layer3 network subnet to which several hosts link up to.
The firewall provides protection by managing traffic to and from those hosts and security zones, whether at the IP, port, or application level.
Network Segmentation Best Practices
There is no single configuration that will be ideal for all companies and all networks, since each business will have its own requirements and required functionalities. However, there are some network segmentation best practices that should be implemented.
Possible Firewall Security Zone Segmentation
In the above depiction we have used firewall security zone segmentation to keep servers separated. In our example we have used a a sole firewall and two DMZ (demilitarized) zones and an internal zone. A DMZ zone is an isolated Layer3 subnet.
The servers in these DMZ zones may have to be Internet facing in order to function. For instance, web servers and email servers need to be Internet facing. Because they face the internet, these servers are the most susceptible to attack so should be separated from servers that do not require direct Internet access. By keeping these servers in separate zones, you can minimize the damage if one of your Internet facing servers is infiltrated.
In the diagram above, the permitted direction of traffic is shown with the red arrows. As you can see, bidirectional traffic is allowed between the internal zone and DMZ2 which includes the application/database servers, but only one-way traffic is permitted to take place between the internal zone and DMZ1, which is used for the proxy, email, and web servers. The proxy, email, and web servers have been located in a separate DMZ to the application and database servers for the highest possible protection.
Traffic from the Internet is permitted by the firewall to DMZ1. The firewall should only permit traffic through certain ports (80,443, 25 etc.). All other TCP/UDP ports should be closed. Traffic from the Internet to the servers in DMZ2 is not allowed, at least not directly.
A web server may to link up with a database server, and while it may seem a good idea to have both of these virtual servers operating on the same machine, from a security perspective this should be avoided. Ideally, both should be separated and located in different DMZs. The same applies to front end web servers and web application servers which should similarly be located in different DMZs. Traffic between DMZ1 and DMZ2 will no doubt be required, but it should only be permitted on certain ports. DMZ2 can connect to the internal zone for certain special cases such as backups or authentication through active directory.
The internal zone is made up of of workstations and internal servers, internal databases that do not have to be web facing, active directory servers, and internal applications. It is recommended that Internet access for users on the internal network to be directed through an HTTP proxy server located in DMZ 1.
Remember that the internal zone is isolated from the Internet. Direct traffic from the internet to the internal zone should not be allowed.
The above set up puts in place provides important security for your internal networks. In the event that a server in DMZ1 is impacted, your internal network will remain protected since traffic between the internal zone and DMZ1 is only allowed in one direction.
By complying with network segmentation best practices and using the above firewall security zone segmentation you can get the best out of network security. For more security, we also recommend using a cloud-based web filtering solution such as WebTitan which filters the Internet and stops end users from accessing websites known to host malware or those that break acceptable usage policies.