REFERENCE ARCHITECTURE

The diagram shows an MPLS/SD-WAN connected enterprise network. Its labels and control annotations, grouped by zone:

Perimeter and gateway
- MPLS/SD-WAN connected networks.
- WAF (web application firewall).
- Gateway Firewall: Layer 7 firewall configured for least permissive access. All traffic logged. User-based access control to IT resources.
- Sandbox: sandboxing and/or advanced AI/machine learning should be used to analyze unknown files.
- IDS/IPS: inspect all inbound/outbound traffic for anomalous or known malicious activity.
- DLP Sensor: inspect all outbound traffic for DLP violations.
- Web Proxy: web proxy to control outbound web traffic.
- DNS.

Remote workstations and mobile devices
- MFA required for access to externally facing company resources and VPN.
- Network traffic for managed systems off the network is monitored/restricted.
- Only mobile devices managed by MDM are allowed to access resources externally.

Guest subnet and IoT subnet
- Network should be physically separate with a separate Internet connection or, at a minimum, segmented by a firewall from the internal network.

Client subnet (workstations)
- Separate subnets for each individual business unit, department or common-access IT resource access requirement.
- All switches should have port security enabled, with NAC device posture checking and MFA required for network access.
- Advanced malware/exploit protection, EDR and DLP software installed on all workstations.
- Logs sent to SIEM.

Internal wireless subnet
- MFA authentication required. Computer or company-issued certificate and user credential required for access.

Internal web, app, DB and infrastructure subnets
- Micro-segmentation between tiers.
- A least-privileged security model should be enforced on all assets deemed business critical and/or assets that process information deemed sensitive or confidential in nature. This is typically done through virtualization and/or containerization.
- System, network and application activities should be logged for all business-critical assets or assets that handle sensitive/confidential information.
- Internal infrastructure subnet (AD/DNS, Email): DNS, DHCP, system and security logs sent to SIEM. All AD authentication logs, DNS logs and policy change logs sent to SIEM. All inbound email scanned for threats; all outbound email inspected for DLP violations. All logs sent to SIEM.

DMZ web, app and DB subnets
- System and security logs sent to SIEM.

Security management subnet (access limited to authorized security personnel)
- SIEM: deployed to centralize storage of all security logs for analysis.
- Vulnerability Mgmt.: all hosts routinely scanned for vulnerabilities, with a process in place to remediate identified vulnerabilities.
- PAM (Privileged Account Management): deployed to manage/monitor privileged access to resources.
- EDR Mgmt.: advanced threat detection / EDR software installed on all systems. Logs configured to go to SIEM.
- TIP (Threat Intelligence Platform): external threat intelligence sources should be used to enrich data and identify potentially known malicious traffic patterns.
- Next-Gen AV Server: next-gen antivirus server to detect/prevent malware, exploit attempts and malicious scripts from running on endpoints.
- Asset Management Database: comprehensive list of all company IT assets with primary user and team responsible for administrative management recorded. CMDB with all changes to critical assets logged in accordance with the change management process.
- MDM (Mobile Device Management): server to manage/validate security configurations of supported mobile devices.

Throughout the network
- Virtual sensors deployed throughout the network for deception and security tool validation.
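The tiered segmentation and least-permissive gateway policy described above, as an added example that is not part of the original diagram: a small Python policy check that classifies constructed flow records by segment, allows only adjacent-tier flows and log forwarding into the security management subnet, and denies everything else. The CIDRs, ports and the exact allow list are assumptions chosen to match the diagram's zones.

```python
"""Default-deny inter-segment policy check for the tiered design in the diagram."""
import ipaddress

# Constructed sample addressing for the diagram's segments (not from the page).
SEGMENTS = {
    "dmz_web": "10.1.1.0/24", "dmz_app": "10.1.2.0/24", "dmz_db": "10.1.3.0/24",
    "internal_web": "10.2.1.0/24", "internal_app": "10.2.2.0/24",
    "internal_db": "10.2.3.0/24", "internal_infra": "10.2.9.0/24",
    "client": "10.10.0.0/16", "wireless": "10.11.0.0/16",
    "guest": "172.16.0.0/16", "iot": "172.17.0.0/16", "sec_mgmt": "10.99.0.0/24",
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in SEGMENTS.items()}

# Least-permissive allow list: (source segment, destination segment, dst port).
# Only adjacent tiers talk (web -> app -> db); a tier may not skip to the next.
ALLOW = {
    ("dmz_web", "dmz_app", 8443), ("dmz_app", "dmz_db", 5432),
    ("client", "internal_web", 443), ("wireless", "internal_web", 443),
    ("internal_web", "internal_app", 8443), ("internal_app", "internal_db", 5432),
    ("client", "internal_infra", 53), ("client", "internal_infra", 88),
    ("wireless", "internal_infra", 53), ("wireless", "internal_infra", 88),
}
ISOLATED = {"guest", "iot"}  # guest and IoT may never initiate into the internal network
SIEM_PORT = 514              # every managed segment forwards its logs to the SIEM

def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in NETS.items() if addr in net), "unknown")

def evaluate(src_ip: str, dst_ip: str, dport: int) -> dict:
    """Decide one flow with default deny and return a SIEM-style event record."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src in ISOLATED or src == "unknown":
        action = "deny"
    elif (src, dst, dport) in ALLOW:
        action = "allow"
    elif dst == "sec_mgmt" and dport == SIEM_PORT:
        action = "allow"   # log forwarding is the only path into the management subnet
    else:
        action = "deny"    # anything not explicitly allowed, including tier skipping
    return {"src": src, "dst": dst, "dport": dport, "action": action}

def audit(flows):
    """Evaluate (src_ip, dst_ip, dport) records; return all events and the denied subset."""
    events = [evaluate(*f) for f in flows]
    return events, [e for e in events if e["action"] == "deny"]
```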

Upload: nguyenque

Post on 09-Apr-2018
