Firewalls, VPNs, security policies, security awareness were some of the topics that were covered in previous posts. We also discussed the layered security or defense in depth approach. We will now see how see these different topics come together to form network perimeter security design for a fictitious eCommerce site. Perimeter security is securing the network (servers, workstations, databases to name a few) with different concepts. The network must be designed securely to withstand any type of attack.

Before designing an effective security plan for the network, there are three questions that have to be answered:

  1. What is it that we are trying to protect?

We will have to determine what are the workstations, servers, databases and other devices that have to be protected.

  1. What are the threats?

Next, we determine what are the different type of threats. Internet facing systems are always under the possibility of an attack. Other threats can also be from former employees who have access to vital resources.

  1. And finally the business requirements of the organization.

Last but not least, the security design must meet the business goals of an organization. An eCommerce site with more online transactions will need a more robust security design than a site which just needs an online presence.

Now we will move onto designing the security plan for the fictitious eCommerce site. These are a few details on which we will base our security design:

  1. Customer data of the eCommerce site along with crucial and vital information such as birthdates, social security numbers, credit card numbers needs to be protected.

  2. The site has to be always online 24 hours a day, 7 days a week.

  3. Employee workstations have to be protected as well

  4. Employees might need to access the business resources from an offsite location too

  5. None of the design elements can be outsourced

  6. And the security budget is limited keeping in mind the size of the organization

For the above case, we could design the perimeter security the following way:

  1. There will be two separate network services – public network and the internal network. The public network will hold public services such as web servers, email servers. These servers have to be public because the customers must place their Internet orders and send email notifications. The Internal network will hold workstations and servers that are shielded from public access.

  1. A border router is placed before the organization’s traffic tries to reach the Internet. This router acts as the “cop” and is the first in the line of defense against malicious elements. Inbound packets that have illegal addresses will be blocked in this line of defense. Outbound packets that do not have a valid IP address will also be blocked. Valid outbound packets are blocked so that the servers are not used in any type of attack.

  1. Next in line of defense will be the “firewall”. As we have already seen “firewalls” are the “chokepoints” of the network. It has a set of rules that will determine what goes through it and what cannot. The firewall rules will be configured to protect customer information. Thus, a firewall acts as a type of access control regulating traffic.

  1. IDS or Intrusion Detection systems are placed so that they listen for malicious activities and raise an alarm.

  1. VPN access will be given to the employees to access the corporate data using the existing public infrastructure such as the Internet, LAN or WAN. It can be recollected that the information is encrypted on the sender’s end and decrypted on the receiver’s end.

  1. The employee workstations can be placed on the internal network and can access the Internet only through a proxy firewall. This ensures that they are protected as well.

  1. Apart from these security controls, patch management will also be applied to patch vulnerabilities in applications.

All these security controls when applied will secure the eCommerce environment. This is one way of designing a security plan for the fictitious eCommerce website. However it is important to remember that the security design will be different for different types of organizations and their business goals.

Happy learning! We wish you good luck in your CISSP certification journey!

Bibliography

Stephen Northcutt, L. Z. Inside Network Perimeter Security.

Our Cyber Security Certifications Duration And Fees

Cyber Security Certifications typically range from a few weeks to several months, with fees varying based on program and institution.

Program NameDurationFees
Post Graduate Program in Cyber Security

Cohort Starts: 16 Apr, 2024

6 Months$ 3,000
Caltech Cybersecurity Bootcamp

Cohort Starts: 15 Jul, 2024

6 Months$ 8,000
Cyber Security Expert6 Months$ 2,999

Get Free Certifications with free video courses

  • Introduction to Cyber Security

    Cyber Security

    Introduction to Cyber Security

    3 hours4.6255.5K learners
  • Introduction to CISSP Security Assessment & Testing and Security Operations

    Cyber Security

    Introduction to CISSP Security Assessment & Testing and Security Operations

    4 hours4.610.5K learners
prevNext

Learn from Industry Experts with free Masterclasses

  • CISSP Demo Session

    Cyber Security

    CISSP Demo Session

    29th Aug, Monday9:00 AM CDT
  • CISSP Demo Session

    Cyber Security

    CISSP Demo Session

    15th Aug, Monday9:00 AM CDT
  • Expert Webinar: Ask Our Cyber Security Expert

    Cyber Security

    Expert Webinar: Ask Our Cyber Security Expert

    28th Jul, Thursday10:00 AM CDT
prevNext