Information Security Best Practices: 205 Basic Rules


Section 5: INFOSEC Network Architecture Design Rules

5.1 Physical Network Separation

If you are installing a large network, you may have to create more than one network segment. In practice, an Ethernet network with a very large number of nodes must be split into separate physical networks, which are then connected through a router. A large, flat network space increases the risk of security problems, because every node can reach every other node. Therefore, traffic between the separate networks must be restricted to only those systems that need to access data on the other segment. This limited access reduces the number of users who could compromise each separate physical network.

The Best Practices in this section give guidelines for reducing security risks when dealing with a number of physically separate network segments.

INFOSEC Best Practice #4

Restrict access between separate physical networks via a filtering router.

A filtering router must be used to restrict access between network segments. Filtering routers, also called packet-screening routers, control the flow of IP packets between two or more network segments by applying a set of filtering rules to each packet that crosses the router, as shown in Figure 5-1. A packet is forwarded or dropped according to those rules.


Figure 5-1: Router-based Network Architecture

The network and INFOSEC administrators can set up filtering rules that specifically allow or deny IP packets destined for a particular resource, such as a TCP service port (e.g., SMTP mail on port 25, HTTP on port 80) or a specific IP address. Filtering routers therefore increase security because they restrict traffic between network segments. Access to...
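As an added example that is not part of the book's text, the following Python models the filtering-router behaviour described in this Best Practice: an ordered list of rules is compared against each IP packet crossing between two segments, permitting only SMTP to a mail server and HTTP to a web server and denying everything else into the server segment. The segment prefixes 10.1.0.0/16 and 10.2.0.0/16, the server addresses 10.2.0.25 and 10.2.0.80, and the sample packets are constructed for the example. It also includes an audit check for rules that an earlier rule shadows, because a misordered rule list can silently block or admit traffic.

```python
"""Model of a filtering (packet-screening) router: an ordered rule list
evaluated first-match against each IP packet crossing between segments.
Added example for illustration; not code from the book."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str                      # source IP address
    dst: str                      # destination IP address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port (TCP/UDP only)


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # CIDR prefix; "0.0.0.0/0" means any source
    dst: str                      # CIDR prefix; "0.0.0.0/0" means any destination
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first rule that matches the packet.
    A packet that matches no rule is dropped (implicit deny), the safe default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Return the indices of rules that can never match because an earlier rule
    already covers every packet they would match (a routine audit check on ACLs)."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (ip_network(earlier.src).supernet_of(ip_network(later.src))
                    and ip_network(earlier.dst).supernet_of(ip_network(later.dst))
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                shadowed.append(j)
                break
    return shadowed


# Constructed topology (hypothetical addresses, not from the book):
#   segment A, user workstations  10.1.0.0/16
#   segment B, servers            10.2.0.0/16, mail server 10.2.0.25, web server 10.2.0.80
RULES: List[Rule] = [
    Rule("permit", "10.1.0.0/16", "10.2.0.25/32", "tcp", 25),  # SMTP to the mail server only
    Rule("permit", "10.1.0.0/16", "10.2.0.80/32", "tcp", 80),  # HTTP to the web server only
    Rule("deny",   "0.0.0.0/0",   "10.2.0.0/16"),              # nothing else reaches segment B
]

# The same rules with the deny placed first: every packet bound for segment B hits
# it, so the two permits are unreachable. Rule order matters as much as rule content.
MISORDERED_RULES: List[Rule] = [RULES[2], RULES[0], RULES[1]]

# Constructed sample traffic from a workstation in segment A and from a third segment.
SAMPLE_PACKETS: List[Packet] = [
    Packet("10.1.4.7", "10.2.0.25", "tcp", 25),   # mail submission: permitted
    Packet("10.1.4.7", "10.2.0.80", "tcp", 80),   # web access: permitted
    Packet("10.1.4.7", "10.2.0.80", "tcp", 23),   # telnet to web server: denied
    Packet("10.1.4.7", "10.2.0.25", "tcp", 80),   # HTTP to mail server: denied
    Packet("10.3.0.9", "10.2.0.25", "tcp", 25),   # SMTP from another segment: denied
    Packet("10.1.4.7", "10.2.0.25", "icmp"),      # ping to mail server: denied
    Packet("10.1.4.7", "10.1.4.8", "tcp", 22),    # no rule matches: implicit deny
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.src:>10} -> {pkt.dst:<10} {pkt.proto}/{pkt.dport}: "
              f"{filter_packet(RULES, pkt)}")
    print("shadowed in RULES:", shadowed_rules(RULES))
    print("shadowed in MISORDERED_RULES:", shadowed_rules(MISORDERED_RULES))
```

The model is a stateless filter, which is what a packet-screening router of this kind does: it looks at each packet on its own, so replies from the servers back into segment A need rules of their own, and the router cannot tell a genuine reply from an unsolicited packet that merely uses the same addresses and ports. Adding an explicit final deny, as in RULES, also makes the intended default visible to whoever audits the configuration later.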