Network Based Policy Enforcement

Visibility into the real-time active connections on your network, the ability to compare them against historical metrics, and the ability to apply security policy to those flows are critical steps towards providing a truly secure network transport layer.

In order to best understand this topic, we must first introduce the concept of networking zones. A networking zone is a segment of your network that has identifiable demarcation points and contains known expected applications, users, devices and communications. Some examples of network zones include: 

  • Email-DMZ Zone
  • Marketing Zone
  • Guest Network Zone
  • Printers and Fax Zone
  • IPTelephony Zone
  • Internet Zone

Once we have identified and defined our organization's zones, we can begin to collect normal network flow data within each zone (via network counters or NetFlow). This data provides the metrics and watermarks used to alert on potentially anomalous network access, and it also provides the information required to configure our Zone-to-Zone access policies.

If configured correctly, you can create a very secure network by placing access control policies on the Zone borders that both enforce your written security policy and limit your exposure to the risks associated with unexpected protocols entering and exiting each zone. Additionally, you can monitor inter-zone and intra-zone traffic for unexpected increases and decreases in the volume of expected flows per protocol, which gives you an early detection mechanism for potential malicious activity as well as network and application outages.
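To illustrate the two ideas above (a zone-to-zone policy at the borders, plus per-protocol volume watermarks derived from baseline flow data), here is an added example that is not part of the original page. The zone ranges, policy entries, watermarks and NetFlow-style records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed zone definitions: zone name -> address range (hypothetical values).
ZONES = {
    "Marketing": ipaddress.ip_network("10.10.0.0/24"),
    "Email-DMZ": ipaddress.ip_network("192.0.2.0/24"),
    "Printers": ipaddress.ip_network("10.20.0.0/24"),
}

# Zone-to-Zone policy: (src_zone, dst_zone) -> allowed (proto, port) pairs.
POLICY = {
    ("Marketing", "Email-DMZ"): {("tcp", 443), ("tcp", 25)},
    ("Marketing", "Printers"): {("tcp", 9100)},
}

# Watermarks learned from historical flow data (constructed):
# (src_zone, dst_zone, proto, port) -> (low, high) bytes per collection interval.
BASELINE = {
    ("Marketing", "Email-DMZ", "tcp", 443): (50_000, 500_000),
    ("Marketing", "Printers", "tcp", 9100): (1_000, 100_000),
}

# Constructed NetFlow-style records: (src_ip, dst_ip, proto, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.10.0.5", "192.0.2.10", "tcp", 443, 120_000),
    ("10.10.0.7", "192.0.2.10", "tcp", 443, 90_000),
    ("10.10.0.9", "10.20.0.3", "tcp", 9100, 400),    # far below the print-traffic low watermark
    ("10.10.0.5", "10.20.0.3", "tcp", 22, 3_000),    # protocol not permitted into the Printers zone
    ("10.10.0.5", "10.10.0.6", "tcp", 445, 20_000),  # intra-zone: counted, not policed here
]

def zone_of(ip):
    """Map an address to its zone; anything outside defined zones is 'Internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "Internet"

def analyze(flows):
    """Return (policy_violations, volume_anomalies) for one collection interval."""
    violations, volume = [], defaultdict(int)
    for src, dst, proto, port, nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        volume[(sz, dz, proto, port)] += nbytes
        # Inter-zone flows must match an explicit allow entry at the zone border.
        if sz != dz and (proto, port) not in POLICY.get((sz, dz), set()):
            violations.append((src, dst, proto, port))
    # Compare observed per-protocol volume against the learned watermarks.
    anomalies = [(key, volume.get(key, 0)) for key, (low, high) in BASELINE.items()
                 if not low <= volume.get(key, 0) <= high]
    return violations, anomalies
```

Running `analyze(SAMPLE_FLOWS)` reports the SSH flow into the Printers zone as a policy violation and the print traffic as a volume anomaly, the latter being the kind of drop that can signal an outage rather than an attack.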

There are several mechanisms that can be used to apply policy-based enforcement controls to zone-to-zone traffic, including:

  • Firewalls
  • Access Control Lists
  • IDS/IPS
  • VLANs
  • VRFs

All of the above mechanisms are excellent tools that are capable of controlling flows, providing statistics, and potentially triggering downstream alerts when combined with a proven differentiated access identity scheme such as what can be accomplished with Network Admission Control, 802.1X, TrustSec, and authenticated wireless/VPN. Once you identify who is connected and place them in the correct zone, it is easy to leverage these control points to ensure that only approved access is granted and that it is monitored in real time.

More Information:

For more information on Network-Based Policy Enforcement Products, Solutions and Priveon Implementation Services, please contact us.