Why SMBs Need Modern Switches with Strong Security

By Andrea Mauro, Contributor

The network is a critical factor in any security plan, because cyberattacks commonly arrive from the network and attacks also use the network to propagate the damage. Network security is a huge priority for large companies, but it’s equally important for small and midsize businesses (SMBs).

Network security consists of a set of policies, practices, rules and methods used to protect the integrity, confidentiality and accessibility of a computer network and the resources reachable through it.

SMBs can use different approaches and solutions to enforce network security:

  • Network firewalls and proxies are commonly used to protect the network perimeter and focus on preventing remote attacks.
  • Network segmentation is commonly used to isolate different internal networks and minimize attacks between segments.
  • Endpoint security with antivirus, personal firewall, update management and other solutions to increase the security of each device.
  • Authentication for the company employees at a minimum, which is usually implemented with solutions like Microsoft Active Directory.

Of course, there are many other security solutions, such as micro-segmentation, honeypots and honeynets, host- and network-based intrusion detection systems, and strong authentication. But for most organizations without dedicated IT staff, most of these solutions are too costly and too complex.

But SMBs can easily improve network security simply by using modern networking products.

The network and server infrastructure should be armed with the latest innovations to prevent, guard and protect against security attacks. Limiting security to firewalls and antivirus is no longer enough for any size of organization.

Network (Micro-)Segmentation
There are still SMBs with a single flat internal network, protected only by a perimeter firewall. This is no longer reasonable.

Most switches support VLANs (IEEE 802.1Q), logical networks that allow some kind of network segmentation to minimize (or at least control) the internal attack surface.

VLANs are not the only way to implement network segmentation. There are many products and solutions that can implement micro-segmentation (even on a flat network), but at this point the cost and complexity of those solutions are out of reach for SMBs.

Private VLANs (PVLANs) are also supported on some switches, and they are very useful for implementing a “simple” version of micro-segmentation. For example, Aruba switches support PVLANs.

When it comes to virtual networks, VMware vSphere supports PVLAN only on Distributed Virtual Switches. That means having at least the Enterprise Plus license, which is not exactly affordable for SMBs. Note that Microsoft Hyper-V includes PVLAN support in all editions.
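To make the “simple micro-segmentation” that a PVLAN provides concrete, here is an added example (not from the original post) that models the reachability of a plain 802.1Q VLAN against a PVLAN using the usual port roles: promiscuous (gateway or firewall), community (hosts that may talk to each other) and isolated (hosts that may only reach the promiscuous port). The office, host names and port assignments are constructed for illustration.

```python
"""Reachability model: plain IEEE 802.1Q VLAN versus a private VLAN (PVLAN).

Added example, not from the original post. Port roles follow the common
PVLAN semantics (promiscuous / community / isolated); the hosts below are
a constructed sample, not a real network.
"""
from dataclasses import dataclass
from itertools import permutations

PROMISCUOUS, COMMUNITY, ISOLATED = "promiscuous", "community", "isolated"


@dataclass(frozen=True)
class Port:
    name: str
    role: str
    community: str = ""   # only meaningful for COMMUNITY ports


def pvlan_allows(src: Port, dst: Port) -> bool:
    """Can a frame from src reach dst inside one primary PVLAN?"""
    if src.role == PROMISCUOUS or dst.role == PROMISCUOUS:
        return True        # promiscuous ports (gateway/firewall) reach every host
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        return src.community == dst.community   # same community only
    return False           # isolated ports never reach another host directly


def flat_vlan_allows(src: Port, dst: Port) -> bool:
    """A plain VLAN: every member port reaches every other member port."""
    return True


def host_to_host_pairs(ports, allows):
    """Ordered (src, dst) host pairs the policy permits, excluding the gateway.
    This set is the internal attack surface the segmentation is meant to shrink."""
    return {(a.name, b.name) for a, b in permutations(ports, 2)
            if a.role != PROMISCUOUS and b.role != PROMISCUOUS and allows(a, b)}


# Constructed sample: one access switch with a firewall uplink and five hosts.
OFFICE = [
    Port("fw-gateway", PROMISCUOUS),
    Port("acct-pc1", COMMUNITY, "accounting"),
    Port("acct-pc2", COMMUNITY, "accounting"),
    Port("printer", ISOLATED),
    Port("guest-laptop", ISOLATED),
    Port("hr-pc", COMMUNITY, "hr"),
]

if __name__ == "__main__":
    print("flat VLAN host-to-host paths:", len(host_to_host_pairs(OFFICE, flat_vlan_allows)))
    print("PVLAN host-to-host paths:    ", sorted(host_to_host_pairs(OFFICE, pvlan_allows)))
```

Every host still reaches the promiscuous gateway, so routing and perimeter filtering keep working while the host-to-host paths drop from 20 to the two accounting workstations talking to each other.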

Having different logical segments on the physical network is just the first step. It’s like having more dedicated highways: now you have to manage the traffic and the proper routing.

How do you manage the routing between logical segments? How do you manage the network security between those segments?

Using the same core switches to also manage the Layer 3 routing could be a really easy solution, but it’s not necessarily the best from the security point of view. That’s because most core switches do not provide packet filtering or packet inspection functions.

One solution could be using the same perimeter firewall to also manage the different internal logical networks, but this approach can limit performance and scalability. Most SMB firewall appliances also don’t have enough throughput to handle internal traffic, or they may have a limited number of internal interfaces.

Another solution could be using network function virtualization (NFV) solutions, like a virtual firewall (for example pfSense) or a proxy.

For Wi-Fi networks there are different considerations and solutions, but the network segmentation approach using different VLANs (for example, for guest wireless networks) is still valid and is commonly implemented in SMBs too.

Network Authentication
User (and computer) authentication is usually provided by a Microsoft Active Directory domain, and it is common in SMBs too. But what about network authentication, such as Layer 2 access control?

For Wi-Fi networks, this is something common and normally it’s implemented with WPA2-Enterprise (IEEE 802.11i). Modern access points no longer require a centralized controller, which really helps to keep the network implementation simple and affordable. Aruba’s portfolio of 802.11ax (Wi-Fi 6) and 802.11ac (Wi-Fi 5) access points addresses today’s most challenging Wi-Fi use cases, with flexible controller (Instant) deployment.

But for wired networks, SMBs do not normally use specific Layer 2 network access control (NAC) solutions. And it’s a pity, because most switches support Layer 2 network authentication based on the IEEE 802.1X standard. And, of course, common endpoints based on Windows, Linux or macOS also support that standard.

Unfortunately, you also need infrastructure (basically an authentication server that supports the RADIUS protocol), but you can implement it with Windows Server using the NPS (Network Policy Server) feature. It’s probably still too complicated for an SMB, but it can really increase the network security. There are also specific products to simplify a NAC implementation (like Aruba ClearPass), but in most cases they are focused on enterprises and not on SMBs.

Network Confidentiality
For Wi-Fi networks, all communications are encrypted by default, and cipher suites have evolved to keep this encryption secure.

But for wired networks, switches don’t provide any secure channel (due to the nature of Ethernet), and it’s up to the application (or session) layer to provide better secure communications.

Application protocols have progressively been replaced by encrypted versions of the same protocols (for example, HTTPS instead of HTTP), and of course clients and servers have been changed to support them.

Also, network protocols originally designed for internal communication have been improved to offer a secure channel, like the SMB or RDP protocols in Windows systems.

Providing an end-to-end secure channel is becoming the standard and can really increase the overall network security.

Network Visibility

For SMBs, providing network analytics in a simple and cost-effective way can be one of the most difficult aspects.

There are several free tools that can provide aggregated values, like network traffic volumes. But these tools become difficult to use when you want to search or analyze, or if you need a proactive way to check your network traffic and find network security issues.

From this point of view, SaaS cloud products may be a better solution for SMBs. You simply rent the service without having to buy complex infrastructure that you then need to run.

Also, machine learning and artificial intelligence are used in these tools to provide more valuable information or to allow automated analysis.

The Big Picture
Network security is a complex area that requires a set of different solutions with good integration and compatibility. Standards can help, but there are not enough standards to address the different security aspects.

For this reason, different vendors build their “packaged solutions.”

For example, the Aruba 360 Secure Fabric is an enterprise security framework that gives security and IT teams an integrated way to gain visibility, control and advanced threat defense.

Of course, these solutions are mainly designed for enterprises, but several technologies that originated in enterprise use cases are also suitable for SMBs.

Learn More

Get an overview of HPE networking security solutions.

Learn more about the Aruba switch family.

Learn more about Aruba access points.

Blog: Stacking Network Switches: Why and Why Not
