Secure network design
Secure network design protects sensitive data and the integrity of educational resources while keeping them accessible, using controls such as network segmentation, firewalls, and intrusion detection and prevention systems. With these controls in place, you're better equipped to defend school networks against evolving cyber threats and keep digital learning environments secure and resilient.
Network segmentation
Segmentation is a model in which you divide your network footprint into software-defined perimeters. You then set rules that govern the traffic to and from these perimeters, so that different parts of your network can have different security postures. When you place different applications (or parts of a given application) into separate perimeters, you control the communication between them. If part of your application stack is compromised, you can contain the impact of the breach and prevent it from spreading laterally through the rest of your network.
Benefits of network segmentation for schools include:
- Enhanced Security: Network segmentation limits the lateral movement of threats within the network, preventing attackers from reaching sensitive resources or compromising the entire network infrastructure.
- Containment of Security Breaches: If there's a security breach, segmented networks restrict the spread of malicious activity, minimizing the impact and scope of the incident.
- Granular Access Control: Segmentation allows tailored security policies and access controls to be applied to different network segments, ensuring that only authorized users and devices can access specific resources.
- Improved Performance: Segmentation can improve network performance and reliability by keeping local traffic within its own segment, especially in large-scale environments such as educational institutions.
When you operate on Azure, you have a wide and diverse set of segmentation options to help protect your environment. The following table describes each option.
Segmentation option | Description |
---|---|
Subscription | Subscriptions are a high-level construct that provides platform-powered separation between entities. They're intended to carve out boundaries between large organizations within a company. Communication between resources in different subscriptions needs to be explicitly provisioned. |
Virtual network | Virtual networks are created within a subscription in private address spaces. The networks provide network-level containment of resources, with no traffic allowed by default between any two virtual networks. Like subscriptions, any communication between virtual networks needs to be explicitly provisioned. |
Network security groups (NSG) | NSGs are access control mechanisms for controlling traffic between resources within a virtual network as a layer 4 firewall. An NSG also controls traffic with external networks, such as the internet, other virtual networks, and so on. NSGs can take your segmentation strategy to a granular level by creating perimeters for a subnet, group of VMs, or even a single virtual machine. |
Application security group (ASG) | ASGs provide control mechanisms similar to NSGs but are referenced with an application context. An ASG allows you to group a set of VMs under an application tag. It can define traffic rules that are then applied to each of the underlying VMs. |
Azure Firewall | Azure Firewall is a cloud native stateful Firewall as a service. This firewall can be deployed in your virtual networks or in Azure Virtual WAN hub deployments for filtering traffic that flows between cloud resources, the Internet, and on-premises. You create rules or policies (using Azure Firewall or Azure Firewall Manager) specifying allow/deny traffic using layer 3 to layer 7 controls. You can also filter traffic that goes to the internet using both Azure Firewall and third parties. Direct some or all traffic through third-party security providers for advanced filtering and user protection. |
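The following script is an added example, not part of the original article, showing how the virtual network, NSG, and ASG options in the table combine into a three-tier segmentation: one virtual network, one subnet per tier, a single NSG whose rules are written against application security groups rather than IP addresses, and an explicit deny that blocks everything else inside the virtual network. The resource group, region, names, address ranges, and ports are assumptions made for this example. It uses the Az.Network PowerShell module and expects an authenticated session (Connect-AzAccount).

```powershell
# Added example, not from the original article: three-tier segmentation in one
# virtual network using subnets, one NSG and application security groups (ASGs).
# Names, address ranges and ports below are assumptions made for this example.
# Requires the Az.Network module and an authenticated session (Connect-AzAccount).
$rg  = 'rg-school-net'
$loc = 'westeurope'
New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# ASGs give the rules an application context instead of hard-coded IP addresses
$webAsg  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'asg-web'
$appAsg  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'asg-app'
$dataAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'asg-data'

$rules = @(
  # Only the web tier is reachable from the Internet, and only on 443
  New-AzNetworkSecurityRuleConfig -Name 'allow-internet-to-web-443' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationApplicationSecurityGroupId $webAsg.Id -DestinationPortRange 443
  # The web tier may talk to the app tier on its API port only
  New-AzNetworkSecurityRuleConfig -Name 'allow-web-to-app-8080' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceApplicationSecurityGroupId $webAsg.Id -SourcePortRange * `
    -DestinationApplicationSecurityGroupId $appAsg.Id -DestinationPortRange 8080
  # The app tier may talk to the data tier on SQL only
  New-AzNetworkSecurityRuleConfig -Name 'allow-app-to-data-1433' -Priority 120 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceApplicationSecurityGroupId $appAsg.Id -SourcePortRange * `
    -DestinationApplicationSecurityGroupId $dataAsg.Id -DestinationPortRange 1433
  # Override the built-in AllowVnetInBound rule (priority 65000). Without this
  # deny, every VM in the VNet can reach every other VM and the tiers are not
  # actually segmented. Lower priority numbers are evaluated first, so the
  # three allow rules above still match before this deny.
  New-AzNetworkSecurityRuleConfig -Name 'deny-vnet-lateral' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol * `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange *
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'nsg-tiers' -SecurityRules $rules

# One subnet per tier, all guarded by the same NSG. Which allow rules apply to a
# given VM is decided by the ASG its network interface is placed in.
$subnets = @(
  New-AzVirtualNetworkSubnetConfig -Name 'snet-web'  -AddressPrefix '10.10.1.0/24' -NetworkSecurityGroup $nsg
  New-AzVirtualNetworkSubnetConfig -Name 'snet-app'  -AddressPrefix '10.10.2.0/24' -NetworkSecurityGroup $nsg
  New-AzVirtualNetworkSubnetConfig -Name 'snet-data' -AddressPrefix '10.10.3.0/24' -NetworkSecurityGroup $nsg
)
New-AzVirtualNetwork -ResourceGroupName $rg -Location $loc -Name 'vnet-school' `
  -AddressPrefix '10.10.0.0/16' -Subnet $subnets | Out-Null

# Review the effective rule order before attaching any network interfaces
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-tiers' |
  Select-Object -ExpandProperty SecurityRules |
  Sort-Object Priority |
  Format-Table Name, Priority, Direction, Access, Protocol, DestinationPortRange -AutoSize
```

Two caveats a practitioner should keep in mind. First, a VM joins a tier when its network interface is created with the matching ASG (the `-ApplicationSecurityGroup` parameter of New-AzNetworkInterface); a NIC in none of the ASGs matches only the deny rule. Second, the VirtualNetwork service tag also covers peered virtual networks and on-premises ranges reached through a gateway, so any management path you rely on (Azure Bastion, a jump host, monitoring agents) needs its own allow rule with a priority number lower than the deny, or it will be cut off along with the lateral traffic you intended to block.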
Firewalls
Nearly every router, Windows PC, and Mac ships with a firewall: a security system that filters the traffic entering and leaving the device or network. Most organizations add further firewalls on employees' computers and on their internal networks. These additional layers are frequently used to protect proprietary information and to keep the organization safe from ransomware and hacking.
A firewall can block outsiders from breaking into your computer or network and gaining access to private data. It can also help keep viruses and malware off your computer: when its policies allow only the traffic you expect, attempts to deliver malware or to call out from an infected device are blocked, and those blocked or suspicious attempts can be reviewed as signs of an intrusion.
Windows Firewall
Windows Firewall is a security feature that helps to protect your device by filtering network traffic that enters and exits your device based on several criteria, including source and destination IP address, IP protocol, or source and destination port number. Windows Firewall can be configured to block or allow network traffic based on the services and applications that are installed on devices. This allows you to restrict network traffic to only those applications and services that are explicitly allowed to communicate on the network.
Windows Firewall offers several benefits to address your organization's network security challenges:
- Reduced risk of network security threats: By reducing the attack surface of a device, Windows Firewall provides an additional layer of defense to the defense-in-depth model. This increases manageability and decreases the likelihood of a successful attack.
- Protection of sensitive data and intellectual property: Windows Firewall integrates with IPsec to provide an easy way to enforce authenticated, end-to-end network communications. This allows for scalable, tiered access to trusted network resources, helping to enforce data integrity and, if necessary, protect data confidentiality.
- Extended value of existing investments: Windows Firewall is a host-based firewall included with the operating system, so no additional hardware or software is required. It's also designed to complement existing non-Microsoft network security solutions through a documented API.
Firewall recommendations
Remember this list of recommendations when designing your firewall rules:
- Default settings: Maintain the default firewall settings whenever possible. The settings are designed to secure your device for use in most network scenarios. One key example is the default block behavior for inbound connections.
- Rule group enabling: Create your rules for your firewall profiles, but only enable the firewall rule group on the profiles that suit your scenarios. For example, if you're installing a sharing application that is only used on a private network, then it would be best to create firewall rules in all three profiles, but only enable the firewall rule group containing your rules on the private profile.
- Restriction configuration: Configure restrictions on your firewall rules depending on which profile the rules are applied to. For applications and services that are designed to only be accessed by devices within a home or small organizational network, it's best to modify the remote address restriction to specify Local Subnet only. The same application or service wouldn't have this restriction when used in a large-scale environment. This can be done by adding the remote address restriction to rules that are added to the private and public profiles, while leaving them unrestricted in the domain profile. This remote address restriction shouldn't apply to applications or services that require global Internet connectivity.
- Be specific: A general security recommended practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.
- Rule documentation: When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins.
- Monitor exceptions: To maintain maximum security, admins should only deploy firewall exceptions for apps and services determined to serve legitimate purposes.
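The following script is an added example, not part of the original article, that applies the recommendations above to a hypothetical LAN-only sharing application called ClassShare, assumed here to listen on TCP 5000-5010; the application, its ports, and the rule names are assumptions for this example. It is written for an elevated PowerShell session on Windows 10/11 or Windows Server using the built-in NetSecurity module cmdlets (New-NetFirewallRule, Get-NetFirewallProfile, and the filter cmdlets).

```powershell
# Added example, not from the original article. "ClassShare" and its port range
# are assumptions made for this example. Run in an elevated PowerShell session.
$group = 'ClassShare'
$ports = '5000-5010'        # one consecutive range, not ten separate port rules
$note  = "ClassShare LAN sharing, TCP $ports. Created $(Get-Date -Format yyyy-MM-dd) by the network team; review yearly."

# Default settings: keep the default inbound block on every profile. Restore it
# on any profile that has drifted, then show the result.
Get-NetFirewallProfile | Where-Object DefaultInboundAction -ne 'Block' |
  Set-NetFirewallProfile -DefaultInboundAction Block
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction -AutoSize

# Restriction configuration and rule group enabling: one rule per profile, all in
# the same group, so the restriction can differ per profile. Private and Public
# are limited to the local subnet; Domain is not. Only the Private rule is
# enabled, because the app is only used on a home or small office network.
$perProfile = @(
  @{ Profile = 'Private'; RemoteAddress = 'LocalSubnet'; Enabled = 'True'  }
  @{ Profile = 'Public';  RemoteAddress = 'LocalSubnet'; Enabled = 'False' }
  @{ Profile = 'Domain';  RemoteAddress = 'Any';         Enabled = 'False' }
)
foreach ($p in $perProfile) {
  New-NetFirewallRule -DisplayName "ClassShare inbound ($($p.Profile))" -Group $group `
    -Direction Inbound -Protocol TCP -LocalPort $ports -Action Allow `
    -Profile $p.Profile -RemoteAddress $p.RemoteAddress -Enabled $p.Enabled `
    -Description $note | Out-Null
}

# Later, to allow the same app on managed school devices, enable just the Domain
# member of the group instead of enabling the whole group on every profile:
# Get-NetFirewallRule -Group $group | Where-Object Profile -eq 'Domain' | Enable-NetFirewallRule

# Monitor exceptions: list every enabled inbound allow rule together with what it
# opens, so undocumented or overly broad exceptions stand out during review.
function Get-InboundException {
  Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
      Rule        = $_.DisplayName
      Group       = $_.Group
      Profile     = $_.Profile
      Protocol    = $port.Protocol
      LocalPort   = ($port.LocalPort -join ',')
      RemoteAddr  = ($addr.RemoteAddress -join ',')
      Program     = $app.Program
      Description = $_.Description
    }
  }
}

# Exceptions open to any remote address and carrying no description are the
# first ones to question in a review.
Get-InboundException |
  Where-Object { $_.RemoteAddr -eq 'Any' -and -not $_.Description } |
  Sort-Object Rule |
  Format-Table Rule, Group, Profile, Protocol, LocalPort, RemoteAddr -AutoSize
```

Creating three separate rules rather than one rule spanning all three profiles is what makes the per-profile remote-address restriction possible; a single rule can only carry one RemoteAddress value. The review function at the end is the routine check behind the last recommendation: run it on a schedule and compare the output against the rules you have documented.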
Intrusion detection and prevention systems (IDPS)
A network intrusion detection and prevention system (IDPS) allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it.
Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.
Several benefits arise from this type of IDPS:
- Minimal false positives: Because a signature matches a precise pattern, the likelihood of false positive alerts is low, which helps you focus your efforts on genuine threats.
- Rapid detection: Signature-based IDPS excels at swiftly recognizing established attack patterns, so known threats are identified in real time.
- Comprehensive analysis: The system analyzes a wide range of attack vectors, pinpointing specific patterns of malicious behavior. The trade-off is that a signature-based system recognizes only the patterns it has signatures for, so keep the signature set current and treat IDPS as one layer alongside segmentation and firewall rules rather than a replacement for them.
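The following script is an added example, not part of the original article, showing how IDPS is turned on for an Azure Firewall Premium policy and how a practitioner introduces it safely: first in Alert mode, so every signature hit is logged but nothing is blocked, then in Deny mode once the alerts have been reviewed. The resource group, region, policy name, and private ranges are assumptions for this example; the cmdlet names are those of the Az.Network module as used for Firewall Premium policies and should be checked against the module version you have installed.

```powershell
# Added example, not from the original article. Resource names and address
# ranges are assumptions; verify the Az.Network cmdlet names against your
# installed module version before relying on this in production.
$rg  = 'rg-school-net'
$loc = 'westeurope'

# Tell IDPS which ranges are "inside" so that inbound and outbound traffic is
# classified correctly. Use the ranges of your own virtual networks and sites.
$privateRanges = @('10.10.0.0/16', '192.168.0.0/16')

# Step 1: start in Alert mode. Signature matches are logged but not blocked,
# so legitimate school traffic that trips a noisy signature is not broken.
$alertOnly = New-AzFirewallPolicyIntrusionDetection -Mode Alert -PrivateRange $privateRanges
$policy = New-AzFirewallPolicy -ResourceGroupName $rg -Location $loc -Name 'afwp-school-premium' `
  -SkuTier Premium -IntrusionDetection $alertOnly

# Review the alerts for a period that covers normal usage (term time, exam
# periods, backup windows) before moving on.

# Step 2: after tuning, switch the same policy to Deny so matches are blocked.
$policy = Get-AzFirewallPolicy -ResourceGroupName $rg -Name 'afwp-school-premium'
$policy.IntrusionDetection = New-AzFirewallPolicyIntrusionDetection -Mode Deny -PrivateRange $privateRanges
Set-AzFirewallPolicy -InputObject $policy

# Confirm the mode that is now in effect
(Get-AzFirewallPolicy -ResourceGroupName $rg -Name 'afwp-school-premium').IntrusionDetection.Mode
```

One caveat: IDPS inspects only the traffic that actually passes through the firewall. Subnets that are segmented with NSGs alone do not send their traffic through Azure Firewall, so a route table that forwards the segments' traffic to the firewall is part of the design, not an afterthought.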
Next steps
Review your school's network design strategies. Then answer these questions:
- How are you ensuring network segmentation? Are there additional options you should consider?
- Review the firewall rule recommendations. Which areas may need improvements?
- How might an IDPS support your school network?