I need your opinions about securing a LAN.

Started by hack3rcon, February 17, 2021, 11:05:52 PM


hack3rcon

Hello,
I need security experts' advice about designing a secure local network, and I'm thankful if anyone shares his/her ideas.
Consider a local network with 1000 clients. This LAN is connected to the Internet, uses a gateway to share the internet with the clients, and has the components below:
1- Some servers (DNS, DHCP, File Server, Active Directory, Fax Server) that are Virtualized.
2- NAS Storage.
3- MSSQL Server.
4- VOIP Server (MITEL).
5- Web Server (Apache and IIS).
This network uses a VLAN for each floor, and my questions are:
1- Which security architecture is good for protecting this LAN from outside threats? I googled it and found some architectures, but I'm not a security expert and I don't know which is good. I'm thankful if anyone shares a diagram.
2- For protecting internal servers, which tools must be considered? For example, IDS/IPS, honeypot, log server, SIEM, etc.
3- Which application is good for monitoring operating system vulnerabilities?

Please share your ideas.

Thank you.

icecream-guy

sounds like you have the VLANs worked out:
1- Some servers (DNS, DHCP, File Server, Active Directory, Fax Server) that are Virtualized.
2- NAS Storage.
3- MSSQL Server.
4- VOIP Server (MITEL).
5- Web Server (Apache and IIS).

You shouldn't have different types of devices on the same networks. Depending on the architecture, you may need to have some/all of these VLANs on each floor, or consolidate to spread VLANs across floors.

They should all be connected to the firewall(s) for security.

A1. Security comes in layers, like an onion, to protect your high-value assets behind multiple security layers.
A2. IDS/IPS, scanning, logging, SIEM, standard configurations, least access allowed (i.e. zero trust), HIPS/HIDS.
A3. Not monitoring, scanning, i.e. Tenable or RedSeal.


My Moral Fibers have been cut.

Otanx

What kind of budget do you have, and what kind of gear do you have on hand already? Ristau gave you a good answer. I would build it very similarly. Firewall the clients from all the servers, and then firewall servers from each other based on the value of the data stored and communication requirements. For example, the MSSQL server probably does not need to talk to the Fax server.

For tools, there are a ton of them out there. The key point to remember is that someone has to pay attention to and maintain the tools. It doesn't help to have a honeypot if nobody ever looks to see what is going on with it. A SIEM can help with this by aggregating the data from multiple tools, but it isn't a silver bullet.

For vulnerability stuff, like Ristau said: Tenable or RedSeal. I know Tenable is used by almost everyone. It isn't perfect, but it works. However, again, you can't just set it up and forget it. You need to patch and fix what it finds. That typically means setting up patching tools like SCCM.

-Otanx

deanwebb

Hello I work for a security vendor. :smug:

Every security layer needs to be well-maintained to be of value, and every IT tower needs to be involved and aware of the security tools and how to coordinate with them. If I had a dollar for every time an Active Directory team made a change that crippled one or more security tools, I'd have a sizable bonus.

Your emails are a primary source of malware and phishing links. Your end users clicking on stuff are going to be a primary inroad for Evil. On top of that firewall, you're going to need a proxy server.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

KDog

Yep, copy what the others have written above. I'm going to add my own thoughts which you can apply/disregard as you see fit.

1. Use VLANs to separate by logical function; don't use VLANs because of physical floors. Unless your floors are divided into personnel functions, i.e. floor 1 is storeroom staff, floor 2 accounting, floor 3 legal, etc.
2. Have a VLAN for servers, a VLAN for desktops, a VLAN for storage, a VLAN for authentication servers, a VLAN for printers/scanners, a VLAN for management, etc.
3. Are your web servers internal only, i.e. intranet, or will they be exposed to the public internet? If exposed, then they should be in a DMZ and the sites should be pentested for security. The operating system should be hardened using CIS guides: root accounts disabled, restricted SSH, etc.
4. IDS/IPS are sometimes useful; the other tools such as SIEM/syslog are there so you can analyze an event after it has occurred. Honeypots are only useful if an adversary falls for it and you regularly check it. A solid network design with least privilege and restricted access is the best help.
5. Use a good email spam filter in front of your mail (whether Gmail or O365); Mimecast and Proofpoint are both good, but there are many others.
6. Heavily consider using an application whitelisting solution to protect all of your servers and desktops. If malware isn't allowed to run, it can't do any damage. It is far superior to any antivirus. Airlock Digital and ThreatLocker are two very good solutions.
7. A good vulnerability scanner or SIEM is a must. I can recommend Tenable as a good scanning solution to monitor your patching. You should also have a good automated patching solution in place; the scanner is then there to confirm it is working as intended.
8. Delete old software that just isn't needed and represents a security risk, i.e. you most likely don't require Flash, Java, etc.
9. Robust security policies and change control management.

There is an absolute mountain of basic stuff you (and everyone else) should be doing, but there is no way to cover it all in a single forum.
Never argue with an idiot.
They will bring you down to their level and beat you with experience.
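As an added example (not code from any poster in this thread), here is a small Python check that models the segmentation Otanx and KDog describe: VLANs by function, a default-deny allow-list between them, and a review of flow records that flags anything the policy would not permit, such as the MSSQL server talking to the fax server. All VLAN names, address ranges, ports and flow records are constructed for illustration.

```python
"""Default-deny inter-VLAN policy check over constructed flow records."""
from ipaddress import ip_address, ip_network

# Constructed VLAN plan: segmented by function, not by floor.
VLANS = {
    "desktops": ip_network("10.10.0.0/22"),
    "servers":  ip_network("10.20.0.0/24"),   # file, DHCP, app servers
    "auth":     ip_network("10.21.0.0/24"),   # Active Directory / DNS
    "storage":  ip_network("10.22.0.0/24"),   # NAS, MSSQL
    "printers": ip_network("10.23.0.0/24"),   # printers, scanners, fax server
    "mgmt":     ip_network("10.99.0.0/24"),   # admin jump hosts
    "dmz":      ip_network("192.0.2.0/24"),   # public-facing web servers
}

# Allow-list of (src_vlan, dst_vlan, proto, dst_port); anything else is denied.
ALLOW = {
    ("desktops", "auth",     "udp", 53),
    ("desktops", "servers",  "tcp", 445),
    ("desktops", "printers", "tcp", 9100),
    ("servers",  "auth",     "udp", 53),
    ("servers",  "storage",  "tcp", 1433),
    ("mgmt",     "servers",  "tcp", 22),
    ("dmz",      "storage",  "tcp", 1433),
}

def vlan_of(ip):
    """Name of the VLAN containing ip, or None if outside the plan."""
    addr = ip_address(ip)
    return next((n for n, net in VLANS.items() if addr in net), None)

def is_allowed(src, dst, proto, dport):
    s, d = vlan_of(src), vlan_of(dst)
    if s is None or d is None:
        return False            # unknown address space: deny
    if s == d:
        return True             # intra-VLAN traffic is not filtered here
    return (s, d, proto, dport) in ALLOW

def audit(flows):
    """Return (src_vlan, dst_vlan, flow) for every flow the policy denies."""
    return [(vlan_of(f[0]), vlan_of(f[1]), f) for f in flows if not is_allowed(*f)]

# Constructed flow records: (src_ip, dst_ip, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.10.1.20", "10.21.0.5",  "udp", 53),    # desktop -> DNS: allowed
    ("10.20.0.10", "10.22.0.7",  "tcp", 1433),  # app server -> MSSQL: allowed
    ("10.22.0.7",  "10.23.0.4",  "tcp", 445),   # MSSQL -> fax server: denied
    ("10.10.1.20", "10.99.0.2",  "tcp", 22),    # desktop -> management: denied
    ("192.0.2.10", "10.20.0.10", "tcp", 3389),  # DMZ -> internal RDP: denied
]

if __name__ == "__main__":
    for s, d, flow in audit(SAMPLE_FLOWS):
        print(f"DENY {s} -> {d}: {flow}")
```

The same allow-list can be rendered into real firewall rules; the point is that every inter-VLAN path is an explicit, reviewable entry rather than an implicit "any".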

deanwebb

Also, stop using telnet. :smug:
Also, stop using ftp. :smug:
Also, stop using http. :smug:


There, fixed that for you.