There is an easy mechanism for enterprises to not only save on their bandwidth charges but also improve their overall information security.

To achieve this, the enterprise requires an ASN number for their range of IP addresses that can be obtained from AfriNIC. This will allow the enterprise to obtain IP transit on a settlement free basis at a neutral peering point. These are typically located at co-location data centres and in South Africa there are two main Internet Exchange Points namely NAP Africa (operated by Teraco) and INX (operated by ISPA and hosted at Internet Solutions).

The method to leverage the Internet Exchange Point is to install a perimeter security appliance, such as a firewall, in a cabinet at the co-location facility and prevent any traffic flows from hackers or denial-of-service type transmission from following on the backhaul between the data centre and the enterprise head office. This reduces the traffic congestion and bandwidth on the link as the firewall at the co-location facility drops the unwanted traffic. If required, a secondary perimeter security device can be installed at the head office of the enterprise. To provide business continuity. this can be triangulated using the designated disaster recovery site of the enterprise.

Incoming traffic for the business can be staged and terminated at the co-location site using a reverse proxy that is located in a Demilitarized Zone (DMZ). This service then connects to the enterprise systems that provide customer facing services over the Internet. Since traffic congestion is not an issue for the enterprise at the co-location site an additional security measure can be introduced to add another DMZ zone that acts as a honeypot. A honeypot is a host that receives all unknown traffic directed at the enterprise and instead of dropping the packets, the firewall redirects the traffic to the host on the designated honeypot DMZ zone. Honeypots do not necessarily need to be expensive high end devices and a solution can be built using pfsense and Suricata (which are open source packages).

In the major metropolitan areas of Johannesburg, Cape Town and Durban it is possible to obtain fibre service from the likes of Dark Fibre Africa, Telkom and Neotel that facilitate the provision of carrier Ethernet type services. Carrier Ethernet service are inherently more secure than legacy Virtual Private Network (VPN) services provisioned on MPLS because it is not possible to inspect or interrupt the traffic flows.

As cloud adoption accelerates within the enterprise it makes sense that the perimeter security devices at the co-location facilities will form the backbone of enterprise cloud connectivity. To prevent complex and impossible troubleshooting methodologies having to be implemented, it is suggested that the enterprise never has traffic flows transverse more than two firewall hops. To achieve this goal, traffic flows need to transverse an Information Security backbone. Creating a long string of perimeter security devices connected in serial is no recommended as the points of failure for business service is disproportionately high.

When the above design is implemented a final consideration is to make certain that a high degree of visibility is achieved by monitoring of the link utilization and application level metrics at a suitable Network Operations Centre (NOC). This is typically achieved using suitable netflow/IPFIX tools that display a useful dashboard on the video wall of the NOC. Such tools are available from numerous vendors and even open source derivatives are available.

Should you require assistance in implementing the above recommended connectivity or building a three level NOC, please contact Dee Smith and Associates @info@deesmith.co.za or +27( 0) 11 575 3359.