Best practices for segmentation of the corporate network of any company

Overview

Anurag's GitHub stats

Best-practice-for-network-segmentation

What is this?

This project was created to publish the best practices for segmentation of the corporate network of any company. In general, the schemes in this project are suitable for any company.

Where can I find diagrams?

Graphic diagrams are available in the Release page
The schema sources are located in the repository

Schematic symbols

Elements used in network diagrams:
Schematic symbols
Crossing the border of the rectangle means crossing the firewall.

Level 1 of network segmentation: basic segmentation

Level 1

Advantages

Basic segmentation to protect against basic targeted attacks that make it difficult for an attacker to advance on the network. Basic isolation of the productive environment from the corporate one.

Disadvantages

The default corporate network should be considered potentially compromised. Potentially compromised workstations of ordinary workers, as well as workstations of administrators, have basic and administrative access to the production network.

In this regard, the compromise of any workstation can theoretically lead to the exploitation of the following attack vector. An attacker compromises a workstation in the corporate network. Further, the attacker either elevates privileges in the corporate network or immediately attacks the production network with the rights that the attacker had previously obtained.

Attack vector protection:

Installation the maximum number of information protection tools, real time monitoring suspicious events and immediate response.
OR!
Segmentation according to level 2 requirements

Level 2 of network segmentation: adoption of basic security practices

Level 2

Advantages

More network segments in the corporate network.
Full duplication of the main supporting infrastructure for production network such as:

  1. mail relays;
  2. time servers;
  3. other services, if available.

Safer software development. Recommended implementing DevSecOps at least Level 1 of the DSOMM, what requires the introduction of a separate storage of secrets for passwords, tokens, cryptographic keys, logins, etc., additional servers for SAST, DAST, fuzzing, SCA and another DevSecOps tools. In case of problems in the supporting infrastructure in the corporate segment, this will not affect the production environment. It is a little harder for an attacker to compromise a production environment.
Or you can implement at least Level 2 of the SLSA.

Disadvantages

As a result, this leads to the following problems:

  1. increasing the cost of ownership and the cost of final services to customers;
  2. high complexity of maintenance.

If u like it?

Please subscribe - this is free support for the project image

Level 3 of network segmentation: high adoption of security practices

The company's management (CEO) understands the role of cybersecurity in the life of the company. Information security risk becomes one of the company's operational risks. Depending on the size of the company, the minimum size of an information security unit is 15-20 employees. Level 3

Advantages

Implementing security services such us:

  1. security operation center (SIEM, IRP, SOAR, SGRC);
  2. data leak prevention;
  3. phishing protection;
  4. sandbox;
  5. intrusion prevention system;
  6. vulnerability scanner;
  7. endpoint protection;
  8. web application firewall;
  9. backup server.

Disadvantages

High costs of information security tools and information security specialists

Level 4 of network segmentation: advanced deployment of security practices at scale

Each production and corporate services has its own networks: Tier I, Tier II, Tier III.

The production environment is accessed from isolated computers. Each isolated computer does not have:

  1. incoming accesses from anywhere except from remote corporate laptops via VPN;
  2. outgoing access to the corporate network:
    • no access to the mail service - the threat of spear phishing is not possible;
    • there is no access to internal sites and services - it is impossible to download a trojan from a compromised corporate networks.

🔥 Only one way to compromise an isolated computer is to compromise the production environment. As a result, a successful compromise of a computer, even by phishing, will prevent a hacker from gaining access to a production environment.

Implement other possible security services, such as:

  1. privileged access management;
  2. internal phishing training server;
  3. compliance server (configuration assessment).

Level 4

Advantages

Implementing security services such us:

  1. privileged access management;
  2. internal phishing training server;
  3. compliance server (configuration assessment);
  4. strong protection of your production environment from spear phishing.

🔥 Now the attacker will not be able to attack the production network, because now a potentially compromised workstation in the corporate network basically does not have network access to the production. Related problems:

  1. separate workstations for access to the production network - yes, now you will have 2 computers on your desktop.
  2. other LDAP catalog or Domain controller for production network;
  3. firewall analyzer, network equipment analyzer;
  4. netflow analyzer.

Disadvantages

Now you will have 2 computers on your desktop if you need access to production network. It hurts 😀

Support the project

Please subscribe - this is free support for the project

Have an idea for improvement?

You might also like...
Intel® Nervana™ reference deep learning framework committed to best performance on all hardware

DISCONTINUATION OF PROJECT. This project will no longer be maintained by Intel. Intel will not provide or guarantee development of or support for this

Let Python optimize the best stop loss and take profits for your TradingView strategy.

TradingView Machine Learning TradeView is a free and open source Trading View bot written in Python. It is designed to support all major exchanges. It

Using deep actor-critic model to learn best strategies in pair trading

Deep-Reinforcement-Learning-in-Stock-Trading Using deep actor-critic model to learn best strategies in pair trading Abstract Partially observed Markov

Code for
Code for "Learning the Best Pooling Strategy for Visual Semantic Embedding", CVPR 2021

Learning the Best Pooling Strategy for Visual Semantic Embedding Official PyTorch implementation of the paper Learning the Best Pooling Strategy for V

PyTorch implementation of the Value Iteration Networks (VIN) (NIPS '16 best paper)
PyTorch implementation of the Value Iteration Networks (VIN) (NIPS '16 best paper)

Value Iteration Networks in PyTorch Tamar, A., Wu, Y., Thomas, G., Levine, S., and Abbeel, P. Value Iteration Networks. Neural Information Processing

Pytorch implementation of Value Iteration Networks (NIPS 2016 best paper)
Pytorch implementation of Value Iteration Networks (NIPS 2016 best paper)

VIN: Value Iteration Networks A quick thank you A few others have released amazing related work which helped inspire and improve my own implementation

A best practice for tensorflow project template architecture.
A best practice for tensorflow project template architecture.

A best practice for tensorflow project template architecture.

Top #1 Submission code for the first https://alphamev.ai MEV competition with best AUC (0.9893) and MSE (0.0982).

alphamev-winning-submission Top #1 Submission code for the first alphamev MEV competition with best AUC (0.9893) and MSE (0.0982). The code won't run

Created as part of CS50 AI's coursework. This AI makes use of knowledge entailment to calculate the best probabilities to win Minesweeper.
Created as part of CS50 AI's coursework. This AI makes use of knowledge entailment to calculate the best probabilities to win Minesweeper.

Minesweeper-AI Created as part of CS50 AI's coursework. This AI makes use of knowledge entailment to calculate the best probabilities to win Minesweep

Comments
  • WSUS Server Terminology

    WSUS Server Terminology

    WSUS no longer uses the master/slave terminology. Instead use upstream & downstream servers.

    https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment

    bug 
    opened by LinealJoe 2
  • Add Social preview

    Add Social preview

    Add Social preview Upload an image to customize your repository’s social media preview.

    Images should be at least 640×320px (1280×640px for best display). Download template

    enhancement 
    opened by sergiomarotco 1
  • [ImgBot] Optimize images

    [ImgBot] Optimize images

    Beep boop. Your images are optimized!

    Your image file size has been reduced by 9% 🎉

    Details

    | File | Before | After | Percent reduction | |:--|:--|:--|:--| | /Other/Powtoon_GIF.gif | 561.10kb | 507.21kb | 9.61% | | /Schematic symbols/Schematic symbols.jpg | 63.88kb | 61.17kb | 4.24% | | | | | | | Total : | 624.98kb | 568.38kb | 9.06% |


    📝 docs | :octocat: repo | 🙋🏾 issues | 🏪 marketplace

    ~Imgbot - Part of Optimole family

    opened by imgbot[bot] 0
  • Level 4 with one computer (Privileged Access Workstation)

    Level 4 with one computer (Privileged Access Workstation)

    Level four can be achieved with only one physical computer on your desktop. One can use virtual machines and call it a Privileged Access Workstation: https://techcommunity.microsoft.com/t5/data-center-security/privileged-access-workstation-paw/ba-p/372274

    It hurts a little less than two physical computers. ;)

    good first issue 
    opened by C0FFEEC0FFEE 7
Releases(4.1.3)
Owner
Security evangelist
TensorFlow Implementation of "Show, Attend and Tell"

Show, Attend and Tell Update (December 2, 2016) TensorFlow implementation of Show, Attend and Tell: Neural Image Caption Generation with Visual Attent

Yunjey Choi 902 Nov 29, 2022
Wind Speed Prediction using LSTMs in PyTorch

Implementation of Deep-Forecast using PyTorch Deep Forecast: Deep Learning-based Spatio-Temporal Forecasting Adapted from original implementation Setu

Onur Kaplan 151 Dec 14, 2022
Cascading Feature Extraction for Fast Point Cloud Registration (BMVC 2021)

Cascading Feature Extraction for Fast Point Cloud Registration This repository contains the source code for the paper [Arxive link comming soon]. Meth

7 May 26, 2022
Machine learning evaluation metrics, implemented in Python, R, Haskell, and MATLAB / Octave

Note: the current releases of this toolbox are a beta release, to test working with Haskell's, Python's, and R's code repositories. Metrics provides i

Ben Hamner 1.6k Dec 26, 2022
Source code for EquiDock: Independent SE(3)-Equivariant Models for End-to-End Rigid Protein Docking (ICLR 2022)

Source code for EquiDock: Independent SE(3)-Equivariant Models for End-to-End Rigid Protein Docking (ICLR 2022) Please cite "Independent SE(3)-Equivar

Octavian Ganea 154 Jan 02, 2023
Official pytorch implementation of the paper: "SinGAN: Learning a Generative Model from a Single Natural Image"

SinGAN Project | Arxiv | CVF | Supplementary materials | Talk (ICCV`19) Official pytorch implementation of the paper: "SinGAN: Learning a Generative M

Tamar Rott Shaham 3.2k Dec 25, 2022
[CVPR 2022 Oral] Versatile Multi-Modal Pre-Training for Human-Centric Perception

Versatile Multi-Modal Pre-Training for Human-Centric Perception Fangzhou Hong1  Liang Pan1  Zhongang Cai1,2,3  Ziwei Liu1* 1S-Lab, Nanyang Technologic

Fangzhou Hong 96 Jan 03, 2023
Pytorch re-implementation of Paper: SwinTextSpotter: Scene Text Spotting via Better Synergy between Text Detection and Text Recognition (CVPR 2022)

SwinTextSpotter This is the pytorch implementation of Paper: SwinTextSpotter: Scene Text Spotting via Better Synergy between Text Detection and Text R

mxin262 183 Jan 03, 2023
A Shading-Guided Generative Implicit Model for Shape-Accurate 3D-Aware Image Synthesis

A Shading-Guided Generative Implicit Model for Shape-Accurate 3D-Aware Image Synthesis Project Page | Paper A Shading-Guided Generative Implicit Model

Xingang Pan 115 Dec 18, 2022
Autonomous Perception: 3D Object Detection with Complex-YOLO

Autonomous Perception: 3D Object Detection with Complex-YOLO LiDAR object detect

Thomas Dunlap 2 Feb 18, 2022
[内测中]前向式Python环境快捷封装工具,快速将Python打包为EXE并添加CUDA、NoAVX等支持。

QPT - Quick packaging tool 快捷封装工具 GitHub主页 | Gitee主页 QPT是一款可以“模拟”开发环境的多功能封装工具,最短只需一行命令即可将普通的Python脚本打包成EXE可执行程序,并选择性添加CUDA和NoAVX的支持,尽可能兼容更多的用户环境。 感觉还可

QPT Family 545 Dec 28, 2022
ICNet for Real-Time Semantic Segmentation on High-Resolution Images, ECCV2018

ICNet for Real-Time Semantic Segmentation on High-Resolution Images by Hengshuang Zhao, Xiaojuan Qi, Xiaoyong Shen, Jianping Shi, Jiaya Jia, details a

Hengshuang Zhao 594 Dec 31, 2022
FaceOcc: A Diverse, High-quality Face Occlusion Dataset for Human Face Extraction

FaceExtraction FaceOcc: A Diverse, High-quality Face Occlusion Dataset for Human Face Extraction Occlusions often occur in face images in the wild, tr

16 Dec 14, 2022
PyTorch Implementation of Temporal Output Discrepancy for Active Learning, ICCV 2021

Temporal Output Discrepancy for Active Learning PyTorch implementation of Semi-Supervised Active Learning with Temporal Output Discrepancy, ICCV 2021.

Siyu Huang 33 Dec 06, 2022
CLOOB: Modern Hopfield Networks with InfoLOOB Outperform CLIP

CLOOB: Modern Hopfield Networks with InfoLOOB Outperform CLIP Andreas Fürst* 1, Elisabeth Rumetshofer* 1, Viet Tran1, Hubert Ramsauer1, Fei Tang3, Joh

Institute for Machine Learning, Johannes Kepler University Linz 133 Jan 04, 2023
A Real-ESRGAN equipped Colab notebook for CLIP Guided Diffusion

#360Diffusion automatically upscales your CLIP Guided Diffusion outputs using Real-ESRGAN. Latest Update: Alpha 1.61 [Main Branch] - 01/11/22 Layout a

78 Nov 02, 2022
Exploring Versatile Prior for Human Motion via Motion Frequency Guidance (3DV2021)

Exploring Versatile Prior for Human Motion via Motion Frequency Guidance This is the codebase for video-based human motion reconstruction in human-mot

Jiachen Xu 5 Jul 14, 2022
source code for 'Finding Valid Adjustments under Non-ignorability with Minimal DAG Knowledge' by A. Shah, K. Shanmugam, K. Ahuja

Source code for "Finding Valid Adjustments under Non-ignorability with Minimal DAG Knowledge" Reference: Abhin Shah, Karthikeyan Shanmugam, Kartik Ahu

Abhin Shah 1 Jun 03, 2022
Towards Flexible Blind JPEG Artifacts Removal (FBCNN, ICCV 2021)

Towards Flexible Blind JPEG Artifacts Removal (FBCNN, ICCV 2021) Jiaxi Jiang, Kai Zhang, Radu Timofte Computer Vision Lab, ETH Zurich, Switzerland 🔥

Jiaxi Jiang 282 Jan 02, 2023
Differential Privacy for Heterogeneous Federated Learning : Utility & Privacy tradeoffs

Differential Privacy for Heterogeneous Federated Learning : Utility & Privacy tradeoffs In this work, we propose an algorithm DP-SCAFFOLD(-warm), whic

19 Nov 10, 2022