Best practices for segmentation of the corporate network of any company

Related tags

Deep Learningnetwork-securitysegmentation-networknetwork-isolationnetwork-segmentnetwork-segmenationfirewallingsegmetation-benchmarksvlaningvlan-best-practicefirewall-segmentation
Overview

Anurag's GitHub stats

Best-practice-for-network-segmentation

What is this?

This project was created to publish the best practices for segmentation of the corporate network of any company. In general, the schemes in this project are suitable for any company.

Where can I find diagrams?

Graphic diagrams are available in the Release page
The schema sources are located in the repository

Schematic symbols

Elements used in network diagrams:
Schematic symbols
Crossing the border of the rectangle means crossing the firewall.

Level 1 of network segmentation: basic segmentation

Level 1

Advantages

Basic segmentation to protect against basic targeted attacks that make it difficult for an attacker to advance on the network. Basic isolation of the productive environment from the corporate one.

Disadvantages

The default corporate network should be considered potentially compromised. Potentially compromised workstations of ordinary workers, as well as workstations of administrators, have basic and administrative access to the production network.

In this regard, the compromise of any workstation can theoretically lead to the exploitation of the following attack vector. An attacker compromises a workstation in the corporate network. Further, the attacker either elevates privileges in the corporate network or immediately attacks the production network with the rights that the attacker had previously obtained.

Attack vector protection:

Installation the maximum number of information protection tools, real time monitoring suspicious events and immediate response.
OR!
Segmentation according to level 2 requirements

Level 2 of network segmentation: adoption of basic security practices

Level 2

Advantages

More network segments in the corporate network.
Full duplication of the main supporting infrastructure for production network such as:

  1. mail relays;
  2. time servers;
  3. other services, if available.

Safer software development. Recommended implementing DevSecOps at least Level 1 of the DSOMM, what requires the introduction of a separate storage of secrets for passwords, tokens, cryptographic keys, logins, etc., additional servers for SAST, DAST, fuzzing, SCA and another DevSecOps tools. In case of problems in the supporting infrastructure in the corporate segment, this will not affect the production environment. It is a little harder for an attacker to compromise a production environment.
Or you can implement at least Level 2 of the SLSA.

Disadvantages

As a result, this leads to the following problems:

  1. increasing the cost of ownership and the cost of final services to customers;
  2. high complexity of maintenance.

If u like it?

Please subscribe - this is free support for the project image

Level 3 of network segmentation: high adoption of security practices

The company's management (CEO) understands the role of cybersecurity in the life of the company. Information security risk becomes one of the company's operational risks. Depending on the size of the company, the minimum size of an information security unit is 15-20 employees. Level 3

Advantages

Implementing security services such us:

  1. security operation center (SIEM, IRP, SOAR, SGRC);
  2. data leak prevention;
  3. phishing protection;
  4. sandbox;
  5. intrusion prevention system;
  6. vulnerability scanner;
  7. endpoint protection;
  8. web application firewall;
  9. backup server.

Disadvantages

High costs of information security tools and information security specialists

Level 4 of network segmentation: advanced deployment of security practices at scale

Each production and corporate services has its own networks: Tier I, Tier II, Tier III.

The production environment is accessed from isolated computers. Each isolated computer does not have:

  1. incoming accesses from anywhere except from remote corporate laptops via VPN;
  2. outgoing access to the corporate network:
    • no access to the mail service - the threat of spear phishing is not possible;
    • there is no access to internal sites and services - it is impossible to download a trojan from a compromised corporate networks.

🔥 Only one way to compromise an isolated computer is to compromise the production environment. As a result, a successful compromise of a computer, even by phishing, will prevent a hacker from gaining access to a production environment.

Implement other possible security services, such as:

  1. privileged access management;
  2. internal phishing training server;
  3. compliance server (configuration assessment).

Level 4

Advantages

Implementing security services such us:

  1. privileged access management;
  2. internal phishing training server;
  3. compliance server (configuration assessment);
  4. strong protection of your production environment from spear phishing.

🔥 Now the attacker will not be able to attack the production network, because now a potentially compromised workstation in the corporate network basically does not have network access to the production. Related problems:

  1. separate workstations for access to the production network - yes, now you will have 2 computers on your desktop.
  2. other LDAP catalog or Domain controller for production network;
  3. firewall analyzer, network equipment analyzer;
  4. netflow analyzer.

Disadvantages

Now you will have 2 computers on your desktop if you need access to production network. It hurts 😀

Support the project

Please subscribe - this is free support for the project

Have an idea for improvement?

You might also like...
Intel® Nervana™ reference deep learning framework committed to best performance on all hardware

DISCONTINUATION OF PROJECT. This project will no longer be maintained by Intel. Intel will not provide or guarantee development of or support for this

Nervana 3.9k Feb 9, 2021
Let Python optimize the best stop loss and take profits for your TradingView strategy.

TradingView Machine Learning TradeView is a free and open source Trading View bot written in Python. It is designed to support all major exchanges. It

Robert Roman 473 Jan 9, 2023
Using deep actor-critic model to learn best strategies in pair trading

Deep-Reinforcement-Learning-in-Stock-Trading Using deep actor-critic model to learn best strategies in pair trading Abstract Partially observed Markov

null 281 Dec 9, 2022
Code for
Code for "Learning the Best Pooling Strategy for Visual Semantic Embedding", CVPR 2021

Learning the Best Pooling Strategy for Visual Semantic Embedding Official PyTorch implementation of the paper Learning the Best Pooling Strategy for V

Jiacheng Chen 106 Jan 6, 2023
PyTorch implementation of the Value Iteration Networks (VIN) (NIPS '16 best paper)
PyTorch implementation of the Value Iteration Networks (VIN) (NIPS '16 best paper)

Value Iteration Networks in PyTorch Tamar, A., Wu, Y., Thomas, G., Levine, S., and Abbeel, P. Value Iteration Networks. Neural Information Processing

LEI TAI 75 Nov 24, 2022
Pytorch implementation of Value Iteration Networks (NIPS 2016 best paper)
Pytorch implementation of Value Iteration Networks (NIPS 2016 best paper)

VIN: Value Iteration Networks A quick thank you A few others have released amazing related work which helped inspire and improve my own implementation

Kent Sommer 297 Dec 26, 2022
A best practice for tensorflow project template architecture.
A best practice for tensorflow project template architecture.

A best practice for tensorflow project template architecture.

Mahmoud Gamal Salem 3.6k Dec 22, 2022
Top #1 Submission code for the first https://alphamev.ai MEV competition with best AUC (0.9893) and MSE (0.0982).

alphamev-winning-submission Top #1 Submission code for the first alphamev MEV competition with best AUC (0.9893) and MSE (0.0982). The code won't run

null 70 Oct 29, 2022
Created as part of CS50 AI's coursework. This AI makes use of knowledge entailment to calculate the best probabilities to win Minesweeper.
Created as part of CS50 AI's coursework. This AI makes use of knowledge entailment to calculate the best probabilities to win Minesweeper.

Minesweeper-AI Created as part of CS50 AI's coursework. This AI makes use of knowledge entailment to calculate the best probabilities to win Minesweep

Beckham 0 Jul 20, 2022
Comments
  • WSUS Server Terminology

    WSUS Server Terminology

    WSUS no longer uses the master/slave terminology. Instead use upstream & downstream servers.

    https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment

    bug 
    opened by LinealJoe 2
  • Add Social preview

    Add Social preview

    Add Social preview Upload an image to customize your repository’s social media preview.

    Images should be at least 640×320px (1280×640px for best display). Download template

    enhancement 
    opened by sergiomarotco 1
  • [ImgBot] Optimize images

    [ImgBot] Optimize images

    Beep boop. Your images are optimized!

    Your image file size has been reduced by 9% 🎉

    Details

    | File | Before | After | Percent reduction | |:--|:--|:--|:--| | /Other/Powtoon_GIF.gif | 561.10kb | 507.21kb | 9.61% | | /Schematic symbols/Schematic symbols.jpg | 63.88kb | 61.17kb | 4.24% | | | | | | | Total : | 624.98kb | 568.38kb | 9.06% |

    📝 docs | :octocat: repo | 🙋🏾 issues | 🏪 marketplace

    ~Imgbot - Part of Optimole family

    opened by imgbot[bot] 0
  • Level 4 with one computer (Privileged Access Workstation)

    Level 4 with one computer (Privileged Access Workstation)

    Level four can be achieved with only one physical computer on your desktop. One can use virtual machines and call it a Privileged Access Workstation: https://techcommunity.microsoft.com/t5/data-center-security/privileged-access-workstation-paw/ba-p/372274

    It hurts a little less than two physical computers. ;)

    good first issue 
    opened by C0FFEEC0FFEE 7
Releases(4.1.3)
Owner
Security evangelist
GitHub Repository
PyTorch Implementation of SSTNs for hyperspectral image classifications from the IEEE T-GRS paper "Spectral-Spatial Transformer Network for Hyperspectral Image Classification: A FAS Framework."

PyTorch Implementation of SSTN for Hyperspectral Image Classification Paper links: SSTN published on IEEE T-GRS. Also, you can directly find the imple

Zilong Zhong 54 Dec 19, 2022
Fast, Attemptable Route Planner for Navigation in Known and Unknown Environments

FAR Planner uses a dynamically updated visibility graph for fast replanning. The planner models the environment with polygons and builds a global visi

Fan Yang 346 Dec 30, 2022
Official Pytorch Implementation of Unsupervised Image Denoising with Frequency Domain Knowledge

Unsupervised Image Denoising with Frequency Domain Knowledge (BMVC 2021 Oral) : Official Project Page This repository provides the official PyTorch im

Donggon Jang 12 Sep 26, 2022
🛠 All-in-one web-based IDE specialized for machine learning and data science.

All-in-one web-based development environment for machine learning Getting Started • Features & Screenshots • Support • Report a Bug • FAQ • Known Issu

Machine Learning Tooling 2.9k Jan 09, 2023
Official PyTorch implementation of the paper "Graph-based Generative Face Anonymisation with Pose Preservation" in ICIAP 2021

Contents AnonyGAN Installation Dataset Preparation Generating Images Using Pretrained Model Train and Test New Models Evaluation Acknowledgments Citat

Nicola Dall'Asen 10 May 24, 2022
Robot Hacking Manual (RHM). From robotics to cybersecurity. Papers, notes and writeups from a journey into robot cybersecurity.

RHM: Robot Hacking Manual Download in PDF RHM v0.4 ┃ Read online The Robot Hacking Manual (RHM) is an introductory series about cybersecurity for robo

Víctor Mayoral Vilches 233 Dec 30, 2022
The official implementation of CVPR 2021 Paper: Improving Weakly Supervised Visual Grounding by Contrastive Knowledge Distillation.

Improving Weakly Supervised Visual Grounding by Contrastive Knowledge Distillation This repository is the official implementation of CVPR 2021 paper:

9 Nov 14, 2022
MonoScene: Monocular 3D Semantic Scene Completion

MonoScene: Monocular 3D Semantic Scene Completion MonoScene: Monocular 3D Semantic Scene Completion] [arXiv + supp] | [Project page] Anh-Quan Cao, Rao

298 Jan 08, 2023
Simple converter for deploying Stable-Baselines3 model to TFLite and/or Coral

Running SB3 developed agents on TFLite or Coral Introduction I've been using Stable-Baselines3 to train agents against some custom Gyms, some of which

Gary Briggs 16 Oct 11, 2022
Codebase for ECCV18 "The Sound of Pixels"

Sound-of-Pixels Codebase for ECCV18 "The Sound of Pixels". *This repository is under construction, but the core parts are already there. Environment T

Hang Zhao 318 Dec 20, 2022
Rapid experimentation and scaling of deep learning models on molecular and crystal graphs.

LitMatter A template for rapid experimentation and scaling deep learning models on molecular and crystal graphs. How to use Clone this repository and

Nathan Frey 32 Dec 06, 2022
Code and models for "Rethinking Deep Image Prior for Denoising" (ICCV 2021)

DIP-denosing This is a code repo for Rethinking Deep Image Prior for Denoising (ICCV 2021). Addressing the relationship between Deep image prior and e

Computer Vision Lab. @ GIST 36 Dec 29, 2022
Code for the paper 'A High Performance CRF Model for Clothes Parsing'.

Clothes Parsing Overview This code provides an implementation of the research paper: A High Performance CRF Model for Clothes Parsing Edgar Simo-S

Edgar Simo-Serra 119 Nov 21, 2022
Video Instance Segmentation with a Propose-Reduce Paradigm (ICCV 2021)

Propose-Reduce VIS This repo contains the official implementation for the paper: Video Instance Segmentation with a Propose-Reduce Paradigm Huaijia Li

DV Lab 39 Nov 23, 2022
Image to Image translation, image generataton, few shot learning

Semi-supervised Learning for Few-shot Image-to-Image Translation [paper] Abstract: In the last few years, unpaired image-to-image translation has witn

yaxingwang 49 Nov 18, 2022
Implementation of paper "Towards a Unified View of Parameter-Efficient Transfer Learning"

A Unified Framework for Parameter-Efficient Transfer Learning This is the official implementation of the paper: Towards a Unified View of Parameter-Ef

Junxian He 216 Dec 29, 2022
TensorFlow tutorials and best practices.

Effective TensorFlow 2 Table of Contents Part I: TensorFlow 2 Fundamentals TensorFlow 2 Basics Broadcasting the good and the ugly Take advantage of th

Vahid Kazemi 8.7k Dec 31, 2022
Deep Distributed Control of Port-Hamiltonian Systems

De(e)pendable Distributed Control of Port-Hamiltonian Systems (DeepDisCoPH) This repository is associated to the paper [1] and it contains: The full p

Dependable Control and Decision group - EPFL 3 Aug 17, 2022
Official Repsoitory for "Activate or Not: Learning Customized Activation." [CVPR 2021]

CVPR 2021 | Activate or Not: Learning Customized Activation. This repository contains the official Pytorch implementation of the paper Activate or Not

184 Dec 27, 2022
[CVPR 2022] "The Principle of Diversity: Training Stronger Vision Transformers Calls for Reducing All Levels of Redundancy" by Tianlong Chen, Zhenyu Zhang, Yu Cheng, Ahmed Awadallah, Zhangyang Wang

The Principle of Diversity: Training Stronger Vision Transformers Calls for Reducing All Levels of Redundancy Codes for this paper: [CVPR 2022] The Pr

VITA 16 Nov 26, 2022