Best practices for segmentation of the corporate network of any company

Related tags

Deep Learningnetwork-securitysegmentation-networknetwork-isolationnetwork-segmentnetwork-segmenationfirewallingsegmetation-benchmarksvlaningvlan-best-practicefirewall-segmentation
Overview

Anurag's GitHub stats

Best-practice-for-network-segmentation

What is this?

This project was created to publish the best practices for segmentation of the corporate network of any company. In general, the schemes in this project are suitable for any company.

Where can I find diagrams?

Graphic diagrams are available in the Release page
The schema sources are located in the repository

Schematic symbols

Elements used in network diagrams:
Schematic symbols
Crossing the border of the rectangle means crossing the firewall.

Level 1 of network segmentation: basic segmentation

Level 1

Advantages

Basic segmentation to protect against basic targeted attacks that make it difficult for an attacker to advance on the network. Basic isolation of the productive environment from the corporate one.

Disadvantages

The default corporate network should be considered potentially compromised. Potentially compromised workstations of ordinary workers, as well as workstations of administrators, have basic and administrative access to the production network.

In this regard, the compromise of any workstation can theoretically lead to the exploitation of the following attack vector. An attacker compromises a workstation in the corporate network. Further, the attacker either elevates privileges in the corporate network or immediately attacks the production network with the rights that the attacker had previously obtained.

Attack vector protection:

Installation the maximum number of information protection tools, real time monitoring suspicious events and immediate response.
OR!
Segmentation according to level 2 requirements

Level 2 of network segmentation: adoption of basic security practices

Level 2

Advantages

More network segments in the corporate network.
Full duplication of the main supporting infrastructure for production network such as:

  1. mail relays;
  2. time servers;
  3. other services, if available.

Safer software development. Recommended implementing DevSecOps at least Level 1 of the DSOMM, what requires the introduction of a separate storage of secrets for passwords, tokens, cryptographic keys, logins, etc., additional servers for SAST, DAST, fuzzing, SCA and another DevSecOps tools. In case of problems in the supporting infrastructure in the corporate segment, this will not affect the production environment. It is a little harder for an attacker to compromise a production environment.
Or you can implement at least Level 2 of the SLSA.

Disadvantages

As a result, this leads to the following problems:

  1. increasing the cost of ownership and the cost of final services to customers;
  2. high complexity of maintenance.

If u like it?

Please subscribe - this is free support for the project image

Level 3 of network segmentation: high adoption of security practices

The company's management (CEO) understands the role of cybersecurity in the life of the company. Information security risk becomes one of the company's operational risks. Depending on the size of the company, the minimum size of an information security unit is 15-20 employees. Level 3

Advantages

Implementing security services such us:

  1. security operation center (SIEM, IRP, SOAR, SGRC);
  2. data leak prevention;
  3. phishing protection;
  4. sandbox;
  5. intrusion prevention system;
  6. vulnerability scanner;
  7. endpoint protection;
  8. web application firewall;
  9. backup server.

Disadvantages

High costs of information security tools and information security specialists

Level 4 of network segmentation: advanced deployment of security practices at scale

Each production and corporate services has its own networks: Tier I, Tier II, Tier III.

The production environment is accessed from isolated computers. Each isolated computer does not have:

  1. incoming accesses from anywhere except from remote corporate laptops via VPN;
  2. outgoing access to the corporate network:
    • no access to the mail service - the threat of spear phishing is not possible;
    • there is no access to internal sites and services - it is impossible to download a trojan from a compromised corporate networks.

🔥 Only one way to compromise an isolated computer is to compromise the production environment. As a result, a successful compromise of a computer, even by phishing, will prevent a hacker from gaining access to a production environment.

Implement other possible security services, such as:

  1. privileged access management;
  2. internal phishing training server;
  3. compliance server (configuration assessment).

Level 4

Advantages

Implementing security services such us:

  1. privileged access management;
  2. internal phishing training server;
  3. compliance server (configuration assessment);
  4. strong protection of your production environment from spear phishing.

🔥 Now the attacker will not be able to attack the production network, because now a potentially compromised workstation in the corporate network basically does not have network access to the production. Related problems:

  1. separate workstations for access to the production network - yes, now you will have 2 computers on your desktop.
  2. other LDAP catalog or Domain controller for production network;
  3. firewall analyzer, network equipment analyzer;
  4. netflow analyzer.

Disadvantages

Now you will have 2 computers on your desktop if you need access to production network. It hurts 😀

Support the project

Please subscribe - this is free support for the project

Have an idea for improvement?

You might also like...
Intel® Nervana™ reference deep learning framework committed to best performance on all hardware

DISCONTINUATION OF PROJECT. This project will no longer be maintained by Intel. Intel will not provide or guarantee development of or support for this

Nervana 3.9k Feb 9, 2021
Let Python optimize the best stop loss and take profits for your TradingView strategy.

TradingView Machine Learning TradeView is a free and open source Trading View bot written in Python. It is designed to support all major exchanges. It

Robert Roman 473 Jan 9, 2023
Using deep actor-critic model to learn best strategies in pair trading

Deep-Reinforcement-Learning-in-Stock-Trading Using deep actor-critic model to learn best strategies in pair trading Abstract Partially observed Markov

null 281 Dec 9, 2022
Code for
Code for "Learning the Best Pooling Strategy for Visual Semantic Embedding", CVPR 2021

Learning the Best Pooling Strategy for Visual Semantic Embedding Official PyTorch implementation of the paper Learning the Best Pooling Strategy for V

Jiacheng Chen 106 Jan 6, 2023
PyTorch implementation of the Value Iteration Networks (VIN) (NIPS '16 best paper)
PyTorch implementation of the Value Iteration Networks (VIN) (NIPS '16 best paper)

Value Iteration Networks in PyTorch Tamar, A., Wu, Y., Thomas, G., Levine, S., and Abbeel, P. Value Iteration Networks. Neural Information Processing

LEI TAI 75 Nov 24, 2022
Pytorch implementation of Value Iteration Networks (NIPS 2016 best paper)
Pytorch implementation of Value Iteration Networks (NIPS 2016 best paper)

VIN: Value Iteration Networks A quick thank you A few others have released amazing related work which helped inspire and improve my own implementation

Kent Sommer 297 Dec 26, 2022
A best practice for tensorflow project template architecture.
A best practice for tensorflow project template architecture.

A best practice for tensorflow project template architecture.

Mahmoud Gamal Salem 3.6k Dec 22, 2022
Top #1 Submission code for the first https://alphamev.ai MEV competition with best AUC (0.9893) and MSE (0.0982).

alphamev-winning-submission Top #1 Submission code for the first alphamev MEV competition with best AUC (0.9893) and MSE (0.0982). The code won't run

null 70 Oct 29, 2022
Created as part of CS50 AI's coursework. This AI makes use of knowledge entailment to calculate the best probabilities to win Minesweeper.
Created as part of CS50 AI's coursework. This AI makes use of knowledge entailment to calculate the best probabilities to win Minesweeper.

Minesweeper-AI Created as part of CS50 AI's coursework. This AI makes use of knowledge entailment to calculate the best probabilities to win Minesweep

Beckham 0 Jul 20, 2022
Comments
  • WSUS Server Terminology

    WSUS Server Terminology

    WSUS no longer uses the master/slave terminology. Instead use upstream & downstream servers.

    https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/plan/plan-your-wsus-deployment

    bug 
    opened by LinealJoe 2
  • Add Social preview

    Add Social preview

    Add Social preview Upload an image to customize your repository’s social media preview.

    Images should be at least 640×320px (1280×640px for best display). Download template

    enhancement 
    opened by sergiomarotco 1
  • [ImgBot] Optimize images

    [ImgBot] Optimize images

    Beep boop. Your images are optimized!

    Your image file size has been reduced by 9% 🎉

    Details

    | File | Before | After | Percent reduction | |:--|:--|:--|:--| | /Other/Powtoon_GIF.gif | 561.10kb | 507.21kb | 9.61% | | /Schematic symbols/Schematic symbols.jpg | 63.88kb | 61.17kb | 4.24% | | | | | | | Total : | 624.98kb | 568.38kb | 9.06% |

    📝 docs | :octocat: repo | 🙋🏾 issues | 🏪 marketplace

    ~Imgbot - Part of Optimole family

    opened by imgbot[bot] 0
  • Level 4 with one computer (Privileged Access Workstation)

    Level 4 with one computer (Privileged Access Workstation)

    Level four can be achieved with only one physical computer on your desktop. One can use virtual machines and call it a Privileged Access Workstation: https://techcommunity.microsoft.com/t5/data-center-security/privileged-access-workstation-paw/ba-p/372274

    It hurts a little less than two physical computers. ;)

    good first issue 
    opened by C0FFEEC0FFEE 7
Releases(4.1.3)
Owner
Security evangelist
GitHub Repository
Cognate Detection Repository

Cognate Detection Repository Details This repository contains the data for two publications: Challenge Dataset of Cognates and False Friend Pairs from

Diptesh Kanojia 1 Apr 26, 2022
[CVPR 2021] Teachers Do More Than Teach: Compressing Image-to-Image Models (CAT)

CAT arXiv Pytorch implementation of our method for compressing image-to-image models. Teachers Do More Than Teach: Compressing Image-to-Image Models Q

Snap Research 160 Dec 09, 2022
Joint Versus Independent Multiview Hashing for Cross-View Retrieval[J] (IEEE TCYB 2021, PyTorch Code)

Thanks to the low storage cost and high query speed, cross-view hashing (CVH) has been successfully used for similarity search in multimedia retrieval. However, most existing CVH methods use all view

4 Nov 19, 2022
Session-aware Item-combination Recommendation with Transformer Network

Session-aware Item-combination Recommendation with Transformer Network 2nd place (0.39224) code and report for IEEE BigData Cup 2021 Track1 Report EDA

Tzu-Heng Lin 6 Mar 10, 2022
CNN designed for pansharpening

PROGRESSIVE BAND-SEPARATED CONVOLUTIONAL NEURAL NETWORK FOR MULTISPECTRAL PANSHARPENING This repository contains main code for the paper PROGRESSIVE B

SerendipitysX 3 Dec 29, 2021
EMNLP 2021 Findings' paper, SCICAP: Generating Captions for Scientific Figures

SCICAP: Scientific Figures Dataset This is the Github repo of the EMNLP 2021 Findings' paper, SCICAP: Generating Captions for Scientific Figures (Hsu

Edward 26 Nov 21, 2022
PyTorch implementation of ShapeConv: Shape-aware Convolutional Layer for RGB-D Indoor Semantic Segmentation.

Shape-aware Convolutional Layer (ShapeConv) PyTorch implementation of ShapeConv: Shape-aware Convolutional Layer for RGB-D Indoor Semantic Segmentatio

Hanchao Leng 82 Dec 29, 2022
The AugNet Python module contains functions for the fast computation of image similarity.

AugNet AugNet: End-to-End Unsupervised Visual Representation Learning with Image Augmentation arxiv link In our work, we propose AugNet, a new deep le

Ming 74 Dec 28, 2022
Elegy is a framework-agnostic Trainer interface for the Jax ecosystem.

Elegy Elegy is a framework-agnostic Trainer interface for the Jax ecosystem. Main Features Easy-to-use: Elegy provides a Keras-like high-level API tha

435 Dec 30, 2022
Lightweight, Portable, Flexible Distributed/Mobile Deep Learning with Dynamic, Mutation-aware Dataflow Dep Scheduler; for Python, R, Julia, Scala, Go, Javascript and more

Apache MXNet (incubating) for Deep Learning Master Docs License Apache MXNet (incubating) is a deep learning framework designed for both efficiency an

ROCm Software Platform 29 Nov 16, 2022
ReSSL: Relational Self-Supervised Learning with Weak Augmentation

ReSSL: Relational Self-Supervised Learning with Weak Augmentation This repository contains PyTorch evaluation code, training code and pretrained model

mingkai 45 Oct 25, 2022
SOLO and SOLOv2 for instance segmentation, ECCV 2020 & NeurIPS 2020.

SOLO: Segmenting Objects by Locations This project hosts the code for implementing the SOLO algorithms for instance segmentation. SOLO: Segmenting Obj

Xinlong Wang 1.5k Dec 31, 2022
CenterFace(size of 7.3MB) is a practical anchor-free face detection and alignment method for edge devices.

CenterFace Introduce CenterFace(size of 7.3MB) is a practical anchor-free face detection and alignment method for edge devices. Recent Update 2019.09.

StarClouds 1.2k Dec 21, 2022
Download & Install mods for your favorit game with a few simple clicks

Husko's SteamWorkshop Downloader 🔴 IMPORTANT ❗ 🔴 The Tool is currently being rewritten so updates will be slow and only on the dev branch until it i

Husko 67 Nov 25, 2022
RTSeg: Real-time Semantic Segmentation Comparative Study

Real-time Semantic Segmentation Comparative Study The repository contains the official TensorFlow code used in our papers: RTSEG: REAL-TIME SEMANTIC S

Mennatullah Siam 592 Nov 18, 2022
Implement slightly different caffe-segnet in tensorflow

Tensorflow-SegNet Implement slightly different (see below for detail) SegNet in tensorflow, successfully trained segnet-basic in CamVid dataset. Due t

Tseng Kuan Lun 364 Oct 27, 2022
A PyTorch implementation of the Relational Graph Convolutional Network (RGCN).

Torch-RGCN Torch-RGCN is a PyTorch implementation of the RGCN, originally proposed by Schlichtkrull et al. in Modeling Relational Data with Graph Conv

Thiviyan Singam 66 Nov 30, 2022
A flag generation AI created using DeepAIs API

Vex AI or Vexiology AI is an Artifical Intelligence created to generate custom made flag design texts. It uses DeepAIs API. Please be aware that you must include your own DeepAI API key. See instruct

Bernie 10 Apr 06, 2022
AfriBERTa: Exploring the Viability of Pretrained Multilingual Language Models for Low-resourced Languages

AfriBERTa: Exploring the Viability of Pretrained Multilingual Language Models for Low-resourced Languages This repository contains the code for the pa

Kelechi 40 Nov 24, 2022
An AFL implementation with UnTracer (our coverage-guided tracer)

UnTracer-AFL This repository contains an implementation of our prototype coverage-guided tracing framework UnTracer in the popular coverage-guided fuz

113 Dec 17, 2022