So what do I mean by a network being on a diet? I mean reducing the network footprint to the smallest size that still serves the business.
What is a network footprint?
The parts of my infrastructure that malicious individuals can reach and attack: every device, service and network path exposed to them. With the increase in client-side attacks on browsers, the network footprint seems bound to grow: more devices mean more vectors of attack, and therefore a bigger network footprint.
How can you manage your organization’s network footprint?
There is not much one can do about the footprint growing when an organization grows and more devices are issued to its people; that is part of the organic growth of a business. What should be avoided is creating “sub offices”, for example by giving home users network equipment that establishes an always-on VPN tunnel into the corporate network. That adds to the footprint without a business need.
What should organizations avoid?
Take an example: if a single user works offsite and can use a client VPN solution with two-factor authentication, there is no reason to give that user site-to-site VPN connectivity. Site-to-site VPN in this case is a frivolous increase in the network footprint: the tunnel is “always on”, so if an attacker compromises any device or computer on the user’s network, the tunnel gives the attacker unfettered access to the corporate network, with no user login in the way. The converse example is a data center, which is not a user environment but a server hosting environment; a site-to-site VPN there is a good idea, because the “always-on” property of site-to-site VPNs is essential to the business operation.
Always evaluate whether users sit on the far side of a site-to-site VPN. “Always-on” site-to-site VPNs certainly afford convenience, but when they increase your organization’s network footprint, usability and security conflict with each other. Weigh each tunnel against the information risk exposure it creates and the business benefit it provides.
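As an added example (not code from the original post), the following Python script turns the evaluation above into a repeatable review of a VPN tunnel inventory. The inventory format, the field names and the sample tunnels are constructed for illustration. It flags any site-to-site tunnel whose remote side is a user environment, flags client VPNs without a second factor, and sizes the footprint as the number of remote addresses that can reach the corporate network without a per-session user login, which is what makes the always-on home tunnel worse than the authenticated client VPN.

```python
"""Footprint review of VPN tunnels.

Added example, not code from the original post. The Tunnel fields, the
environment labels and SAMPLE_TUNNELS are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Tunnel:
    name: str
    kind: str          # "site-to-site" (always on) or "client" (per-user session)
    remote_env: str    # "datacenter", "home", "branch-users", ...
    remote_cidr: str   # addresses the far side can source traffic from
    mfa: bool          # second factor required when the tunnel/session is set up


# Environments where people and their devices live, not servers (assumption).
USER_ENVIRONMENTS = {"home", "branch-users"}


def exposed_hosts(t: Tunnel) -> int:
    """Remote addresses that can reach the corporate network through this
    tunnel without a per-session user login. A client VPN carries one
    authenticated session, not a network, so it contributes nothing here."""
    if t.kind == "client":
        return 0
    return ipaddress.ip_network(t.remote_cidr, strict=False).num_addresses


def footprint(tunnels) -> int:
    """Total remote addresses with always-on, login-free reachability."""
    return sum(exposed_hosts(t) for t in tunnels)


def review(tunnels):
    """Return (tunnel name, finding) pairs for tunnels that widen the
    footprint without a business need."""
    findings = []
    for t in tunnels:
        if t.kind == "site-to-site" and t.remote_env in USER_ENVIRONMENTS:
            findings.append((t.name,
                f"always-on site-to-site tunnel to a user environment "
                f"({t.remote_env}) exposes {exposed_hosts(t)} addresses; "
                f"replace with a client VPN plus a second factor"))
        elif t.kind == "client" and not t.mfa:
            findings.append((t.name, "client VPN without a second factor"))
    return findings


# Constructed sample inventory.
SAMPLE_TUNNELS = [
    Tunnel("dc-east", "site-to-site", "datacenter", "10.50.0.0/16", mfa=False),
    Tunnel("home-alice", "site-to-site", "home", "192.168.1.0/24", mfa=False),
    Tunnel("client-bob", "client", "home", "10.200.0.7/32", mfa=True),
    Tunnel("client-legacy", "client", "home", "10.200.0.8/32", mfa=False),
]


if __name__ == "__main__":
    print(f"login-free exposed addresses: {footprint(SAMPLE_TUNNELS)}")
    for name, finding in review(SAMPLE_TUNNELS):
        print(f"{name}: {finding}")
```

The data center tunnel is counted in the footprint but not flagged: its always-on reachability is the business need the post describes. The home tunnel is flagged because a compromise of any of its 256 addresses reaches the corporate network with no login in the way.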