Network Architecture and Segmentation
Physical networks consist of:
Switches
Routers
Access Points
Cabling
We protect them with:
Physical security controls
Doors, locks, fences, guards
Virtualized networks: hosts become virtual machines
Not so different from physical networks
Same networking protocols
Same operating systems
Same networking devices (but virtual)
Same security devices (but virtual)
VM escape attacks: break out of a guest VM to attack the hypervisor, and through it every other VM on the same host
VM-to-VM traffic (East-West) between guests on the same host may never cross the physical network, so physical firewalls and sensors cannot see it; inspect it with virtual security appliances or route it out through the physical network
Software Defined Networking (SDN)
Traditional networking puts everything in one device:
Management
Routing decision
Traffic forwarding
SDN
Control plane – routing decisions, algorithms, tables
Data plane – forwarding, dumb fast switches
Management plane – config, monitoring, CLI, REST, APIs, orchestration
Management Application <-> SDN Controller <-> Physical devices
Management App <-> SDN controller is Northbound API
SDN Controller <-> Physical devices is Southbound API
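The plane split above, as an added example that is not part of the original notes: the Controller class is the control plane (it runs the routing algorithm), each Switch is a dumb data-plane device that only does table lookups, install_flow() stands in for the southbound API and compute_and_push() / isolate_host() stand in for northbound calls from a management application. The topology, host names and port numbers are constructed for the example; nothing here is a real controller's API.

```python
import heapq
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Data plane: no routing logic, only a flow table keyed by destination host."""
    name: str
    flow_table: dict = field(default_factory=dict)  # dst_host -> out_port

    def install_flow(self, dst_host, out_port):
        """Southbound API: the controller writes an entry (think OpenFlow FlowMod)."""
        self.flow_table[dst_host] = out_port

    def remove_flow(self, dst_host):
        self.flow_table.pop(dst_host, None)

    def forward(self, dst_host):
        """Fast path: table lookup only. A table miss is dropped rather than
        flooded, the safer default for a device that makes no decisions itself."""
        return self.flow_table.get(dst_host, "DROP")


class Controller:
    """Control plane: knows the topology, runs the routing algorithm, pushes flows."""

    def __init__(self, links, hosts):
        # links: {(sw_a, sw_b): port on sw_a that leads to sw_b}, both directions listed
        # hosts: {host: (attached_switch, port)}
        self.links = links
        self.hosts = hosts
        self.switches = {}
        for a, b in links:
            self.switches.setdefault(a, Switch(a))
            self.switches.setdefault(b, Switch(b))
        self.neighbors = {sw: [] for sw in self.switches}
        for a, b in links:
            self.neighbors[a].append(b)

    def _parents_toward(self, root):
        """Dijkstra with unit link costs from `root`; returns {switch: next hop toward root}."""
        dist, parent, heap = {root: 0}, {}, [(0, root)]
        while heap:
            d, sw = heapq.heappop(heap)
            if d > dist[sw]:
                continue
            for nb in self.neighbors[sw]:
                if d + 1 < dist.get(nb, float("inf")):
                    dist[nb] = d + 1
                    parent[nb] = sw
                    heapq.heappush(heap, (d + 1, nb))
        return parent

    def compute_and_push(self):
        """Northbound API: management asks for full connectivity; the controller
        computes every switch's next hop per host and installs the flows."""
        for host, (edge_sw, host_port) in self.hosts.items():
            self.switches[edge_sw].install_flow(host, host_port)
            for sw, nxt in self._parents_toward(edge_sw).items():
                self.switches[sw].install_flow(host, self.links[(sw, nxt)])

    def isolate_host(self, host):
        """Northbound API: quarantine a host. One call, every switch updated."""
        for sw in self.switches.values():
            sw.remove_flow(host)

    def trace(self, src_host, dst_host):
        """Replay the data-plane lookups hop by hop; returns the switch sequence,
        ending in the destination host or 'DROP'."""
        peer = {(a, p): b for (a, b), p in self.links.items()}
        sw = self.hosts[src_host][0]
        hops = [sw]
        for _ in range(len(self.switches) + 1):  # bounded so a bad table cannot loop forever
            port = self.switches[sw].forward(dst_host)
            if port == "DROP":
                return hops + ["DROP"]
            if (sw, port) == self.hosts[dst_host]:
                return hops + [dst_host]
            sw = peer[(sw, port)]
            hops.append(sw)
        return hops + ["LOOP"]


# Constructed topology: s1 - s2 - s3 in a line, plus a direct s1 - s3 link.
LINKS = {
    ("s1", "s2"): 1, ("s2", "s1"): 1,
    ("s2", "s3"): 2, ("s3", "s2"): 1,
    ("s1", "s3"): 2, ("s3", "s1"): 2,
}
HOSTS = {"hA": ("s1", 10), "hB": ("s3", 10)}


def demo():
    ctl = Controller(LINKS, HOSTS)
    ctl.compute_and_push()
    before = ctl.trace("hA", "hB")  # shortest path uses the direct s1 - s3 link
    ctl.isolate_host("hB")          # one northbound call, all flow tables updated
    after = ctl.trace("hA", "hB")   # first switch has a table miss and drops
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point to notice is where the intelligence lives: no Switch ever computes a route, so a compromised switch can only misuse the entries it was given, while the controller (and its northbound API) becomes the high-value target that must be protected.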
VPC (Virtual Private Cloud)
Microsoft Azure – virtual network
AWS – VPC
Oracle – VCN (virtual cloud network)
Google Cloud – VPC
VPN (Virtual Private Network)
Data tunnel through a public infrastructure
Provides remote connectivity
VPN is not necessarily secure: a tunnel alone (e.g. plain GRE, or L2TP without IPsec) only encapsulates traffic; confidentiality and integrity come only from an encrypted, authenticated tunnel (IPsec, TLS, WireGuard).
Serverless function (Function as a Service)
AWS Lambda
Azure Functions
Google Cloud – Cloud Functions
Network Segmentation
Good for management, performance and security: a compromised host can only reach its own segment directly, which limits lateral movement
Air gapping. Completely disconnecting a network segment physically.
Tough to manage.
Military, power systems, systems that can’t have any outside interference
Example: protecting CA private keys in a PKI (offline root CA)
The CA generates and signs certs using its private key
Trusting a CA implies trusting every cert signed by it, so a leaked CA key lets an attacker mint certs every client trusts
Layer 2 segmentation: VLANs, private VLANs (isolate ports from each other within one VLAN), port security (limit which/how many MAC addresses a port accepts)
Layer 3+ segmentation: subnetworks, traffic policies, ACLs / firewall rules enforced where traffic crosses between subnets
DMZ – Network segment for publicly facing servers, isolated from the internal network so a compromised public server does not land inside the LAN
Jumpbox / Bastion Host – A hardened machine that is the only permitted entry point into another, more restricted network segment; administrators log in to it first and connect onward from there
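Layer 3 segmentation, the DMZ and the jump box together, as an added example that is not part of the original notes: a default-deny ACL between constructed segments, evaluated against constructed flows. The segment ranges, the bastion address and the rules are made up for illustration; the intra-segment branch shows the caveat that traffic between hosts in the same subnet never reaches an L3 ACL, so only the Layer 2 controls above apply there.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed segments (RFC 1918 space). 0.0.0.0/0 is "anything not defined below".
SEGMENTS = {
    "internet":   ipaddress.ip_network("0.0.0.0/0"),
    "dmz":        ipaddress.ip_network("10.0.1.0/24"),
    "internal":   ipaddress.ip_network("10.0.10.0/24"),
    "management": ipaddress.ip_network("10.0.99.0/24"),
}
JUMPBOX = "10.0.1.5"  # constructed bastion host, placed in the DMZ


@dataclass(frozen=True)
class Rule:
    src: str              # segment name, or an exact IP string for host-specific rules
    dst: str
    dport: Optional[int]  # None matches any port
    action: str           # "allow" or "deny"


# Ordered policy, first match wins. Anything not listed hits the default deny.
POLICY = [
    Rule("internet", "dmz", 443, "allow"),        # public web tier only
    Rule("dmz", "internal", 5432, "allow"),       # web tier -> database, nothing else
    Rule(JUMPBOX, "management", 22, "allow"),     # admins reach management via the bastion
    Rule("internal", "internet", 443, "allow"),   # outbound updates
]


def segment_of(ip):
    """Longest-prefix match, so 0.0.0.0/0 only catches what no other segment does."""
    best = max((n for n in SEGMENTS.values() if ip in n), key=lambda n: n.prefixlen)
    return next(name for name, net in SEGMENTS.items() if net == best)


def _match(spec, ip):
    if spec in SEGMENTS:
        return segment_of(ip) == spec
    return ip == ipaddress.ip_address(spec)


def evaluate(src, dst, dport):
    """Return (action, reason) for one flow src -> dst:dport."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s_seg, d_seg = segment_of(src), segment_of(dst)
    if s_seg == d_seg and s_seg != "internet":
        # Same subnet: switched at Layer 2, the router/firewall never sees it.
        return "allow", f"intra-segment ({s_seg}): L3 ACL not consulted, only L2 controls apply"
    for rule in POLICY:
        if _match(rule.src, src) and _match(rule.dst, dst) and rule.dport in (None, dport):
            return rule.action, f"rule {rule.src} -> {rule.dst}:{rule.dport}"
    return "deny", "default deny"


# Constructed flows an auditor might test the policy with.
FLOWS = [
    ("203.0.113.7", "10.0.1.10", 443),    # internet -> DMZ web
    ("203.0.113.7", "10.0.10.20", 5432),  # internet -> internal DB directly
    ("10.0.1.10", "10.0.10.20", 5432),    # DMZ web -> DB
    ("10.0.1.10", "10.0.10.20", 22),      # DMZ web -> DB over SSH (compromised web host)
    (JUMPBOX, "10.0.99.1", 22),           # bastion -> management
    ("10.0.1.10", "10.0.99.1", 22),       # non-bastion DMZ host -> management
    ("10.0.10.20", "10.0.10.21", 22),     # two internal hosts, same subnet
]


def audit(flows=FLOWS):
    return {f: evaluate(*f) for f in flows}


if __name__ == "__main__":
    for flow, (action, reason) in audit().items():
        print(f"{flow[0]:>14} -> {flow[1]:<12}:{flow[2]:<5} {action:<5} ({reason})")
```

Reading the output as a practitioner would: the internet never reaches internal or management directly, a compromised DMZ web server gets exactly one port into the internal segment, and only the bastion's address is allowed to administer the management segment. The intra-segment result is the reminder that an ACL at the subnet boundary does nothing for two hosts in the same VLAN; that is what private VLANs and port security are for.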