Network Architecture and Segmentation

  • Physical network components:

    • Switches

    • Routers

    • Access Points

    • Cabling

  • We protect them with:

    • Physical security controls

      • Doors, locks, fences, guards

  • Virtualized networks

    • Hosts become virtual machines

    • Not so different from physical networks

      • Same networking protocols

      • Same operating systems

      • Same networking devices (but virtual)

      • Same security devices (but virtual)

    • VM escape attacks: a guest breaks out to the hypervisor, and from there can reach every other VM on the same host

    • VM-to-VM (east-west) traffic between guests on the same host may never cross the physical network, so physical firewalls and sensors never see it; inspection has to happen in the virtual switch or in a virtual security appliance.

  • Software Defined Networking (SDN)

    • Traditional networking puts everything in one device:

      • Management

      • Routing decision

      • Traffic forwarding

    • SDN

      • Control plane – routing decisions, algorithms, tables

      • Data plane – packet forwarding only; the switches stay simple and fast and just apply the rules the controller hands them

      • Management plane – config, monitoring, CLI, REST, APIs, orchestration

      • Management Application <-> SDN Controller <-> Physical devices

      • Management App <-> SDN controller is Northbound API

      • SDN Controller <-> Physical devices is Southbound API

      • The controller and both APIs now hold the whole network's policy, so they need the same authentication and isolation as any device's management plane.
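The control/data/management split above, shown as a toy in code. This is an added illustration, not code from these notes or from any real controller or switch: the packet dict layout, the flow-table keys and the `block_mac` / `packet_in` method names standing in for the northbound and southbound APIs are assumptions made for the example (real deployments use e.g. OpenFlow southbound and a REST API northbound). The point it makes is that the switch only ever matches a table, the controller makes every decision and installs the result, and a policy change on the northbound side has no effect until the controller flushes the rules it already pushed down.

```python
"""Toy software-defined network: control plane separated from data plane.

Added illustration for the SDN notes above; it is not code from any real
controller or switch. The packet dict layout, flow-table keys and the
'northbound'/'southbound' method names are assumptions made for this example
(real deployments use e.g. OpenFlow southbound and a REST API northbound).
"""
from dataclasses import dataclass, field

FLOOD = "flood"               # send out every port except the ingress port
TO_CONTROLLER = "controller"  # table miss: ask the control plane
DROP = "drop"


@dataclass
class Switch:
    """Data plane: matches (in_port, dst) against its flow table and acts.

    It has no idea where hosts are; all intelligence lives in the controller.
    """
    name: str
    ports: tuple = (1, 2, 3)
    flows: dict = field(default_factory=dict)   # (in_port, dst_mac) -> action

    def forward(self, pkt, controller):
        """Return the list of output ports for pkt (empty list means dropped)."""
        action = self.flows.get((pkt["in_port"], pkt["dst"]), TO_CONTROLLER)
        if action == TO_CONTROLLER:
            # Southbound "packet-in": the switch cannot decide, the controller does.
            action = controller.packet_in(self, pkt)
        if action == DROP:
            return []
        if action == FLOOD:
            return [p for p in self.ports if p != pkt["in_port"]]
        return [action]  # a single learned output port


class Controller:
    """Control plane: holds the topology view and pushes rules to switches."""

    def __init__(self):
        self.switches = []
        self.mac_table = {}    # (switch name, mac) -> port where that MAC was seen
        self.blocked = set()   # policy received over the northbound API
        self.packet_ins = 0    # how often the data plane had to ask us

    def register(self, sw):
        self.switches.append(sw)

    # -- northbound API: management application -> controller -------------
    def block_mac(self, mac):
        """Policy change from the management plane.

        Flow entries already sitting in the switches would keep forwarding,
        so the controller must flush them (southbound) for the policy to bite.
        """
        self.blocked.add(mac)
        for sw in self.switches:
            sw.flows.clear()

    # -- southbound API: switch -> controller (packet-in), controller -> switch (flow install)
    def packet_in(self, sw, pkt):
        self.packet_ins += 1
        self.mac_table[(sw.name, pkt["src"])] = pkt["in_port"]   # learn where src lives
        if pkt["src"] in self.blocked or pkt["dst"] in self.blocked:
            action = DROP
        else:
            action = self.mac_table.get((sw.name, pkt["dst"]), FLOOD)
        if action != FLOOD:
            # Install the decision so later packets never leave the data plane.
            sw.flows[(pkt["in_port"], pkt["dst"])] = action
        return action


def demo():
    """Constructed traffic on one switch; returns per-packet output ports and packet-in count."""
    ctl = Controller()
    sw = Switch("s1")
    ctl.register(sw)
    out = []
    out.append(sw.forward({"in_port": 1, "src": "aa", "dst": "bb"}, ctl))  # unknown dst: flood
    out.append(sw.forward({"in_port": 2, "src": "bb", "dst": "aa"}, ctl))  # aa known: port 1
    out.append(sw.forward({"in_port": 1, "src": "aa", "dst": "bb"}, ctl))  # bb known: port 2, flow installed
    out.append(sw.forward({"in_port": 1, "src": "aa", "dst": "bb"}, ctl))  # flow hit, no packet-in
    ctl.block_mac("bb")                                                     # northbound policy change
    out.append(sw.forward({"in_port": 1, "src": "aa", "dst": "bb"}, ctl))  # now dropped
    return out, ctl.packet_ins


if __name__ == "__main__":
    print(demo())
```

The fourth packet is the data plane working alone: it hits an installed flow and the controller is never consulted. The fifth shows why `block_mac` flushes the switch tables; without that step the old `(1, "bb") -> 2` entry would keep forwarding the blocked traffic.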

  • VPC (Virtual Private Cloud) – an isolated, software-defined network inside a public cloud; each provider has its own name for it:

    • Microsoft Azure – Virtual Network (VNet)

    • AWS – VPC

    • Oracle – VCN (Virtual Cloud Network)

    • Google Cloud – VPC

  • VPN (Virtual Private Network)

    • Data tunnel through a public infrastructure

    • Provides remote connectivity

    • A VPN is not necessarily secure: a tunnel by itself only carries traffic, so only an encrypted tunnel (for example IPsec or a TLS-based VPN) protects what goes through it.

  • Serverless functions (Function as a Service, FaaS)

    • AWS Lambda

    • Azure Functions

    • Google Cloud Functions

  • Network Segmentation

    • Good for management and performance, and limits how far an attacker who compromises one segment can move laterally

    • Air gapping: completely disconnecting a network segment physically.

      • Tough to manage: updates, logs and data have to be carried across by hand.

      • Military, power systems, systems that can’t have any outside interference

      • Protecting CA private keys in a PKI

        • The CA generates and signs certificates using its private key

        • Trusting a CA implies trusting every certificate signed by it, so a stolen CA key lets an attacker issue certificates that everyone trusts.

    • Layer 2 segmentation: VLANs, private VLANs, port security

    • Layer 3+ segmentation: subnets, traffic policies, ACLs

    • DMZ – network segment for publicly facing servers, kept separate from the internal network so a compromised public server does not sit on the inside

    • Jumpbox / Bastion Host – a hardened machine that is the only permitted entry point into another network segment; administrators log in to it first and hop from there
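The Layer 3 segmentation, DMZ and bastion points above, worked through as a default-deny policy check. This is an added example, not part of the original notes: the segment names, address ranges, ports and ACL rules are constructed for illustration and do not describe any real network. It shows what the ACL buys you (a compromised DMZ web server can reach the database port but not SSH inward; management hosts other than the bastion cannot reach internal hosts at all) and the caveat that a Layer 3 ACL never sees traffic that stays inside one segment.

```python
"""Layer 3 segmentation policy check (DMZ, internal, management, bastion).

Added example for the segmentation notes above; it is not from the original
notes. Segment names, address ranges, ports and rules below are constructed
for illustration, not taken from any real network.
"""
import ipaddress

# Segments; anything that matches none of them is treated as "internet".
SEGMENTS = {
    "mgmt":     ipaddress.ip_network("10.99.0.0/24"),
    "internal": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":      ipaddress.ip_network("203.0.113.0/24"),
}
BASTION = ipaddress.ip_address("10.99.0.10")   # the only mgmt host allowed inward

# ACL: (src segment, dst segment, permitted TCP ports). Anything not listed is denied.
RULES = [
    ("internet", "dmz",      {80, 443}),   # public web tier
    ("dmz",      "internal", {5432}),      # web tier may reach the database port only
    ("bastion",  "dmz",      {22}),        # admins hop through the jumpbox ...
    ("bastion",  "internal", {22}),        # ... never directly from their own machine
    ("internal", "internet", {80, 443}),   # outbound web from inside
]


def segment_of(ip):
    """Map an address to its segment name; the bastion is its own pseudo-segment."""
    addr = ipaddress.ip_address(ip)
    if addr == BASTION:
        return "bastion"
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src, dst, port):
    """Default-deny evaluation of one flow against the segmentation policy.

    Traffic that stays inside a segment is not seen by a Layer 3 ACL at all;
    containing that is the job of VLANs, private VLANs and port security (Layer 2).
    """
    s, d = segment_of(src), segment_of(dst)
    if s == d:
        return True
    return any(rs == s and rd == d and port in ports for rs, rd, ports in RULES)


def check_flows(flows):
    """Evaluate (src, dst, port) flows; returns {flow: 'allow' | 'deny'} in input order."""
    return {f: ("allow" if is_allowed(*f) else "deny") for f in flows}


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 443),   # internet -> DMZ web: allow
    ("198.51.100.7", "10.10.1.5", 22),       # internet -> internal SSH: deny
    ("203.0.113.10", "10.10.1.5", 5432),     # DMZ -> internal DB: allow
    ("203.0.113.10", "10.10.1.5", 22),       # compromised DMZ host -> internal SSH: deny
    ("10.99.0.10", "10.10.1.5", 22),         # bastion -> internal SSH: allow
    ("10.99.0.11", "10.10.1.5", 22),         # other mgmt host bypassing the bastion: deny
    ("10.10.1.5", "10.10.1.6", 445),         # same segment: L3 ACL does not apply
]

if __name__ == "__main__":
    for flow, verdict in check_flows(SAMPLE_FLOWS).items():
        print(f"{flow[0]:>14} -> {flow[1]:<14} tcp/{flow[2]:<5} {verdict}")
```

The last sample flow is the caveat: two hosts in the same /16 talk freely as far as this policy is concerned, which is why Layer 2 controls (or smaller subnets) are needed alongside the ACL if east-west movement inside a segment matters.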
