# Network Architecture and Segmentation

* We have
  * Switches
  * Routers
  * Access Points
  * Cabling
* We protect them with:
  * Physical security controls
    * Doors, locks, fences, guards
* Virtualized networks
  * Hosts become virtual machines
  * Not so different from physical networks
    * Same networking protocols
    * Same operating systems
    * Same networking devices (but virtual)
    * Same security devices (but virtual)
  * VM escape attacks: targeting the hypervisor
  * VM to VM traffic (East-West) might cross the physical network.
* Software Defined Networking (SDN)
  * Traditional networking puts everything in one device:
    * Management
    * Routing decision
    * Traffic forwarding
  * SDN
    * Control plane – routing decisions, algorithms, tables
    * Data plane – forwarding, dumb fast switches
    * Management plane – config, monitoring, CLI, REST, APIs, orchestration
    * Management Application <-> SDN Controller <-> Physical devices
    * Management App <-> SDN controller is Northbound API
    * SDN Controller <-> Physical devices is Southbound API
* VPC (Virtual Private Cloud)
  * Microsoft Azure – virtual network
  * AWS – VPC
  * Oracle – VCN (virtual cloud network)
  * Google Cloud – VPC
* VPN (Virtual Private Network)
  * Data tunnel through a public infrastructure
  * Provides remote connectivity
  * A VPN is not necessarily secure: it is only a data tunnel unless the tunnel is encrypted.
* Serverless function (Function as a Service)
  * AWS Lambda
  * Azure functions
  * Google – Cloud functions
* Network Segmentation
  * Good for management and performance
  * Air gapping: completely disconnecting a network segment physically.
    * Tough to manage.
    * Military, power systems, systems that can’t have any outside interference
    * Protecting CA private keys in PKI
      * CA generates and signs certs using its private key
      * Trusting a CA implies trusting certs signed by it.
  * Layer 2 segmentation, VLANs, private VLANs, port security
  * Layer 3+ segmentation: subnetworks, traffic policies, ACLs
  * DMZ – Network segment for publicly facing servers
  * Jumpbox / Bastion Host – A machine used to access another network
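The layer 3+ segmentation items above (subnets, traffic policies, ACLs, a DMZ and a bastion host) can be modelled as a first-match ACL over named segments. The following is an added example, not part of the original notes; the address plan, segment names, bastion address and rules are constructed sample values.

```python
# Added example: first-match ACL evaluator over a segmented address plan.
# All addresses, segment names and rules below are constructed samples.
import ipaddress
from typing import NamedTuple, Optional

SEGMENTS = {  # constructed sample address plan; 0.0.0.0/0 is the fallback
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "internal": ipaddress.ip_network("10.2.0.0/24"),
    "management": ipaddress.ip_network("10.9.0.0/24"),
}
BASTION = ipaddress.ip_address("10.2.0.10")  # jump box living in "internal"

class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    src: str             # segment name, or "bastion" for the jump box only
    dst: str             # segment name
    port: Optional[int]  # None matches any destination port

# Ordered policy; first matching rule wins, anything unmatched is denied.
RULES = [
    Rule("allow", "internet", "dmz", 443),       # public web tier
    Rule("allow", "dmz", "internal", 5432),      # web tier to database
    Rule("allow", "bastion", "management", 22),  # only the jump box reaches mgmt
    Rule("deny", "dmz", "management", None),     # DMZ never talks to mgmt
]

def segment_of(ip: ipaddress.IPv4Address) -> Optional[str]:
    """Name of the most specific segment containing ip."""
    best = None
    for name, net in SEGMENTS.items():
        if ip in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = name
    return best

def evaluate(src_ip: str, dst_ip: str, port: int) -> str:
    """Return 'allow' or 'deny' for one flow, with an implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    for r in RULES:
        src_ok = (r.src == "bastion" and src == BASTION) or r.src == src_seg
        if src_ok and r.dst == dst_seg and (r.port is None or r.port == port):
            return r.action
    return "deny"

def audit_management(hosts, port: int = 22):
    """Hosts from the list that the policy lets reach the management segment."""
    target = str(SEGMENTS["management"][10])  # any address inside mgmt will do
    return sorted(h for h in hosts if evaluate(h, target, port) == "allow")
```

Running `audit_management` over an inventory of hosts is a quick way to confirm that only the bastion host can reach the management segment, which is the property the jump box design is meant to enforce.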
