In the part of the Security+ series we are going to dive into design best practices. You may be already familiar with some of terms from previous posts therefore we are going to build on top of those. The exam version SY0-401 also touches cloud computing concepts, so made sure to include those as well.
A Demilitarized Zone has origins in military and describes a neutral area for both fighting parties. The same concept is used in computer networking, where this area holds services that are accessible, both from the Internet as well as Intranet. You can further divide DMZ into sub-DMZs for example, a Web Proxy Appliance can be in one zone, and your e-commerce servers can be in different zone. Each zone can have its own policies. DMZs are typically connected to firewall which enforce these policies. Inside a DMZ you can use other security technologies for further isolation, for example Private VLANs.
Subnetting is easy like Jackson Five’s ABC. Definitely one of the favorite topics in CCNA Routing and Switching or Compia’s Network+. What subnetting does, is it breaks a large chunks of address block into smaller more manageable pieces. For example you could use a private address space 10.0.0.0/8 for your company and start to divide that into subnets, one block would be used for data center (a.k.a Willy Wonka’s data factory) would receive 10.0.0.0/16, your regions would get 10.1.0.0/17 and 10.1.128.0/17 and so forth. The key here is to plan ahead, otherwise you will have a mess in your IP address management – IPAM.
Virtual Area Networks have been around for many years, they are so obvious that no one really thinks about them as visualization technology, but in fact they are. VLAN is an equivalent of broadcast domain, it provides separation on L2. It became popular after we started to push a lot of different types of traffic onto our network. Therefore not only data traffic was riding on our switch links but also voice and video traffic. To be able to communicate between VLANs we need a L3 device, multilayer switch, router or even firewall will do well.
Concept of VLAN have been later extended to include a feature that would protect between users in same VLAN. The idea is useful for example in hotels, where all guests sit on same VLAN but you need to ensure that they cannot talk to each other directly. The extension is called Private VLAN.
We already briefly touched NAT in previous post. NAT was invented to slow down the depletion of IPv4 address space. Since IPv4 addresses are “only” 32 bit long, there is finite number hosts that can access the public Internet. The idea is that inside our organization, we would use a private address range, like 10.0.0.0/8 but when we would like to access resource on internet we would translate our source address into public one assigned by service provider. Since many organization have thousand hosts inside and just a few public IPs, we need to do port multiplexing or overloading. This feature is called Port Address Translation – PAT. NAT/PAT is also used when companies merge and they have overlapping address space.
Internet is fundamentally changing the way we communicate. One of the features that many companies use is remote access. The idea here is that an employee or partner connected to Internet would create a secure tunnel to our corporate network. All communication within this tunnel is encrypted. IPSec is one the famous protocol stack that is used for this purpose. It contain many different pieces for this to happen. There are however other emerging technologies that simplify configuration of tunnels, namely SSL/TLS VPN. We will dig deeper into this area later in series.
Since the time voice services joined data on same transport network, we also must take caution protecting this type of communication. Fundamentally, it is good idea to put IP phones in separate VLAN and harden it with protocols we mentioned previously. Optionally encryption can be used for voice barrier to prevent against eavesdropping. QoS is also essential to protect these little voice fellas in transit against DoS. On the other side of control plane, call processing servers, voice mail servers need the right level of security.
Network Admission Control is feature allows you to perform a security posture on hosts that is trying to access the network. For example it will only allow access if the OS security patches are current, malware protection is enabled, host intrusion prevention system is active, disk is encrypted and so on. If that is not true, it can moved client to remediation VLAN where it can receive all patches.
Oh boy, this is a BIG one on my list. Server virtualization fundamentally changed the way we utilize hardware resources. In past, we had a model where one business app would ride on an OS and this OS would be installed directly on physical machine. It was is cumbersome, slow process. Just think how much would you wait for hardware itself.
Virtualization introduce a new layer between hardware and operating system. This layer is referred as hypervisor. Hypervisor can abstract physical resources underneath, therefore we can now run many Virtual Machines – VMs on single server. And that was just beginning, we can take pool of physical servers and cluster them, so if any of them fails we move workload somewhere else.
Image that you could do same with networking. Stay tuned for NSX series, you will love it.
The and the winner of 2013/2014 buzzword is… Cloud Computing. This is one of most abused term out there. What marketing departments did with it is beyond imagination.
To bring same value to this term back, cloud is not really new, it has been around for many years, just nobody called it that way. Essentially a cloud is a resource that located somewhere else. So even Willy Wonka’s traditional data factory can be a cloud with some additional services such as Pay As You, or utility based computing – same model as electric energy, water or gas has today.
A Software as a Service term was born when companies such as Google, Amazon, and Microsoft start to offer traditional software as a…service. You got it! The main point is, that you do not own or maintain hardware, operating systems that these run on, you just use the app. Examples include Office 365, SalesForce, Gmail, even WordPress is a SaaS.
This one made me laugh, as you can offer almost anything as a service. So a Monitoring as a Service was born. For example, Cisco offers a cloud wireless solution called Meraki. They will ship you a bunch of lightweight access points and they will be managed from controller sitting in their data center.
Moving one layer below SaaS, you find Platform as a Service. In this model, provider provides you with hardware and operating system and perhaps a development environment. Out there in the wild some known PaaS providers are Google App Engine, Amazon Elastic Beanstalk, Microsoft Azure, HP Cloud. The number is growing.
Infrastructure as a Service moves another layer below. The provider will provide hardware and hypervisor. It is up to you to build and spin virtual machines on top them. This is very extendable, you can use predefined virtual machines from market, or you can build an application blueprints and create entire application stacks very quickly. One such example include Sharepoint Reference Architecture. The list of providers include major names players – Google, Amazon, Microsoft, Vmware, HP, Rackspace and many more.
Depending on implementation and ownership you can choose between various cloud models
- Private – built in house, you manage hardware, hypervisor, os and applications
- Public – resources rented from cloud provider, responsibilities depending on type (SaaS, PaaS, IaaS)
- Hybrid – a combination of two above
- Community – multiple internal customers using same platform, for example government agencies
Defense in Depth
Defense in depth is concept where you implement security mechanisms at multiple places. Starting at user level with training, moving to host security, switch security, firewall security and so one. This approach decreases the likelihood of being compromised.
And with that my friends we are at the end of this part of series. I hope you enjoyed it and learned something new. See you in next part which will spin around Protocols and Ports.