Network Architecture

Security Zones / Topologies

  • Each zone on a network is separated based on organizational role or level of security.
  • For example:
    • Secure Zone - These are the most sensitive systems, with mission-critical data.
    • General Work Zone - These are standard workstations and servers, with typical business data and functionality.
    • Low Security Zone - These are computers, network segments, and systems that have no highly sensitive information, and the breach of these systems would have minimal impact.
  • Types:
    • DMZ - Demilitarized Zones
      • A network segment located between the protected (internal) and unprotected (public) networks.
      • Provides a buffer zone / defense-in-depth.
      • Usually set up using firewalls.
      • Contains hardened systems that must be reachable from both the public and internal networks, e.g.:
        • email
        • web
        • DNS servers
    • Extranet
      • A private network that uses Internet tech and the public telecom system to securely share part of a business's info or operations with suppliers, vendors, partners, customers, or other businesses.
    • Intranet
      • Websites or apps that are only accessible within the org's network.
    • Wireless Segmentation
      • Separating wireless access on an internal network.
      • Creating a buffer between wireless and wired networks.
      • Separating guest wireless access from internal networks.
      • Controlled by 802.1X - port-based network access control.
      • MAC filtering - restricting access based on the device's NIC address (MAC).
    • Guest

Security Device Placement

  • Where should security devices be on a corporate network?
    • Firewalls / UTM (border)
    • IDS / IPS (border or internal segments)
    • VPN
    • Proxies (external)
    • Load Balancers
    • SIEM - log collection / correlation
    • DDoS Mitigation (Border Router)

Firewalls, Proxies, IDS/IPS, UTM

  • Firewall Functions:
    • Packet Filter
    • Proxy Firewall
    • Stateful Packet Inspection
  • Dual-Homed Firewall - 2 NICs
    • Has two network interfaces:
      • One connects to the public network.
      • One connects to the private network.
    • The forwarding and routing function should be disabled on the firewall to ensure network segregation.
  • NAT - Network Address Translation
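As an added example (not part of the original notes), this Python model ties the DMZ zoning from the Security Zones section to the firewall functions listed above: a stateless packet filter judges each packet against a zone rule table, while stateful packet inspection remembers admitted flows so replies pass without a rule opening every high port. Zone names, ports and the rule table are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import NamedTuple
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"
# Allowed NEW flows as (src_zone, dst_zone, proto, dst_port). Assumed policy: the
# Internet reaches only the hardened DMZ services (web, mail, DNS) and no rule
# lets a DMZ host open a connection into the internal zone; all else is dropped.
RULES = {
    (INTERNET, DMZ, "tcp", 80), (INTERNET, DMZ, "tcp", 443),
    (INTERNET, DMZ, "tcp", 25), (INTERNET, DMZ, "udp", 53),
    (INTERNAL, DMZ, "tcp", 443), (INTERNAL, DMZ, "tcp", 25),
    (INTERNAL, INTERNET, "tcp", 443), (DMZ, INTERNET, "udp", 53),
}

class Packet(NamedTuple):
    src_zone: str
    src_port: int
    dst_zone: str
    dst_port: int
    proto: str
    def reverse(self) -> "Packet":  # the reply direction of this packet's flow
        return Packet(self.dst_zone, self.dst_port, self.src_zone, self.src_port, self.proto)

def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: judges each packet alone, so a reply to an ephemeral port has no rule."""
    return (pkt.src_zone, pkt.dst_zone, pkt.proto, pkt.dst_port) in RULES

@dataclass
class StatefulFirewall:
    """Stateful packet inspection: remembers admitted flows, so replies pass by
    connection state instead of a rule that opens every high port."""
    table: set = field(default_factory=set)
    def decide(self, pkt: Packet) -> str:
        if pkt in self.table or pkt.reverse() in self.table:
            return "allow (established)"
        if stateless_filter(pkt):
            self.table.add(pkt)
            return "allow (new)"
        return "drop"  # default deny between zones

def demo() -> dict:
    """HTTPS request from the Internet to the DMZ web server, its reply, and a DMZ
    host trying to reach an internal file share (stopped by the buffer zone)."""
    fw = StatefulFirewall()
    request = Packet(INTERNET, 51234, DMZ, 443, "tcp")
    return {
        "request": fw.decide(request),
        "reply_stateful": fw.decide(request.reverse()),
        "reply_stateless": stateless_filter(request.reverse()),
        "dmz_to_internal": fw.decide(Packet(DMZ, 40000, INTERNAL, 445, "tcp")),
    }
```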

Segregation, Segmentation, & Isolation

  • Dividing a network into zones based on business or security needs.
  • Example: Accounting on a different network segment from manufacturing.
  • Logical (VLAN)
    • A network of computers that behave as if they are connected to the same wire even though they may actually be physically located on different segments of a LAN.
  • Virtualization
    • Virtualized servers and workstations - easier to separate.
    • You should not allow internet browsing on a virtualization host.
      • This can present possible security breaches through the introduction of spyware or malware.
  • Air Gaps
    • Physical separation.

VPN / Tunneling

  • A private network connection through an unsecured, public network.
  • Used to connect LANs.
  • Remote devices appear as if they are local.
  • Methods:
    • Site-to-Site - Connect LANs across the internet.
    • Remote Access - Connect users or devices to a corporate network.
    • Remote Access Server (RAS)

SDN - Software Defined Network

  • The entire network is virtualized.
  • Allows for easier network segmentation.
  • Allows admins to place virtualized security devices anywhere.
  • The SDN architecture is:
    • Directly Programmable
    • Agile
    • Centrally Managed
    • Programmatically Configured
    • Open Standards-Based and Vendor-Neutral

Honeypots / Honeynets

  • Use:
    • Systems or networks exposed to capture malicious activity.
    • Gather investigation evidence.
    • Study attack strategies.
  • Separated from any business network.

Fibre Channel

  • A high-speed network technology used to connect servers to a storage area network (SAN).
  • It provides high-performance disk storage for applications on many corporate networks.
  • Supports data backup and replication.
  • Topology:
    • Point-to-Point
    • Fibre Channel Arbitrated Loop
    • Switched Fabric Topology