3.3 Secure Network Design
Load Balancing
Distributes the load coming from users across several servers. This is invisible to the users: if one of the servers fails, all requests destined for the failed server are redirected to an available server, and users do not notice this redirection.
Here you can see the capabilities of a load balancer:

Round-robin = each server gets the same amount of load from the users - each server is selected in turn
Affinity = uses a client’s IP address to keep track of them throughout their session in order to continue sending them to the same server even with subsequent requests
Weighted round-robin = prioritize the servers by giving each one a weight, so higher-weight servers receive a larger share of the load
Dynamic round-robin = monitor the server load and distribute to the server with the lowest load
Active/Passive load balancing = some servers are active and some are on standby. If one of the active servers goes down, a standby server becomes active and responds to requests
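The selection strategies listed above, written out as an added example (not code from the original notes). Server names, weights and client IPs are constructed for the example; a server that fails its health check is dropped from rotation so clients are redirected without noticing.

```python
class LoadBalancer:
    """Selection strategies from the notes above: round-robin, weighted and
    dynamic round-robin, and IP affinity, with failed servers skipped."""
    def __init__(self, servers, weights=None):
        self.servers = list(servers)                  # e.g. ["web1", "web2", "web3"]
        self.weights = weights or {s: 1 for s in self.servers}
        self.healthy = set(self.servers)              # servers passing health checks
        self.load = {s: 0 for s in self.servers}      # active connections per server
        self.sessions = {}                            # client IP -> server (affinity)
        self._rr_index = 0

    def mark_failed(self, server):
        # Health check failed: drop it from rotation and forget its sticky sessions,
        # so affected clients are silently redirected to a working server.
        self.healthy.discard(server)
        self.sessions = {ip: s for ip, s in self.sessions.items() if s != server}

    def _candidates(self):
        cands = [s for s in self.servers if s in self.healthy]
        if not cands:
            raise RuntimeError("no healthy servers available")
        return cands

    def round_robin(self):
        # Each healthy server is selected in turn: an equal share of the load
        cands = self._candidates()
        server = cands[self._rr_index % len(cands)]
        self._rr_index += 1
        return server

    def weighted_round_robin(self):
        # Repeat each server by its weight: weight 3 is chosen 3x as often as weight 1
        cands = [s for s in self._candidates() for _ in range(self.weights[s])]
        server = cands[self._rr_index % len(cands)]
        self._rr_index += 1
        return server

    def dynamic_round_robin(self):
        # Monitor the load and send the request to the least-loaded healthy server
        server = min(self._candidates(), key=lambda s: self.load[s])
        self.load[server] += 1
        return server

    def affinity(self, client_ip):
        # Sticky session: a client IP keeps hitting the server it was first given
        if client_ip not in self.sessions:
            self.sessions[client_ip] = self.round_robin()
        return self.sessions[client_ip]
```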
Network Segmentation
Separating the network into physical, logical, or virtual segments, e.g. a separate segment for databases so that users cannot talk directly to those servers - usually done for security purposes
VLAN - separates the network logically instead of physically
DMZ (screened subnet) - this is for incoming Internet traffic, where we put our Internet-facing applications in the infrastructure; sensitive servers won't be placed here
Extranet - a separate network, other than the private one, built for vendors/suppliers; it is like a private network for partners
Intranet - this is the private network, only accessible internally
Zero trust - you trust nothing in your network; with zero trust you consider all devices and systems untrusted, and everything must be verified with MFA, encryption, system permissions, and additional firewalls
Virtual Private Networks
Concentrator = encrypts/decrypts outgoing and incoming data and uses security protocols to create safe tunnels - secure remote access over the public Internet or untrusted networks via a secure tunnel
Full tunnel = everything from the end-user is sent to the concentrator; the concentrator decides where the data goes within the network
Split tunnel = some traffic goes through the tunnel and some does not; this is for communicating with servers that are not in the private network
Port Security
control and protect specific data types
limit overall traffic
watch for unusual or unwanted traffic
Broadcast = sent from one device to multiple devices
Broadcast storm control - the switch can control and limit the number of broadcasts per second
STP (spanning tree protocol) - common way to control loops
Secure Networking
DNSSEC - ability to confirm the DNS response: origin authentication and data integrity - DNS records are signed by a trusted third party
DNS sinkhole address = if a user visits a known malicious server, the DNS server redirects the users to a sinkhole address which is trusted and safe
QoS (quality of service) = prioritize traffic performance, e.g. VoIP has priority over web browsing - prioritize by maximum bandwidth, traffic rate, or VLAN - describes the process of controlling traffic flows
FIM (file integrity monitoring) = monitor important OS and application files and identify whether they have changed - Windows: SFC (system file checker) - Linux: tripwire
Firewalls
Network-based firewalls - filter traffic by port number or application
Stateless firewall - doesn't keep track of traffic flows; each packet is individually examined
Stateful firewall - the firewall keeps the state of the session
UTM (unified threat management) - url filter/content inspection/malware inspection/spam filter/VPN endpoint
NGFW = application layer gateway, adds the most latency - every packet needs to be analyzed and categorized before security decisions are made
WAF (web application firewall) = applies rules to HTTP/HTTPS communications, allows or denies based on expected input; requests with unexpected input are blocked
Access Control Lists (ACLs) = allow or disallow traffic based on tuples - a list of rules which decide whether to allow or disallow traffic based on source/destination IP, port number, time of day, and application
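An ACL evaluated over the tuple fields named above (source/destination IP, destination port, time of day), as an added example that is not part of the original notes. The rules and addresses are constructed for the example; rules are checked in order, the first match wins, and anything unmatched is implicitly denied, which is how most firewall ACLs behave.

```python
import ipaddress
from datetime import time

# Each rule: (action, source CIDR, destination CIDR, destination port, allowed window)
# "any" matches every value; a window of None means the rule applies around the clock.
# Constructed sample policy (not from the original notes).
ACL = [
    ("deny",  "10.0.50.0/24", "any",             "any", None),                       # quarantine VLAN
    ("allow", "10.0.0.0/8",   "192.168.1.10/32", 443,   (time(7, 0), time(19, 0))),  # office hours only
    ("allow", "10.0.0.0/8",   "192.168.1.20/32", 22,    None),                       # jump server, 24x7
]

def _ip_match(pattern, ip):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

def _port_match(pattern, port):
    return pattern == "any" or pattern == port

def _time_match(window, now):
    # Assumes the window starts and ends on the same day (no wrap past midnight)
    return window is None or window[0] <= now <= window[1]

def evaluate(acl, src_ip, dst_ip, dst_port, now):
    """Return (action, index of the matching rule). First match wins;
    no match falls through to an implicit deny with index None."""
    for i, (action, src, dst, port, window) in enumerate(acl):
        if (_ip_match(src, src_ip) and _ip_match(dst, dst_ip)
                and _port_match(port, dst_port) and _time_match(window, now)):
            return action, i
    return "deny", None
```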
Network Access Controls
Posture assessment - BYOD - malware infections/missing anti-malware software on personal devices - before connecting to the network, a health check needs to be performed that asks these questions:
- is it a trusted device?
- is it running anti-virus software?
- are the corporate applications installed?
Proxies
Sits between the user and the external network; receives the user's requests and sends them on the user's behalf - useful for caching information, access control, URL filtering, and content scanning - most proxies are application proxies
Forward proxy = protects and controls users' access to the Internet (internal proxy) - located inside the internal network, checks the requests being made to the Internet
Reverse proxy = hosts from the Internet hit the proxy to gain access to internal services in the internal network - the proxy examines the requests from external users
Intrusion Prevention
Detection - alarm or alert
Prevention - stop it before it gets into the network
Passive monitoring - examines a copy of the traffic; there is no way to block traffic
Out-of-band response - when malicious traffic is identified, the IPS sends TCP RST frames
Inline monitoring - the IDS/IPS physically sits in between and can analyze all traffic
Identification technologies:
Signature-based = look for malware matches
Anomaly-based = build a baseline of what is normal
Behavior-based = observe and report the behavior
Heuristics = use AI to identify
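Two of the identification technologies above side by side, as an added example that is not from the original notes: a signature match looks for known patterns in a payload, while an anomaly detector first learns a baseline and then flags samples that deviate from it. The signature strings and request-rate samples are constructed for the example.

```python
import statistics

# Signature-based: known-bad byte patterns. Constructed sample set for the example.
SIGNATURES = {
    "dir-traversal": b"../../etc/passwd",
    "sql-union": b"UNION SELECT",
}

def signature_match(payload):
    """Return the names of every signature found in the payload (empty list if none)."""
    return [name for name, sig in SIGNATURES.items() if sig in payload]

class AnomalyDetector:
    """Anomaly-based: learn a baseline (mean and standard deviation) of a metric
    such as requests per minute, then flag samples more than k deviations away."""
    def __init__(self, k=3.0):
        self.k = k
        self.mean = None
        self.stdev = None

    def train(self, samples):
        # Baseline period: samples are assumed to represent normal traffic
        self.mean = statistics.mean(samples)
        self.stdev = statistics.pstdev(samples) or 1.0   # avoid divide-by-zero on flat data
        return self.mean, self.stdev

    def is_anomalous(self, value):
        if self.mean is None:
            raise RuntimeError("baseline not trained yet")
        return abs(value - self.mean) / self.stdev > self.k
```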
Other Network Appliances
Jump server = provides an access mechanism to a secure/protected network - SSH/tunnel/VPN connection to connect to the jump server - a compromise of the jump server is a significant breach
HSM (hardware security module) = manages a large number of keys and certificates - used in large environments, clusters - high-end cryptographic devices: key backup, secured storage