Infrastructure Security


Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
>> This is Domain 7, Infrastructure Security. We've talked about resource pooling being one of the key aspects of Cloud. Virtualization is what allows the common pools of physical resources to be allocated to logical Cloud resources. When you have multiple tenants sharing the same physical resource pools, the Cloud provider needs to design things in a way that tenants can isolate themselves within those pools. This module will focus on how the Cloud provider organizes things to support tenant isolation. It will talk about how the tenant needs to organize their virtual workloads to keep themselves secure, both from other tenants, but more importantly from the various threats roaming the general Internet.

In this module, we're going to cover Cloud Network Virtualization, Cloud Network Security, and Cloud Compute and Workload Security. In the remainder of this video, we will gain a perspective on where in the stack this infrastructure security sits. We'll talk about common designs for the underlying Cloud networks, and we will review the OSI model of traditional networking.

It's the pooling of the physical resources that builds the Cloud. This is at the very bottom of that pyramid: the raw physical and logical compute, networks, and storage used by Cloud providers to create the resource pools that the Cloud customers then use. Securing the physical is a discipline of its own. We are talking about creating man trap doorways, guard dogs, camera systems, and so on. We won't be getting into this. But if you ever want some entertainment, go to YouTube and search for videos of semi-trucks testing vehicle barriers. You will see some serious metal carnage, and there's no way someone's going to blow through one of those to get into your datacenter.

Since our focus is Cloud, it's much more virtual, still more abstract, and we're going to place our emphasis on securing those resources. This is the virtual infrastructure managed by a Cloud user. It is a result of what the Cloud user creates in the management plane. These are the virtual networks, the virtual machines, virtual storage, and the many other virtual devices. On the right-hand side is the logical stack that you've seen many times over. Domain 7, the infrastructure security domain, focuses on the infrastructure layer of that stack. This shouldn't be much of a surprise, but it's really worth burying this logical stack into your mind, since you will definitely get questions about this stack in the exam.

Cloud providers use some form of virtual networking to abstract the physical network and network resource pools. Standard network designs won't allow the Cloud provider to keep multiple tenants secure and empower them to define their own virtual networks. Physical segregation of the networks used in the Cloud is important for operational and security reasons. Specific providers are going to have differences in the way they design these, especially the very large-scale providers. But there is generally a common theme. The overall Cloud network often consists of three separate networks. These are separated at the physical layer, meaning separate network cables, separate router devices, and so forth.

Starting at the bottom, we have the service network. This is for communication between virtual machines and the Internet, and it's the basis for the network resource pool. Then we have the storage networks. These connect data storage to the virtual machines, to the compute. That would include large-scale storage devices, as well as the logical hard drives associated with the virtual machines. Finally, we have the management network. This is what hosts that management plane and sends control to all the nodes. In Domain 6, we spent a good amount of effort talking about the management plane and how you really want to secure that. Well, putting the servers themselves that host that management plane on their own network is a great way to create a strong perimeter around the management plane, for the provider to give that level of security and fulfill their portion of the responsibilities. There are a lot of other ways to architect a Cloud environment. But again, this is a common baseline often used in private Cloud, where they don't quite have the same level of complexity and the need to deal with scale to such an extensive amount as the large public Cloud providers do.

The Open Systems Interconnection reference model is very commonly used when talking about network traffic. This is the OSI model. You won't be directly tested on this in the CCSK, but since we're going to be talking about Software Defined Networks, it's very important you have a grasp of this, as they may make reference to the layers by numbers. For example, we just talked about the three networks within a Cloud provider, and these were physically separated. In other words, I could say these are separated at Layer 1, which is the physical layer that the media itself resides on and the information flows through. For example, this includes fiber optic cable, coaxial cable, even radio waves floating through the air, which is what we call Wi-Fi or wireless.

Taking a moment to walk up the OSI layers, we have Layer 2. This is where low-level frames are created. The physical addressing, it's the Ethernet, it's where your switches work, your bridges. Moving up to Layer 3, we have the networking layer. This is where the packets exist, where the logical network topology is determined, and how routing of those packets across the logical topology is set up. It's often referred to as the IP layer. Moving up one, we have the transport layer, Layer 4. This layer helps ensure end-to-end connections and brings some reliability. You could have TCP, where they ensure no packets get lost, and it has a protocol to have packets resent if they get lost. Or you can be using UDP, which is going to be a lot faster, but you're not going to have the same level of reliability in the packet transmissions. Moving up another layer, we have Layer 5, which is the session layer. This is the interhost communication; we're talking about APIs and sockets. Continuing up, we have the presentation layer, so data formatting and encryption. This is your SSL, your SSH, IMAP for emails, or FTP for file transfers. Then finally, we have the application layer. These are the network services, the top portion of the protocols. HTTP, SSH, and DNS are very common protocols of this layer.

While this won't be directly tested on the CCSK exam, it's good to have a feeling of how these layers work and how they logically intercorrelate. A lot of times Layers 1 and 2 are talked about together, 3 and 4 work together, and then 5, 6, and 7 are often put into a similar bucket in discussions. If you ever want a mnemonic to memorize the OSI model, the one that I personally like, and there's a lot of them out there, but one that I've found has stuck with me is "Programmers do not throw sausage pizza away." Programmers do not throw sausage pizza away. Please keep that one in mind. If you're ever stuck, you can just write that down on a piece of paper and impress all your friends by knowing the OSI model.

In this video, we started out looking at infrastructure security and where it fits into the grander context of Cloud. We talked about common designs for the underlying Cloud networks themselves. Then we did a review of the OSI model. We will be building on this in the next video, and I look forward to seeing you there.