Network Security Architecture Part 2

Time: 8 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
Continuing on with network security architecture Part 2. The learning objectives for this lesson are to show how network segmentation improves security, to explain deperimeterization and how it relates to zero trust, and to demonstrate the use of Software Defined Networks in secure architecture. Let's get started.

Network segmentation.

Network segmentation simply means breaking a network up into smaller parts. But for security, the reason we might want to do this is that some parts of our network may contain data that we don't necessarily want everyone on the network having access to. So for example, a corporation's HR department may need to be on its own separate segment of the network so that it's separated from everyone else. Another reason for security that you might want to segment your network is that if one part of the network became compromised, it wouldn't bring down the rest of the network.

We can accomplish this through a variety of technologies. The first is subnetting, simply breaking the network into smaller pieces. The next is virtual LANs or VLANs. These are software-defined and they're usually performed by your managed network switches. This allows for one device to separate your network traffic. We can also use a screened subnet. This is placing two firewalls on either side of the DMZ. The firewall that faces the outside is known as a screening firewall and the one that faces the inside is known as a choke firewall.

We can also use environments to help us segment our network. A staging environment is where we create an exact duplicate of our production environment for the purposes of testing new software, security patches, hardware, or setting changes that we might want to use before pushing them out to our production environment. We could also use a guest environment, which is an isolated network, completely removed from our production network, to allow guest access.

We can use access control lists to help us with segmentation. An access control list simply allows data to flow or to be denied based on the rules that are set up in the control list itself. In networking, this is usually handled by switches and routers, which may or may not allow access to data based on their own individual ACLs.

We can also use a jump box to help us segment our network. A jump box is a hardened and monitored system that is used to perform administrative functions. The reason this is a really smart thing to do is that in larger environments you may have many devices that need to be configured, such as firewalls, switches, and routers, and you don't want to perform those from your own workstation, the one that you're checking email on or browsing the web or that sort of thing. A jump box is one that you would log into remotely, perform all the functions from there, and then when you're done, you come back to your regular workstation. What this does is it allows one device to have all the credentials, rather than having them on a workstation that has a higher chance of being compromised.

We can also air gap, which is when we physically remove and disconnect a host from any network. If it's not connected to a network, it's a lot harder to get to.

We also have a peer-to-peer environment. These are decentralized networks that provide services only when you're connected to them. An example of that today would be the Tor network, but if you're old school like me, you might remember Napster.
Cloud-based network segmentation.

The first thing we can use is micro-segmentation, which is isolating workloads from each other, and then we protect those workloads individually. We can use virtual private Clouds or virtual networks. This allows for creating Cloud resources within a private network. The last part is NACLs, pronounced "nackles", but it stands for network access control lists. These are used to control inbound and outbound traffic between VPCs. Think of these as just simply ACLs for your Cloud segmentation. We can also use security groups. It's a virtual firewall that limits inbound and outbound traffic to a particular Cloud instance. Regions are the physical location of our data centers in a globally distributed Cloud.

With Cloud-based network segmentation, we have data zones. A data zone simply describes the state and the location of the data and how to isolate and protect it. The first is our raw zone. This is where data is collected from multiple sources. Then we go to our structured or curated zone. In this zone, the data that was collected in the raw zone is checked for quality and then it's reformatted for users to make use of later. Then we have our analytical zone, and this zone is where the data is ready to be used by the different users for their particular purposes, such as reporting.
Software defined networking.

The first thing you have to understand with software defined networking is what a plane is. Well, a plane is just an abstract model that was created to help us understand software defined networking, and in SDN we have three different planes. The first plane is our control plane. The control plane decides on the traffic priority and its security and where the data should be switched. The data plane is the one that handles the actual switching of the data and routing of traffic, but it also controls ACLs. Finally, we have our management plane, which monitors traffic and conditions of the overall network. Think of this as making sure everything is working well together.

We have three different approaches to SDN. The first is open SDN, which makes use of open source and open standards so that we're not locked into one particular vendor. We can also make use of a hybrid SDN, which uses SDN along with traditional networks, and they work together. Finally, we have our SDN overlay. This uses our existing hardware with the software, and it allows us to create and manage new virtual networks. The overlay is what's responsible for moving data across physical network infrastructure, but the SDN is the one managing it all. The network hardware is moving the data, but it is controlled by the SDN. No longer are the switches or routers in control; the software is the one moving everything around, or controlling the moving.
Deperimeterization.

Up until recently, you could think of our networks as a castle. Castles have high walls. They have towers to watch over everything. They have gates to control access so that you can know who's coming in and who's going out. This is how our networks were. We had firewalls, intrusion detection systems, and we were very focused on users and assets. However, the world is changing, and with that change and that access to data, we've had to come up with a new system. Some of the trends that are helping push us towards that are remote work, mobile usage, and Cloud adoption. With mobile usage, now we have devices that are outside of our network that need access to our data at all times, and with Cloud adoption, it's a similar thing where our data is no longer behind our closed walls or castle walls; it is now on a server somewhere else. Our data being scattered across the world, and then also having need of it 24/7, has changed our approach to controlling access to our data, and that leads us to zero trust.

You can think of zero trust as never trust, always verify, and always assume breach. Every connection and request is individually evaluated and then validated. It focuses on resources rather than users and assets, and if you'd like to read more about zero trust, you can read the NIST special publication 800-207: Zero Trust Architecture.
Network Integration.

There are a lot of different things that impact how our networks are integrated together. So for example, with peering, we're connecting virtual private Clouds together with a VPC peering connection, but we also have mergers and acquisitions to think about: when a company buys out another one or merges with another one, we have to find a way to integrate those networks together. We also have directory services. This is similar to a database that contains attributes for users, security groups, and devices for the purposes of privilege management. Active Directory from Microsoft is a directory service. We also have federation. This is simply trusting the accounts created and managed by another organization.

Identity providers and attestation.

This is a four-step process. I'm going to break it down to make it in its most basic form. If a user wants to access a service or data at a service provider, they will be redirected to an identity provider. The user authenticates with the identity provider and they will receive an attestation of identity. This is usually in the form of a token. The user then takes that token or attestation and presents it back to the service provider, and then based on that token, the service provider will allow access to the user.
Let's summarize what we did. We discussed various ways we can segment networks, including Cloud networks. We discussed software-defined networks and their parts. We went over deperimeterization and how that is shifting us towards zero trust, and finally, we went over the different types of network integration.

Let's do some example questions.

Example 1. What type of device would be described as being a hardened and closely monitored system for performing administrative tasks? Jump box. We use these so we can configure routers, firewalls, and switches from a hardened system, rather than doing it from our own workstations.

Number 2. What type of environment is a mirror of the production environment and is used to test the changes to hardware and software before implementing those changes on the production network? Staging environment.

Example 3. What process is described as isolating the workloads themselves from each other and protecting them individually? Microsegmentation.

Finally, Question 4. What type of architecture considers everything to be external and follows the never trust, always verify, and assume breach? Zero trust architecture.

I hope this lesson was helpful to you, and I'll see you in the next one.