3.3 Secure Network Designs Flashcards
• Distribute the load
– Multiple servers
– Invisible to the end-user
• Large-scale implementations
– Web server farms, database farms
• Fault tolerance
– Server outages have no effect
– Very fast convergence
Balancing the load
• Configurable load
– Manage across servers
• TCP offload
– Protocol overhead
• SSL offload
– Encryption/Decryption
• Caching
– Fast response
• Prioritization
– QoS
• Content switching
– Application-centric balancing
Load balancer
• Round-robin
– Each server is selected in turn
• Weighted round-robin
– Prioritize the server use
• Dynamic round-robin
– Monitor the server load and distribute to the server with the lowest use
• Active/active load balancing
Scheduling
• Affinity
– A kinship, a likeness
• Many applications require communication to the same instance
– Each user is “stuck” to the same server
– Tracked through IP address or session IDs
– Source affinity / sticky session / session persistence
Affinity
• Some servers are active
– Others are on standby
• If an active server fails, the passive server takes its place
Active/passive load balancing
• Physical, logical, or virtual segmentation
– Devices, VLANs, virtual networks
• Performance
– High-bandwidth applications
• Security
– Users should not talk directly to database servers
– The only applications in the core are SQL and SSH
• Compliance
– Mandated segmentation (PCI compliance)
– Makes change control much easier
Segmenting the network
• Devices are physically separate
– Air gap between Switch A and Switch B
• Must be connected to provide communication
– Direct connect, or another switch or router
• Web servers in one rack
– Database servers on another
• Customer A on one switch, customer B on another
– No opportunity for mixing data
• Separate devices
– Multiple units, separate infrastructure
Physical segmentation
• Virtual Local Area Networks (VLANs)
– Separated logically instead of physically
– Cannot communicate between VLANs without a Layer 3 device / router
Logical segmentation with VLANs
• Previously known as the demilitarized zone (DMZ)
– An additional layer of security between the Internet and you
– Public access to public resources
Screened subnet
• A private network for partners
– Vendors, suppliers
• Usually requires additional authentication
– Only allow access to authorized users
Extranet
• Private network
– Only available internally
• Company announcements, important documents, other company business
– Employees only
• No external access
– Internal or VPN access only
Intranet
• Traffic flows within a data center
– Important to know where traffic starts and ends
• East-west
– Traffic between devices in the same data center
– Relatively fast response times
• North-south traffic
– Ingress/egress to an outside device
– A different security posture than east-west traffic
East-west traffic
• Many networks are relatively open on the inside
– Once you’re through the firewall, there are few security controls
• Zero trust is a holistic approach to network security
– Covers every device, every process, every person
• Everything must be verified
– Nothing is trusted
– Multifactor authentication, encryption, system permissions, additional firewalls, monitoring and analytics, etc.
Zero-trust
• Virtual Private Networks
– Encrypted (private) data traversing a public network
• Concentrator
– Encryption/decryption access device
– Often integrated into a firewall
• Many deployment options
– Specialized cryptographic hardware
– Software-based options available
• Used with client software
– Sometimes built into the OS
VPNs
• Uses common SSL/TLS protocol (tcp/443)
– (Almost) No firewall issues!
• No big VPN clients
– Usually remote access communication
• Authenticate users
– No requirement for digital certificates or shared passwords (like IPSec)
• Can be run from a browser or from a (usually light) VPN client
– Across many operating systems
SSL VPN (Secure Sockets Layer VPN)
• On-demand access from a remote device
– Software connects to a VPN concentrator
• Some software can be configured as always-on
Remote access VPN
• Layer 2 Tunneling Protocol
– Connecting sites over a layer 3 network as if they were connected at layer 2
• Commonly implemented with IPsec
– L2TP for the tunnel, IPsec for the encryption
– L2TP over IPsec (L2TP/IPsec)
L2TP
• Security for OSI Layer 3
– Authentication and encryption for every packet
• Confidentiality and integrity/anti-replay
– Encryption and packet signing
• Very standardized
– Common to use multi-vendor implementations
• Two core IPSec protocols
– Authentication Header (AH)
– Encapsulation Security Payload (ESP)
IPSec (Internet Protocol Security)
• Data integrity
• Origin authentication
• Replay attack protection
• Keyed-hash mechanism
• No confidentiality/encryption
• Hash of the packet and a shared key
– SHA-2 is common
– Adds the AH to the packet header
• This doesn’t provide encryption
– Provides data integrity (hash)
– Guarantees the data origin (authentication)
– Prevents replay attacks (sequence numbers)
AH (Authentication Header)
• Data confidentiality (encryption)
• Limited traffic flow confidentiality
• Data integrity
• Anti-replay protection
• Encrypts and authenticates the tunneled data
– Commonly uses SHA-2 for hash, AES for encryption
– Adds a header, a trailer, and an Integrity Check Value
• Combine with Authentication Header (AH) for integrity and authentication of the outer header
ESP (Encapsulating Security Payload)
• Combine the data integrity of AH with the confidentiality of ESP
• Tunnel mode is the most common
– Transport mode may not even be an option
IPsec Transport mode and Tunnel mode - AH and ESP
• Hypertext Markup Language version 5
– The language commonly used in web browsers
• Includes comprehensive API support
– Application Programming Interface
– Web cryptography API
• Create a VPN tunnel without a separate VPN application
– Nothing to install
• Use an HTML5 compliant browser
– Communicate directly to the VPN concentrator
HTML5 VPNs
• There’s a lot of security that happens at the physical switch interface
– Often the first and last point of transmission
• Control and protect
– Limit overall traffic
– Control specific traffic types
– Watch for unusual or unwanted traffic
• Different options are available
– Manage different security issues
Port security
• Send information to everyone at once
– One frame or packet, received by everyone
– Every device must examine the broadcast
• Limited scope
– The broadcast domain
• Routing updates, ARP requests
– Can add up quickly
• Malicious software or a bad NIC
– Not always normal traffic
• Not used in IPv6
– Focus on multicast
Broadcasts
• The switch can control broadcasts
– Limit the number of broadcasts per second
• Can often be used to control multicast and unknown unicast traffic
– Tight security posture
• Manage by specific values or by percentage
– Or the change over normal traffic patterns
Broadcast storm control
• Connect two switches to each other
– They’ll send traffic back and forth forever
– There’s no “counting” mechanism at the MAC layer
• This is an easy way to bring down a network
– And somewhat difficult to troubleshoot
– Relatively easy to resolve
• IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990)
– Created by Radia Perlman
– Used practically everywhere
Loop protection