How to Design a Secure Network
Architecture
For
sophisticated security, there are some standard design principles that must be
followed. Here are some of these principles:
Weak link security: On all systems there are some weak
links that are not paid much attention to. Let's take an example: Consider the
online site of a banking company. Some of the portal pages provide the most
commonly used and rudimentary services (eg account transfer, account summary,
etc.), but there are some pages (e.g. the policies / regulations page) that are
rarely visited, if at all. Even though the latter may seem unimportant to the
network architect and the user, it can still be a potential source of attack if
a hacker finds a route through the page to another page of significantly
greater importance. Developers often ignore these "weak links"
because they do not see them as carrying important information that may
interest the hacker, but these weak links have long been hackers' primary
targets, so they need to be protected.
Fail-safe implementation: Any system can fail in times of
chaos and failure is virtually inevitable. What a network architect needs to
ensure is that the network / system does not fail to open. Therefore, proper
fail-safe implementation is substantially important. John Viega says in his
book, Building Secure Software, “Any sufficiently complex system will have
failure modes. Failure is inevitable and must be planned. What is preventable
are fault-related safety issues. The problem is that when many systems fail, they
exhibit unsafe behavior. "
The Least Privilege Model: The Least Privilege Model dictates
that whenever you need to grant someone permission and / or access to perform some
actions on your resources, you must grant them as few privileges as possible.
Use cutting-edge cryptographic models
and techniques:
Encryption and other cryptographic techniques have become absolutely necessary
for modern networks and systems. A network engineer should always use standard
encryption techniques and also ensure periodic updates of all distributed keys
and certificates.
Run vulnerability tests: No network is as secure as it seems.
Be sure to run as many vulnerability tests as possible on your network before
you make it active, as you can. The smaller the number of vulnerabilities, the
greater your chances of developing a secure network architecture.
The OSI Model and the CISSP
The open
system interconnection (OSI) model provides a framework for protocol
implementation in the following seven layers:
(Note: The
OSI model is not tangible and is just a concept through which we can understand
how network communications occur)
Physical layer: This is the layer in which the bit
stream / radio signal / electric pulse is transmitted.
Data link layer: In the data link layer, packets are
encoded and decoded into bits.
Network layer: All switching and routing logic is
implemented at the network layer.
Transport Layer: End-to-end flow control and
information data integrity occur at the transport layer.
Session Layer: All session management tasks
(establishment, maintenance, and termination, etc.) occur here.
Presentation Layer: This layer converts data from
network format to application format (and vice versa) for presentation and transport
purposes.
Application tier: All end-user (and application)
processes occur at the application tier of the network.
The TCP/IP Model and the CISSP
Similar to
the OSI model, the TCP / IP model is another framework through which we can
explain (and build) our network protocols. It has the following four layers:
Network access layer: This is the first layer in the four
layer model. All details of how data will be sent over the physical network are
set here. The most commonly used protocols at the network access layer are
FDDI, Ethernet, Token Ring, Frame Relay, X.25, etc.
Internet layer: The responsibility of the Internet
layer is to group data into datagrams (data packets) that will be carried by
the network access layer. These datagrams contain the source and destination
addresses (can be IP addresses or logical recipients) that are used to forward
the datagrams between multiple hosts as well as legacy networks. The most
commonly used protocols in this layer
are: Internet Protocol (IP), Reverse Address Resolution Protocol (RARP),
Address Resolution Protocol (ARP), Internet Group Management Protocol (IGMP),
and ICMP (Internet Protocol). Control Message Message).
Transport Layer: Like the OSI model transport layer,
the TCP / IP model transport layer ensures data flow control and data integrity.
The most famous protocols used at the transport layer are TCP (Transmission
Control Protocol) and UDP (User Datagram Protocol).
Application tier: The application tier is responsible
for converting data received from the transport layer into a format presentable
to the end user. Some of the protocols worth mentioning at this level are:
Telnet, SSH, Domain Name System (DNS), Hypertext Transfer Protocol (HTTP), File
Transfer Protocol (FTP), Simple Network Management Protocol (SNMP) , Dynamic
Host Configuration Protocol (DHCP), X Windows, Remote Desktop Protocol (RDP),
Simple Mail Transfer Protocol (SMTP), and so on.
Some implications
While
multi-tier architectures allow protocol stacks to be deployed through different
combinations of protocols, network devices, and programming interfaces,
flexibility comes with a performance shift. Transitions between layers can lead
to increased time costs and programming efforts. Data storage and transfer
abstractions used at all layers also require data transformation at all layers.
All of these can lead to huge performance disadvantages, as seen by [Crowcroft
et al. 1992] [Clark 1982]. The DNP3 protocol also shares the same performance /
efficiency disadvantages.
UNDERSTANDING IP NETWORKING
To
communicate on an IP network, every device must have three different
information; that is, the subnet mask, broadcast address, and IP address. All
of these addresses are usually written as octets (for example, 198.41.11.151,
255.255.255.0, and 198.41.11.255).
All IP
addresses are made up of two parts; one is the network part, which lets routers
know which device group a packet should ideally visit, and the other is the
host part, which allows routers to know the specific device to which the packet
needs to be sent.
When
managing IP addresses, a network architect can assign a distinct identity to
each specific device. IP address classes can be viewed as:
Class
|
Network
Portion
|
Hosts
Allowed
|
A
|
From 1.0 to 127.0
|
Approx. 16 million
|
B
|
From 128.0 to 191.255
|
65,536
|
C
|
From 192.0 to 223.255.255
|
255
|
The Standard IP Subnet
Classes:
Classes
|
Subnet
Mask
|
A
|
255.0.0.0
|
B
|
255.255.0.0
|
C
|
255.255.255.0
|
Some Examples of Broadcast Addresses
are:
Class
|
Network
|
Subnet
Mask
|
Broadcast
|
A
|
45.0.0.0
|
255.0.0.0
|
45.255.255.255
|
B
|
128.138.0.0
|
255.255.0.0
|
128.138.255.255
|
C
|
198.41.9.0
|
255.255.255.0
|
198.41.9.255
|
A*
|
45.21.16.0
|
255.255.252.0
|
42.21.19.255
|
C*
|
198.41.9.64
|
255.255.255.224
|
198.41.9.95
|
Software Defined Networking and CISSP
Software
Defined Networking (SDN) is an emerging technology focused on replacing the
physical network infrastructure with a software-controlled network design. It's
dynamic, cost effective and adaptable, meaning it meets the high bandwidth
needs of modern applications with peace of mind.
The SDN
architecture is responsible for separating network control and routing
functions, allowing the architect to manually program network control and
abstract the underlying infrastructure for network services and applications.
Following are some of the features of an SDN architecture:
Agility: The ability to bypass routing
control allows administrators to dynamically adjust network-wide traffic and
meet changing needs.
Central Management: SDN controllers are responsible for
maintaining a global view of the entire network. This is apparent to policy
engines and applications as a concrete logical option.
The ability to be programmatically
configured: Probably
the best part of an SDN infrastructure is that it can be programmed. It allows
network managers to add configurations at will. This enables better management,
security and optimization of network resources via automated SDN code, which
programmers of course have the luxury of writing for themselves.
Directly programmable: All network control can be
programmed directly because, as already mentioned, it is kept segregated from
routing functions.
Vendor Neutrality: If you deploy an infrastructure
using open standards, SDN allows you to simplify network design and eventual
operation. This is because instructions are not blocked by the vendor but are
obtained from SDN controllers.
COVERAGED PROTOCOLS
The
converged protocol model promotes the transport and transmission of various
types of data / traffic (such as voice, data, video, images, etc.) in a single
converged network.
ETHERNET FIBER CHANNEL (FCoE):
FCoE, or
Fiber Channel over Ethernet, is a sophisticated storage protocol that allows
Fiber Channel communications to be performed directly over Ethernet. All Fiber
Channel traffic can be moved through the Ethernet infrastructure already in
place. More information about the protocol can be found here.
MULTI-PROTOCOL LABEL SWITCH (MPLS):
MPLS is a
technique by which the performance of telecommunications networks can be
enhanced using sophisticated data transport techniques. It directs data from
one node to the next, depending on short-path labels rather than heavy network
addresses. This avoids tedious routing table lookups. Labels can identify the
virtual link (path) between distant nodes instead of endpoints.
Voice over IP (VOIP):
As the name
implies, Voice over Internet Protocol (VOIP) is a technology that allows you to
make voice calls using an Internet connection (instead of a telephone line).
Some VoIP services may allow you to call only people who use the same service,
but others allow you to call anyone who can be reached by a telephone number
(including long distance calls and international numbers). VoIP works by
encapsulating audio in data packets through a codec, transmitting them over an
IP network, and decapsing them back to audio at the receiver end. Endpoints on
a VoIP network include softphone applications (running on computers),
WebRTC-enabled browsers, mobile devices, and VoIP phones.
FINAL WORD:
The security
and integrity of communications on a network can only be ensured if standard
network design principles are remembered by the engineer during the
configuration of the network infrastructure.
This article was originally published on ------- Read More
I have always been surrounded by a lot of amazing people. Thanks for being one of them.
ReplyDelete카지노사이트