Thursday 10 October 2019

How to Design a Secure Network Architecture




Secure network design rests on a few standard principles that have to be applied from the start, not retrofitted. Here are some of them:

Weak link security: Every system has weak links that receive little attention. Consider a bank's online portal. Some pages provide the most commonly used services (account transfers, account summaries and so on), while others, such as the policies and regulations page, are rarely visited, if at all. Although the latter may seem unimportant to the architect and to the user, they are still attack surface if an attacker finds a route through such a page to one of much greater importance. Developers tend to neglect these pages because they do not see them as carrying anything an attacker would want, yet neglected components are exactly what attackers look for first, so they need the same protection as everything else.

Fail-safe implementation: Any system can fail, and failure is virtually inevitable. What the network architect must ensure is that the network or system fails closed rather than open: when a component fails (a firewall, an authentication service, a policy store), the result should be denied access, not unrestricted access. John Viega and Gary McGraw put it this way in their book Building Secure Software: "Any sufficiently complex system will have failure modes. Failure is unavoidable and should be planned for. What is avoidable are security problems related to failure. The problem is that when many systems fail in any way, they exhibit insecure behavior."

The least privilege model: The least privilege model dictates that whenever you grant a person, process or device permission to perform some action on your resources, you grant only the privileges needed for that action, for only as long as they are needed. In a network this means explicit allow rules for the traffic a system actually requires and a default deny for everything else.

Use standard, current cryptographic techniques: Encryption and other cryptographic techniques are indispensable in modern networks and systems. A network engineer should use standard, well-reviewed algorithms and protocols rather than home-grown ones, and should ensure that all distributed keys and certificates are rotated and renewed on a schedule, with a tested revocation path for the day one of them is compromised.

Run vulnerability tests: No network is as secure as it looks on the diagram. Test it as thoroughly as you can before you put it into production, and treat every finding as a defect to be fixed, not a risk to be noted. The fewer vulnerabilities that reach production, the better your chances of ending up with a secure network architecture.
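The fail-safe, least-privilege and test-before-activation principles above can be combined in a small packet-filter policy evaluator. The following Python is an added example written for this article, not code from the original page: the policy format, the rule set and the addresses are constructed for illustration. It applies default deny (least privilege), treats a policy that fails to parse as an empty rule set so that a broken policy blocks everything instead of allowing everything (fail closed), and runs a list of expected decisions before the policy is activated.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample policy (not from the original article).
# First match wins; anything that matches no rule is denied.
SAMPLE_POLICY = """\
# action  src              dst               proto  dport
allow     10.0.0.0/24      198.41.9.0/24     tcp    443
allow     10.0.0.0/24      198.41.9.53/32    udp    53
deny      any              any               any    any
"""


@dataclass(frozen=True)
class Rule:
    action: str
    src: str            # CIDR; "any" is normalised to 0.0.0.0/0
    dst: str
    proto: str          # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port


def parse_policy(text: str) -> List[Rule]:
    """Parse the five-column format above. Raises ValueError on any malformed line."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        action, src, dst, proto, dport = fields
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: bad action {action!r}")
        if proto not in ("tcp", "udp", "any"):
            raise ValueError(f"line {lineno}: bad protocol {proto!r}")
        # strict=True rejects prefixes with host bits set (10.0.0.5/24), a common typo
        src = "0.0.0.0/0" if src == "any" else str(ip_network(src, strict=True))
        dst = "0.0.0.0/0" if dst == "any" else str(ip_network(dst, strict=True))
        port = None if dport == "any" else int(dport)
        if port is not None and not 0 <= port <= 65535:
            raise ValueError(f"line {lineno}: bad port {dport}")
        rules.append(Rule(action, src, dst, proto, port))
    return rules


def load_policy(text: str) -> List[Rule]:
    """Fail closed: a policy that does not parse becomes an empty rule set, and
    with default deny an empty rule set blocks all traffic instead of allowing it."""
    try:
        return parse_policy(text)
    except ValueError:
        return []


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Return "allow" or "deny" for one flow; first matching rule wins."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"  # default deny: nothing is reachable unless explicitly granted


def self_test(rules: List[Rule], cases) -> list:
    """Pre-activation check: return every case whose decision differs from expectation."""
    return [c for c in cases if evaluate(rules, *c[:4]) != c[4]]


# Constructed expectations the policy must satisfy before it goes live.
EXPECTED = [
    ("10.0.0.5", "198.41.9.11", "tcp", 443, "allow"),
    ("10.0.0.5", "198.41.9.11", "tcp", 445, "deny"),   # SMB was never granted
    ("10.0.0.5", "198.41.9.53", "udp", 53, "allow"),
    ("10.0.1.5", "198.41.9.11", "tcp", 443, "deny"),   # source outside the trusted subnet
]

if __name__ == "__main__":
    rules = load_policy(SAMPLE_POLICY)
    failures = self_test(rules, EXPECTED)
    print("policy OK" if not failures else f"FAILED: {failures}")
```

The interesting case is the malformed policy: `load_policy` returns no rules at all, and because `evaluate` denies by default, the outcome is an outage rather than an open network. Compare that with the fail-open alternative of falling back to a permit-all rule, which is the behaviour the fail-safe principle warns against.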

The OSI Model and the CISSP

The open system interconnection (OSI) model provides a framework for protocol implementation in the following seven layers:

(Note: The OSI model is not tangible and is just a concept through which we can understand how network communications occur)

Physical layer: This is the layer in which the bit stream / radio signal / electric pulse is transmitted.

Data link layer: In the data link layer, packets from the network layer are framed and encoded into bits for the physical layer, and received bits are decoded back into frames. Physical (MAC) addressing and frame error detection happen here; switches operate at this layer.

Network layer: Logical addressing and routing between networks (IP) are implemented at the network layer; routers operate here.

Transport layer: End-to-end delivery, flow control and data integrity (for example TCP's sequence numbers, acknowledgements and retransmission) occur at the transport layer.

Session Layer: All session management tasks (establishment, maintenance, and termination, etc.) occur here.

Presentation layer: This layer converts data between the network representation and the application representation (character encoding, compression and, in the OSI model, encryption) so that the application layer receives data it can use.

Application layer: The protocols that end-user applications use to communicate (HTTP, SMTP, DNS and so on) operate at the application layer.

The TCP/IP Model and the CISSP

Similar to the OSI model, the TCP/IP model is another framework through which we can explain (and build) network protocols. It has the following four layers:

Network access layer: The first of the four layers. The details of how data are sent over the physical network are handled here. Protocols at this layer include Ethernet, by far the most common today, and the legacy FDDI, Token Ring, Frame Relay and X.25.

Internet layer: The Internet layer packages data into datagrams (packets) to be carried by the network access layer. Each datagram carries the source and destination IP addresses that are used to forward it across multiple hosts and networks. The protocols at this layer are the Internet Protocol (IP), the Address Resolution Protocol (ARP), the Reverse Address Resolution Protocol (RARP), the Internet Group Management Protocol (IGMP) and the Internet Control Message Protocol (ICMP).

Transport layer: Like the OSI transport layer, the TCP/IP transport layer provides flow control and data integrity. The best-known protocols at this layer are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

Application layer: The application layer holds the protocols that applications use to exchange data over the transport layer. Protocols worth mentioning at this level include Telnet, SSH, the Domain Name System (DNS), the Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP), the Simple Network Management Protocol (SNMP), the Dynamic Host Configuration Protocol (DHCP), the X Window System, the Remote Desktop Protocol (RDP), the Simple Mail Transfer Protocol (SMTP) and so on. Note that Telnet, FTP and SNMP versions 1 and 2c carry credentials in cleartext; SSH, SFTP or FTPS, and SNMPv3 are their secure replacements.
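To make the layering concrete, here is an added Python example (not code from the original article) that decodes one Ethernet frame layer by layer: the network access layer (Ethernet II header), the internet layer (IPv4 header, including verification of the RFC 791 header checksum) and the transport layer (TCP header). The frame bytes are constructed for this example, not captured from a real network. Every length and offset field is checked before it is trusted, which is the part a parser exposed to hostile packets has to get right.

```python
import socket
import struct
from dataclasses import dataclass

# Constructed sample frame (not a real capture): Ethernet II carrying an IPv4
# packet that carries a TCP SYN from 192.168.1.10:49152 to 198.41.9.11:80.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                              # Ethernet: dst, src, type=IPv4
    "4500" "0028" "0001" "4000" "4006" "a9e8" "c0a8010a" "c629090b"   # IPv4: ver/IHL ... checksum, src, dst
    "c000" "0050" "00000001" "00000000" "5002" "ffff" "0000" "0000"   # TCP: ports, seq, ack, flags=SYN ...
)


@dataclass
class Decoded:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    protocol: int
    header_checksum_ok: bool
    src_port: int
    dst_port: int
    syn: bool
    ack: bool
    payload: bytes


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> Decoded:
    # Network access layer: Ethernet II header (14 bytes)
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")

    # Internet layer: IPv4 header. Validate version, IHL and total length
    # before using any of them as an offset.
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(ip):
        raise ValueError("bad IPv4 version or IHL")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len < ihl or total_len > len(ip):
        raise ValueError("IPv4 total length does not fit the frame")
    ttl, proto = ip[8], ip[9]
    checksum_ok = ipv4_checksum(ip[:ihl]) == 0
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if proto != 6:
        raise ValueError(f"not TCP: protocol {proto}")

    # Transport layer: TCP header. The TCP checksum covers a pseudo-header and
    # is not verified here; the data offset is validated like IHL above.
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    flags = off_flags & 0x1FF
    return Decoded(dst.hex(":"), src.hex(":"), src_ip, dst_ip, ttl, proto, checksum_ok,
                   sport, dport, bool(flags & 0x02), bool(flags & 0x10), tcp[data_off:])


if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))
```

Each layer strips its own header and hands the remainder up, which is the encapsulation the two models describe. The rejects (`ValueError`) are deliberate: a total length larger than the frame, or a data offset pointing past the end, is exactly how crafted packets push naive parsers into reading beyond the buffer.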

Some implications
While layered architectures allow protocol stacks to be built from different combinations of protocols, network devices and programming interfaces, that flexibility comes at a performance cost. Each transition between layers adds processing time and programming effort, and the data abstractions used at each layer require data to be transformed at each layer boundary. Together these can lead to significant performance disadvantages, as shown by [Crowcroft et al. 1992] and [Clark 1982]. The DNP3 protocol, which is also layered, shares the same performance and efficiency disadvantages.

UNDERSTANDING IP NETWORKING

To communicate on an IP network, every device must have three pieces of information: its IP address, its subnet mask and its broadcast address. All three are written in dotted-decimal notation as four octets (for example 198.41.11.151, 255.255.255.0 and 198.41.11.255).
Every IP address has two parts: the network part, which tells routers which network (group of devices) a packet belongs to, and the host part, which identifies the specific device on that network to which the packet must be delivered. The subnet mask marks where the split lies: bits set to 1 in the mask belong to the network part, bits set to 0 to the host part.
When managing IP addresses, a network architect assigns a distinct address to each device. In the original classful scheme the split was fixed by the first octet of the address:

Class   First octet    Network / host bits   Addresses per network (usable hosts)
A       0 to 127       8 / 24                16,777,216 (16,777,214)
B       128 to 191     16 / 16               65,536 (65,534)
C       192 to 223     24 / 8                256 (254)

Two addresses in every network cannot be assigned to hosts: the network address (host bits all 0) and the broadcast address (host bits all 1). In class A, network 0 and network 127 (loopback) are reserved. Classful addressing has been superseded by Classless Inter-Domain Routing (CIDR), in which the network/host split is given explicitly by the mask or prefix length (198.41.9.64/27) rather than by the first octet; the starred rows of the broadcast table below are examples.

The Standard (Default) IP Subnet Masks:

Class   Default subnet mask   Prefix length
A       255.0.0.0             /8
B       255.255.0.0           /16
C       255.255.255.0         /24

Some Examples of Broadcast Addresses:

Class   Network         Subnet mask        Broadcast
A       45.0.0.0        255.0.0.0          45.255.255.255
B       128.138.0.0     255.255.0.0        128.138.255.255
C       198.41.9.0      255.255.255.0      198.41.9.255
A*      45.21.16.0      255.255.252.0      45.21.19.255
C*      198.41.9.64     255.255.255.224    198.41.9.95

* Subnetted: a non-default mask (/22 and /27 respectively) is applied, so the broadcast address is determined by the mask, not by the class.
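The network/host split and the broadcast addresses in the tables above come from a few bit operations on the address and the mask. The following Python is an added example (not code from the original article) that performs them by hand, rejects malformed addresses and non-contiguous masks, and cross-checks each result against the standard library's ipaddress module; the addresses used are the ones from the tables plus the 198.41.11.151 example from the text.

```python
from ipaddress import ip_network


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 address to a 32-bit integer, rejecting anything malformed."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address {dotted!r}")
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n


def to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask: str) -> int:
    """Subnet mask to prefix length; a mask must be a run of ones followed by zeros."""
    m = to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask {mask!r}")
    return prefix


def address_class(addr: str) -> str:
    """Legacy classful designation, decided by the first octet alone."""
    first = to_int(addr) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D" if first < 240 else "E"


def subnet_info(addr: str, mask: str) -> dict:
    """Network, broadcast and usable-host count for addr/mask, computed with the
    bit operations behind the tables, then cross-checked against ipaddress."""
    prefix = mask_to_prefix(mask)
    a, m = to_int(addr), to_int(mask)
    network = a & m                           # network part: host bits cleared
    broadcast = network | (~m & 0xFFFFFFFF)   # host bits all set
    size = 1 << (32 - prefix)
    # network and broadcast addresses are reserved, except on /31 (RFC 3021) and /32
    usable = size - 2 if prefix <= 30 else size
    info = {
        "class": address_class(addr),
        "prefix": prefix,
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "usable_hosts": usable,
    }
    ref = ip_network(f"{addr}/{prefix}", strict=False)
    assert info["network"] == str(ref.network_address)
    assert info["broadcast"] == str(ref.broadcast_address)
    return info


def in_same_subnet(a: str, b: str, mask: str) -> bool:
    """True when a and b share the network part under mask, i.e. no router is needed."""
    m = to_int(mask)
    return (to_int(a) & m) == (to_int(b) & m)


if __name__ == "__main__":
    # The rows of the broadcast-address table plus the /24 example from the text
    for addr, mask in [("45.0.0.0", "255.0.0.0"), ("128.138.0.0", "255.255.0.0"),
                       ("198.41.9.0", "255.255.255.0"), ("45.21.16.0", "255.255.252.0"),
                       ("198.41.9.64", "255.255.255.224"), ("198.41.11.151", "255.255.255.0")]:
        print(addr, mask, subnet_info(addr, mask))
```

The mask check in `mask_to_prefix` matters in practice: a mask such as 255.255.0.255 is accepted by some older tools and produces a network that no router will agree with, so it should be refused at input time rather than discovered during an outage.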

Software Defined Networking and CISSP

Software-Defined Networking (SDN) is an approach to network design in which the control plane (the logic that decides how traffic is forwarded) is separated from the data plane (the switches and routers that actually forward packets) and centralised in software controllers. It is dynamic, cost-effective and adaptable, which suits the high-bandwidth and rapidly changing needs of modern applications.
The SDN architecture separates network control from forwarding, allowing the architect to program network control directly and to abstract the underlying infrastructure from the network services and applications that use it. Some of the features of an SDN architecture:

Agility: Decoupling control from forwarding lets administrators adjust network-wide traffic flows dynamically as needs change.

Central management: The SDN controller maintains a global view of the network, which appears to policy engines and applications as a single logical switch.

Programmatic configuration: An SDN can be programmed. Network managers add, change and validate configurations through the controller's interface, which enables better management, security and optimisation of network resources through automation instead of device-by-device manual changes.

Directly programmable: Network control is directly programmable because, as noted above, it is decoupled from the forwarding functions.

Vendor neutrality: Built on open standards, SDN simplifies network design and operation because forwarding instructions come from the SDN controller rather than from vendor-specific, device-specific configuration. This concentration of control also makes the controller and its management interfaces the most valuable target on the network; they must be isolated, authenticated and monitored accordingly.

CONVERGED PROTOCOLS

The converged protocol model carries several types of traffic (voice, data, video, storage and so on) over a single converged network instead of dedicated networks for each.

FIBRE CHANNEL OVER ETHERNET (FCoE):

FCoE, or Fibre Channel over Ethernet, is a storage protocol that encapsulates Fibre Channel frames directly in Ethernet frames, so that Fibre Channel storage traffic can be carried over the Ethernet infrastructure already in place. Because FCoE runs directly on Ethernet rather than over IP, it is not routable, and it should be confined to its own VLAN: storage traffic on a shared segment is exposed to every host on that segment.

MULTIPROTOCOL LABEL SWITCHING (MPLS):

MPLS is a technique for improving the performance of telecommunications networks. It forwards data from one node to the next based on short path labels rather than long network addresses, which avoids complex routing-table lookups at every hop. A label identifies a virtual link (path) between distant nodes rather than an endpoint. Note that labels provide traffic separation, not confidentiality: an MPLS VPN does not encrypt the traffic it carries.

VOICE OVER IP (VoIP):

As the name implies, Voice over Internet Protocol (VoIP) is a technology that allows voice calls to be made over an IP network instead of a dedicated telephone line. Some VoIP services only allow calls to other users of the same service, while others allow calls to anyone reachable by a telephone number, including long-distance and international numbers. VoIP works by encoding audio with a codec, encapsulating it in IP packets, transmitting the packets over the network and decoding them back into audio at the receiving end. Endpoints on a VoIP network include softphone applications running on computers, WebRTC-enabled browsers, mobile devices and dedicated VoIP phones. Unless signalling (for example SIP over TLS) and media (SRTP) are encrypted, calls can be intercepted like any other traffic on the network.

FINAL WORD:

The security and integrity of communications on a network can only be assured if the engineer applies these standard design principles while configuring the network infrastructure, and verifies them before the network goes into production.


