Of the many adjectives that a person can associate with modern network architecture, “secure” is probably the most important. With the ever-increasing sophistication of hackers and the continuous popping up of vulnerabilities in frameworks that were previously considered safe, it’s of paramount importance to pay great heed to the security of network architecture. Anything that’s connected to the Internet can (and will) be accessible to entities that have sinister intentions, and it’s the responsibility of the network architect to ensure that any data they do get their hands on is undecipherable (for them) and that it makes its way to the intended receiving party securely. The objective of this article is to list the standardized design principles that need to be followed in order to develop a secure network architecture design. The various protocol and architectural options available to network architects will also be shared.
HOW TO DESIGN A SECURE NETWORK ARCHITECTURE
In order to have sophisticated security, there are some standardized design principles that should be followed. Here are some of those principles:
The weakest link’s security: In every system, there are some weak links that aren’t paid much attention to. Let’s take an example: Consider a banking company’s online website. Some of the pages on the web portal provide the most rudimentary and most frequently used services (e.g., account transfer, account summary, etc.) but there are some pages (e.g., the policy/regulations page) that are rarely visited, if at all. Even though the latter might seem unimportant to the network architect and the user, they can be potential sources of attack if a hacker finds a route via the page to another page of significantly more importance. Developers often overlook such “weak links” because they don’t see them as carriers of important information that might interest the hacker, but these weak links have been prime targets for hackers for quite a long time now, so they need to be secured.
Failsafe implementation: Any system can fail at times of chaos and failure is virtually unavoidable. What a network architect needs to ensure is that the network/system does not fail open. Hence, adequate failsafe implementation is substantially important. John Viega says, in his book, Building Secure Software, “Any sufficiently complex system will have failure modes. Failure is unavoidable and should be planned for. What is avoidable are security problems related to failure. The problem is that when many systems fail in any way, they exhibit insecure behavior.”
The least privilege model: The least privilege model dictates that whenever you have to grant somebody permission and/or access to perform some actions on your resources, you should grant them the smallest set of privileges that still lets them complete the task.
Use state-of-the-art cryptographic models and techniques: Encryption and other cryptographic techniques have become absolutely necessary for modern-day networks and systems. A network engineer should always use the standardized encryption techniques and should also ensure periodic updating of all the distributed keys and certificates.
Run vulnerability tests: No network is as secure as it looks. Make sure that you run as many vulnerability tests on your network as you can before making it live. The fewer vulnerabilities that remain, the greater your chances of developing a secure network architecture.
More information and principles pertinent to a safe network architecture can be found here.
The OSI MODEL and the CISSP
The open system interconnection (OSI) model provides a framework for protocol implementation in the following seven layers: (Note: The OSI model is not tangible and is just a concept via which we can understand how the network communications take place)
Physical layer: This is the layer where the bit stream/radio signal/electrical impulse gets transmitted.
Data link layer: In the data link layer, the packets get encoded and decoded into bits.
Network layer: All the switching and routing logic gets implemented at the network layer.
Transport layer: The end-to-end flow control and data integrity of the information takes place at the transport layer.
Session layer: All the session management chores (establishment, maintenance, termination, etc.) take place here.
Presentation layer: This layer converts the data from the network format to the application format (and vice versa) for presentation and transportation purposes.
Application layer: All the end user (and application) processes take place at the application layer of the network.
The TCP/IP MODEL and the CISSP
Similar to the OSI model, the TCP/IP model is another framework via which we can explain (and build) our network protocols. It has the following four layers:
Network access layer: This is the first layer in the four-layered model. All the details of how the data will be sent through the physical network are defined here. The most used protocols at the network access layer are FDDI, Ethernet, token ring, Frame Relay, X.25, etc.
Internet layer: The Internet layer’s responsibility is to piece the data into datagrams (data packets) that will then be transported via the network access layer. These datagrams contain the source and destination addresses (which can be IP addresses or logical addresses) that are used for forwarding the datagrams between various hosts and across networks. The most used protocols at this layer are: IP (Internet protocol), RARP (reverse address resolution protocol), ARP (address resolution protocol), IGMP (internet group management protocol), and ICMP (internet control message protocol).
Transport layer: Just like the transport layer of the OSI model, the transport layer of the TCP/IP model ensures data flow control and integrity of the data. The most famous protocols used at the transport layer are TCP (transmission control protocol) and UDP (user datagram protocol).
Application layer: The application layer is responsible for converting the data received from the transport layer into a presentable format for the end user. Some of the worth-mentioning protocols at this level are: Telnet, SSH, DNS (domain name system), HTTP (hypertext transfer protocol), FTP (file transfer protocol), SNMP (simple network management protocol), DHCP (dynamic host configuration protocol), X Windows, RDP (remote desktop protocol), SMTP (simple mail transfer protocol), etc.
Even though multi-layered architectures allow protocol stacks to be implemented via different protocol combinations, network devices, and programming interfaces, the flexibility comes with a trade-off in performance. The transitions between the layers can lead to increased time costs and programming effort. The data storage and transfer abstractions used at every layer require the transformation of data at every layer, too. All this can lead to significant performance drawbacks, as shown by [Crowcroft et al. 1992][Clark 1982]. The DNP3 protocol also shares the same performance/efficiency drawbacks.
UNDERSTANDING IP NETWORKING
To communicate on an IP network, every device needs to have three different pieces of information; namely the subnet mask, the broadcast address, and the IP address. All these addresses are normally written in the form of octets (e.g. 184.108.40.206, 255.255.255.0, and 220.127.116.11).
All IP addresses are made up of two parts; one is the network portion, which lets the routers know which group of devices a packet should ideally visit, and the other one is the host portion, which lets routers know the specific device to which the packet needs to be sent.
By managing IP addresses, a network architect can assign a distinct identity to every specific device. (Tables showing the IP address classes, the standard IP subnet classes, and some examples of broadcast addresses accompanied this section.)
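To make the network-portion/host-portion split concrete, here is an added example (not code from the article) that applies a subnet mask with plain bit operations on the four octets, derives the network and broadcast addresses, reports the classful range of the first octet, and checks whether two addresses share a subnet. The addresses and masks used are constructed for illustration.

```python
# Added example (not from the article): split an IP address into its network and
# host portions with the subnet mask, then derive broadcast address and class.
MASK32 = 0xFFFFFFFF

def parse_octets(addr: str) -> int:
    """Convert a dotted-quad string into a 32-bit integer, validating each octet."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {addr!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | octet
    return value

def to_dotted(value: int) -> str:
    # Render a 32-bit integer back as four octets, most significant first.
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_length(mask: int) -> int:
    """Count leading one bits; a valid mask is one contiguous run of ones."""
    ones = bin(mask).count("1")
    if mask != (MASK32 << (32 - ones)) & MASK32:
        raise ValueError(f"non-contiguous subnet mask {to_dotted(mask)}")
    return ones

def address_class(ip: int) -> str:
    """Classful range of the first octet (A/B/C unicast, D multicast, E reserved)."""
    first = ip >> 24
    for limit, name in ((128, "A"), (192, "B"), (224, "C"), (240, "D")):
        if first < limit:
            return name
    return "E"

def describe(ip_str: str, mask_str: str) -> dict:
    """Return the network/broadcast addresses and host capacity of ip/mask."""
    ip, mask = parse_octets(ip_str), parse_octets(mask_str)
    plen = prefix_length(mask)
    network = ip & mask                      # network portion, host bits cleared
    broadcast = network | (~mask & MASK32)   # network portion, host bits all set
    return {"class": address_class(ip), "prefix_length": plen,
            "network": to_dotted(network), "broadcast": to_dotted(broadcast),
            "usable_hosts": max(0, 2 ** (32 - plen) - 2)}

def same_subnet(a: str, b: str, mask_str: str) -> bool:
    """A router delivers locally only when both network portions match."""
    mask = parse_octets(mask_str)
    return parse_octets(a) & mask == parse_octets(b) & mask
```

Calling describe("192.168.10.37", "255.255.255.224") shows the /27 the mask implies: network 192.168.10.32, broadcast 192.168.10.63, and 30 usable host addresses.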
SOFTWARE-DEFINED NETWORKING and the CISSP
Software-defined networking (SDN) is an emerging technology focused on replacing the physical network infrastructure with a software-controlled networking design. It’s dynamic, cost-efficient, and adaptable, which means that it caters to the high bandwidth needs of modern applications with aplomb.
The SDN architecture is responsible for decoupling the network control and the forwarding functions, enabling the architect to program the network control manually and abstract the underlying infrastructure for network services and applications. Following are some of the features of a SDN architecture:
Agility: The ability to abstract control from forwarding allows the administrators to adjust the network wide traffic dynamically and meet ever-changing needs.
Central management: The SDN controllers are responsible for maintaining a global view of the whole network. To policy engines and applications, the network appears as a single logical switch.
The ability to be configured programmatically: Probably the best part about a SDN infrastructure is that it can be programmed. It allows the network managers to add configurations at will. This allows for better management, security, and optimization of the network resources via automated SDN code, which, of course, the programmers have the luxury to write themselves.
Directly programmable: The whole network control is capable of being directly programmed because, as already mentioned, it’s kept segregated from the forwarding functions.
Vendor neutrality: If you implement an infrastructure using open standards, SDN allows you to simplify the network design and its eventual operation. This is because the instructions aren’t vendor-locked but are obtained from SDN controllers.
The converged protocol model promotes the carriage and transmission of various types of data/traffic (such as voice, data, video, and images) over a single converged network.
FIBER CHANNEL OVER ETHERNET (FCoE):
The FCoE, or fiber channel over Ethernet, is a sophisticated storage protocol that enables fiber channel communications to run directly over Ethernet. All the fiber channel traffic can be moved across the already deployed Ethernet infrastructures. More information on the protocol can be found here.
MULTI-PROTOCOL LABEL SWITCHING (MPLS):
MPLS is a technique by which the performance of telecommunication networks can be enhanced using sophisticated data-carrying techniques. It directs data from one node to the next based on short path labels instead of long network addresses, which avoids tedious routing table lookups. The labels identify virtual links (paths) between distant nodes rather than endpoints.
VOICE OVER IP (VoIP):
As the name indicates, voice over Internet protocol (VoIP) is a technology that allows voice calls to be made using an Internet connection (instead of a phone line). Some VoIP services might only allow you to call people who use the same service, but others allow you to call anybody who can be reached via a telephone number (including long-distance calls and international numbers). VoIP works by encapsulating audio into data packets via a codec, transmitting them across an IP network, and decapsulating them back into audio at the receiving end. The endpoints in a VoIP network include softphone applications (running on computers), WebRTC-enabled browsers, mobile devices, and VoIP phones.
The security and integrity of communications over a network can be ensured only if the standardized network design principles have been kept in mind by the engineer while setting up the network infrastructure.