Skip to main content

1: Introduction to Network Architectures

Objective

  • Implement secure design principles in network architectures.
  • Secure network components.
  • Implement secure communication channels according to design.

Recent updates in Domain 4 stress the assessment and implementation of secure design principles.

Key Concepts in Network Architectures:

  1. Micro-segmentation: Splits the data center into logical segments, enhancing security and boosting efficiency.

  2. Software Defined Networks (SDN): A flexible and programmable network technology fostering efficient resource management.

  3. Virtual eXtensible Local Area Network (VXLAN): Employs encapsulation for network virtualization, addressing scalability challenges.

  4. Encapsulation: A method wherein data packets are enveloped with protocol data.

  5. Software-Defined Wide Area Network (SD-WAN): An advanced strategy for optimizing WAN management and functioning.

Network Architectures

SDN (Software Defined Networks)

Definition: An innovative network architecture that permits centralized and intelligent control of the network via software applications.

Key Points:

  • Offers the ability to dynamically reprogram the data plane.
  • Common use cases: SD-LAN and SD-WAN.

SDN separates the control plane from the data plane.

  • The control plane is responsible for making decisions about where the traffic is sent, i.e., routing decisions.
  • The data plane, on the other hand, is where the traffic actually flows. Separating these two allows for centralized control of the network's flow (via the control plane) while data continues to flow between devices (via the data plane).

Security Challenges:
Separating the control plane from the data plane introduces several security issues.

Vulnerabilities & Mitigation:

  • MITM (Man-In-The-Middle) and DoS (Denial of Service) attacks are potential threats.
  • Employing TLS can enhance security against these threats.

SD-WAN (Software Defined Wide Area Network)

  • Purpose: Enables remote users in branch offices to connect securely to an enterprise's central network.

  • Features:

    • Offers access to various network services like MPLS, LTE, broadband internet, etc.
    • Facilitates secure user-to-application connections.

  • Security Aspects:

    • Emphasizes IP security (IPsec)
    • Utilizes VPN tunnels, next-gen firewalls (NGFWs), and micro-segmentation for application traffic.

  • Architecture Details:

    • Adopts a centralized control function for intelligent routing.
    • Uses Secure Access Service Edge (SASE) to foster decentralized connectivity.

VXLAN (Virtual Extensible LAN)

  • Definition: A network virtualization tool designed to tackle network scaling limitations by enabling network segmentation at an enhanced scale.
  • Key Points:
    • Resolves the restriction of 4096 VLANs, which was likely due to its 12-bit design.
    • VXLANs can support millions of segments.

VXLAN is a tunneling protocol encapsulating an Ethernet frame (Layer 2) inside a UDP packet.

  • Security Aspects of Layer 2:
    • Attacks typically arise from within, examples include:
      • MAC spoofing
      • Flooding-induced DoS by rogue hosts

Reference Document: Attack vectors concerning VXLAN are elaborated in rfc7348.

Li-Fi (Light Fidelity)

  • Definition: A technique that modulates light intensity, primarily via LED, to transmit data.

  • Advantages:

    • Suitable for environments susceptible to electromagnetic interference.
    • Potentially offers transmission speeds of up to 100Gb/s.

  • Considerations:

    • Requires operational LED lights.
    • Operates on visible light, so it can't penetrate opaque barriers. This trait can be advantageous or disadvantageous, depending on security needs.

While Li-Fi isn't widely adopted now, it holds potential for future use.

Back to top