
Network Segmentation and Architectures



Network Segmentation




Definition: A strategy that divides a network into multiple segments or sub-networks, each being a network segment.

Benefits:

  • Performance Enhancement: Organize systems such that those that communicate frequently are in the same segment. This boosts network efficiency.

    Placing regularly communicating systems in the same segment enhances performance.

  • Reduced Communication Issues: By controlling traffic flow, issues like network congestion and broadcast storms are contained within individual segments rather than spreading across the entire network.

  • Enhanced Security: By isolating specific traffic and restricting user access to only authorized segments, potential security threats can be minimized.

    Segmentation restricts unauthorized access to sensitive sections of the network.


Intranet

A private network designed to host internal information services, similar to those on the public internet.

Some modern services, like SharePoint, blur the traditional definition of an intranet. While SharePoint can be accessed from the internet, its private, restricted sections for company use can be considered intranet features. North Korea is considered by some to be the largest intranet because it is isolated from the global internet.


Extranet

A hybrid between an intranet and the public internet. It's a private network that also provides specific public access.

Common in businesses that need to share information with external stakeholders (e.g., suppliers, partners). An example might be a supplier portal where suppliers can log in to see orders, but it's still part of the company's private network.

Extranets balance between keeping internal data secure and sharing necessary info with external parties.


DMZ (Demilitarized Zone) / Perimeter Network

Definition: A network area (or subnetwork) that sits between an organization's internal network and an external network, typically the public internet. It's like a buffer zone – services that are accessible to the public (like web servers) are placed here. 

The main idea is to add an additional layer of security. If a hacker compromises a server in the DMZ, they still don't have direct access to the internal network.

Placing public-facing services directly on the internal network without a DMZ can expose the entire network to threats.
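The segmentation and DMZ points above can be expressed as a default-deny policy between zones. The following Python is an added example, not code from these notes: it models three constructed segments (internet, DMZ, internal), a small allow list, and an audit over constructed firewall-style log lines. The subnets, ports and rules are assumptions chosen for illustration; the point is that a compromised DMZ host only gets the one path the policy grants it.

```python
"""Zone-based segmentation policy check: an added example, not from the original notes.

Models the three segments discussed above: the public internet, a DMZ that
holds public-facing services, and the internal network. Any flow that crosses
a segment boundary must match an explicit allow rule; everything else is denied,
so a compromised DMZ host still cannot reach arbitrary internal services.
The subnets, rules and log lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed segment layout (assumption, not from the notes): most specific match wins.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Default-deny: only these inter-segment flows are permitted.
ALLOW_RULES = {
    Rule("internet", "dmz", "tcp", 443),    # public web front end in the DMZ
    Rule("dmz", "internal", "tcp", 5432),   # web tier to the database, one port only
    Rule("internal", "dmz", "tcp", 22),     # admins manage DMZ hosts from inside
    Rule("internal", "internet", "tcp", 443),
}


def zone_of(ip: str) -> str:
    """Map an address to the most specific zone; 0.0.0.0/0 catches everything else."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Intra-segment traffic is not policed here; inter-segment traffic needs an allow rule."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return True
    return Rule(src_zone, dst_zone, proto.lower(), dport) in ALLOW_RULES


FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def audit_flows(log_lines):
    """Return the log lines describing flows the segmentation policy would deny."""
    denied = []
    for line in log_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.groups()
        if not is_allowed(src, dst, proto, int(dport)):
            denied.append(line)
    return denied


# Constructed flow records in a firewall-log style: one legitimate web hit,
# one DMZ-to-database query, and two attempts that segmentation should block.
SAMPLE_LOG = [
    "src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=443",
    "src=203.0.113.10 dst=10.0.5.20 proto=tcp dport=5432",
    "src=203.0.113.10 dst=10.0.5.20 proto=tcp dport=22",   # DMZ host reaching for internal SSH
    "src=198.51.100.7 dst=10.0.5.20 proto=tcp dport=443",  # internet straight to internal
]

if __name__ == "__main__":
    for line in audit_flows(SAMPLE_LOG):
        print("DENY", line)
```

Running the script prints the last two sample lines as denied: the DMZ web host may reach the database port but nothing else inside, and the internet never reaches the internal segment directly, which is the buffer-zone property the DMZ section describes.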

Wireless Network Technologies

| Wireless Standard | Frequency | Maximum Data Rate | Description |
|---|---|---|---|
| IEEE 802.11 (original) | 2.4 GHz | 2 Mbps | Initial Wi-Fi standard from 1997 |
| IEEE 802.11a | 5 GHz | 54 Mbps | Early high-speed standard |
| IEEE 802.11b | 2.4 GHz | 11 Mbps | Popular early standard, superseded by 802.11g |
| IEEE 802.11g | 2.4 GHz | 54 Mbps | Backwards compatible with 802.11b |
| IEEE 802.11n | 2.4 GHz & 5 GHz | 200+ Mbps | MIMO tech for increased speeds |
| IEEE 802.11ac | 5 GHz | 1 Gbps | Widely adopted for high-speed networks |
| IEEE 802.11ax (Wi-Fi 6) | 2.4 GHz & 5 GHz | 10 Gbps | Next-generation Wi-Fi with improved efficiency |


SSID Broadcast

Definition: The SSID (Service Set Identifier) is the name of a wireless network.

  • Broadcast Mechanism: Wireless networks periodically announce their SSID using a beacon frame.

    The beacon frame regularly advertises the network's SSID.

  • Automatic Detection: When the SSID is broadcast, any device with an "automatic detect" setting can discover and potentially connect to the network.

  • Hidden SSID: Concealing the SSID is a technique known as "security through obscurity." While it might deter casual users, the SSID can still be detected via client traffic by those who know how to look.


TKIP (Temporal Key Integrity Protocol)

Definition: TKIP was introduced as a safer alternative to WEP without necessitating hardware replacements.

  • Implementation: Incorporated into the 802.11 standard under the designation "WPA" (Wi-Fi Protected Access).

While TKIP/WPA was an improvement over WEP, it was later surpassed by more secure protocols.


CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)

Definition: Developed to succeed both WEP and TKIP/WPA, offering a more robust encryption method.

  • Technical Details: Utilizes the AES encryption algorithm with a 128-bit key.

  • WPA2: Introduced CCMP as its encryption scheme, based on AES. Marked a significant improvement over WEP and WPA.

WPA2 with CCMP/AES became the gold standard for Wi-Fi security.


Architectures


SDN (Software Defined Networks)

Definition: An innovative network architecture that permits centralized and intelligent control of the network via software applications.

Key Points:

  • Offers the ability to dynamically reprogram the data plane.
  • Common use cases: SD-LAN and SD-WAN.

SDN separates the control plane from the data plane.

  • The control plane is responsible for making decisions about where the traffic is sent, i.e., routing decisions.
  • The data plane, on the other hand, is where the traffic actually flows. Separating these two allows for centralized control of the network's flow (via the control plane) while data continues to flow between devices (via the data plane).

Security Challenges:
Separating the control plane from the data plane introduces several security issues.

Vulnerabilities & Mitigation:

  • MITM (Man-In-The-Middle) and DoS (Denial of Service) attacks are potential threats.
  • Employing TLS can enhance security against these threats.


SD-WAN (Software Defined Wide Area Network)

  • Purpose: Enables remote users in branch offices to connect securely to an enterprise's central network.

  • Features:

    • Offers access to various network services like MPLS, LTE, broadband internet, etc.
    • Facilitates secure user-to-application connections.

  • Security Aspects:

    • Emphasizes IP security (IPsec).
    • Utilizes VPN tunnels, next-gen firewalls (NGFWs), and micro-segmentation for application traffic.

  • Architecture Details:

    • Adopts a centralized control function for intelligent routing.
    • Uses Secure Access Service Edge (SASE) to foster decentralized connectivity.


VXLAN (Virtual Extensible LAN)

Definition: A network virtualization tool designed to tackle network scaling limitations by enabling network segmentation at an enhanced scale.

Key Points:

  • Resolves the restriction of 4096 VLANs, which is due to the 12-bit VLAN ID field.
  • VXLANs can support millions of segments.

VXLAN is a tunneling protocol encapsulating an Ethernet frame (Layer 2) inside a UDP packet.

Security Aspects of Layer 2:

  • Attacks typically arise from within, examples include:
    • MAC spoofing
    • Flooding-induced DoS by rogue hosts

Reference Document: Attack vectors concerning VXLAN are elaborated in RFC 7348.


Li-Fi (Light Fidelity)

Definition: A technique that modulates light intensity, primarily via LED, to transmit data.

  • Advantages:

    • Suitable for environments susceptible to electromagnetic interference.
    • Potentially offers transmission speeds of up to 100 Gb/s.

  • Considerations:

    • Requires operational LED lights.
    • Operates on visible light, so it can't penetrate opaque barriers. This trait can be advantageous or disadvantageous, depending on security needs.

While Li-Fi isn't widely adopted now, it holds potential for future use.
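To make the SSID Broadcast points concrete (beacon frames carry the SSID, and a hidden SSID still shows up in client traffic), here is an added Python example, not code from these notes or from any Wi-Fi tool. It decodes the SSID information element from constructed 802.11 management frames: a beacon from an access point that hides its name, and a probe request from a client that names the network. What a passive wireless monitor learns from the two frames is exactly why hiding the SSID is obscurity rather than access control. The frame layouts follow IEEE 802.11; the MAC addresses and the network name are made up.

```python
"""Decoding the SSID element in 802.11 management frames: an added example,
not code from the original notes.

Constructed frames: a beacon from an AP that hides its SSID (zero-length SSID
element) and a probe request from a client that names the network. A monitor
that decodes both sees the name anyway, which is the limit of "hidden SSID".
Byte layouts follow IEEE 802.11; MACs and the network name are made up.
"""
import struct

MGMT_HEADER_LEN = 24     # frame control, duration, addr1-3, sequence control
BEACON_FIXED_LEN = 12    # timestamp (8) + beacon interval (2) + capability info (2)
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_BEACON = 0x8
EID_SSID = 0             # element id of the SSID information element


def frame_subtype(frame: bytes) -> int:
    """Frame Control byte 0: bits 0-1 version, bits 2-3 type, bits 4-7 subtype."""
    return (frame[0] >> 4) & 0xF


def information_elements(body: bytes):
    """Yield (element id, value) pairs from the tagged-parameter area."""
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                     # truncated element: stop rather than guess
        yield eid, value
        i += 2 + length


def extract_ssid(frame: bytes):
    """Return (transmitter MAC, ssid); ssid is None when the element is hidden."""
    subtype = frame_subtype(frame)
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 = transmitter
    body = frame[MGMT_HEADER_LEN:]
    if subtype == SUBTYPE_BEACON:
        body = body[BEACON_FIXED_LEN:]
    elif subtype != SUBTYPE_PROBE_REQ:
        raise ValueError("not a beacon or probe request")
    for eid, value in information_elements(body):
        if eid == EID_SSID:
            if not value.strip(b"\x00"):
                return src, None      # hidden: empty or null-filled SSID element
            return src, value.decode("utf-8", errors="replace")
    return src, None


def monitor_summary(frames):
    """What a passive monitor learns: SSIDs named on air, and APs that hide theirs."""
    named, hidden_aps = {}, []
    for frame in frames:
        src, ssid = extract_ssid(frame)
        if ssid is None:
            hidden_aps.append(src)
        else:
            named.setdefault(ssid, []).append(src)
    return named, hidden_aps


def build_mgmt_frame(subtype: int, src_mac: bytes, ies: bytes) -> bytes:
    """Constructed helper: minimal management frame (broadcast addr1, src as addr2/addr3)."""
    fc = bytes([subtype << 4, 0x00])          # type management (00), given subtype
    header = fc + b"\x00\x00" + b"\xff" * 6 + src_mac + src_mac + b"\x00\x00"
    fixed = b""
    if subtype == SUBTYPE_BEACON:             # timestamp, beacon interval, capability info
        fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
    return header + fixed + ies


# Constructed sample traffic: the AP hides its SSID, the client asks for it by name.
AP_MAC = bytes.fromhex("021111222233")
CLIENT_MAC = bytes.fromhex("02aaaabbbbcc")
SUPPORTED_RATES = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
HIDDEN_BEACON = build_mgmt_frame(SUBTYPE_BEACON, AP_MAC, bytes([EID_SSID, 0]) + SUPPORTED_RATES)
PROBE_REQUEST = build_mgmt_frame(SUBTYPE_PROBE_REQ, CLIENT_MAC, bytes([EID_SSID, 9]) + b"corp-wifi")

if __name__ == "__main__":
    print(monitor_summary([HIDDEN_BEACON, PROBE_REQUEST]))
```

The beacon yields no name, but the probe request from a client that already knows the network carries it in clear text; the summary therefore lists "corp-wifi" next to the client MAC while the AP appears only in the hidden list. Real captures also contain probe responses and association requests with the same element, which the parser handles if you pass them through `information_elements` the same way.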
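The VXLAN section states the two facts that matter for segmentation at scale: a 24-bit VNI instead of a 12-bit VLAN ID, and an Ethernet frame carried inside UDP. The following Python is an added example, not code from these notes or from any VXLAN implementation. It builds the RFC 7348 header in front of a constructed inner frame, decodes it with the checks a tunnel endpoint (VTEP) should make (I flag set, VNI in range, reserved bits ignored on receipt), and keeps a per-VNI MAC learning table that flags a known MAC arriving from a different VTEP, one simple detection angle on the MAC-spoofing point under Layer 2 security. The VNI values, MACs, VTEP addresses and frame bytes are made up.

```python
"""VXLAN encapsulation and validation following RFC 7348: an added example,
not code from the notes or from any VXLAN implementation.

Wraps a constructed inner Ethernet frame in the 8-byte VXLAN header (and the
UDP header it rides in), decodes it back with the checks a VTEP should make
(I flag set, VNI fits in 24 bits, reserved bits ignored on receipt), and keeps
a per-VNI MAC learning table that flags a known MAC arriving from a different
VTEP. VNI values, MACs, VTEP addresses and frame bytes are made up.
"""
import struct

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08        # "I" bit in the flags byte: a valid VNI is present
VLAN_ID_BITS = 12          # 802.1Q VLAN ID width
VNI_BITS = 24              # VXLAN Network Identifier width
VXLAN_HDR_LEN = 8
ETH_HDR_LEN = 14


def segment_limit(bits: int) -> int:
    """Number of identifiers an id field of the given width can express."""
    return 1 << bits


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8); reserved bits sent as zero."""
    if not 0 <= vni < segment_limit(VNI_BITS):
        raise ValueError("VNI must fit in 24 bits")
    if len(inner_frame) < ETH_HDR_LEN:
        raise ValueError("inner payload is not an Ethernet frame")
    header = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)
    return header + inner_frame


def build_udp_datagram(src_port: int, vxlan_payload: bytes) -> bytes:
    """UDP header in front of the VXLAN payload; a zero checksum is permitted over IPv4."""
    length = 8 + len(vxlan_payload)
    return struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, length, 0) + vxlan_payload


def decapsulate(vxlan_payload: bytes):
    """Return (vni, inner_frame), rejecting packets a VTEP must drop."""
    if len(vxlan_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("too short for a VXLAN header plus an Ethernet header")
    flags_word, vni_word = struct.unpack("!II", vxlan_payload[:VXLAN_HDR_LEN])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag not set: drop, per RFC 7348")
    vni = vni_word >> 8        # low byte is reserved and ignored on receipt
    return vni, vxlan_payload[VXLAN_HDR_LEN:]


def inner_src_mac(inner_frame: bytes) -> str:
    """Source MAC of the encapsulated Ethernet frame (bytes 6-11)."""
    return ":".join(f"{b:02x}" for b in inner_frame[6:12])


def learn_or_flag(table: dict, vni: int, src_mac: str, outer_src_ip: str) -> bool:
    """Per-VNI MAC learning: True when a MAC already learned on this VNI shows up from another VTEP."""
    key = (vni, src_mac)
    previous = table.get(key)
    if previous is None:
        table[key] = outer_src_ip
        return False
    return previous != outer_src_ip


def flagged_events(events):
    """Run (vni, src_mac, outer_src_ip) events through a fresh table; return the flag per event."""
    table = {}
    return [learn_or_flag(table, vni, mac, ip) for vni, mac, ip in events]


def rejects(fn, *args) -> bool:
    """Helper so a caller can confirm that invalid input is refused."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed inner frame: broadcast ARP-sized payload from a made-up source MAC.
INNER_FRAME = (bytes.fromhex("ffffffffffff")      # destination MAC (broadcast)
               + bytes.fromhex("02aabbccddee")    # source MAC
               + b"\x08\x06"                      # EtherType: ARP
               + b"\x00" * 28)

if __name__ == "__main__":
    packet = encapsulate(5000, INNER_FRAME)
    vni, frame = decapsulate(packet)
    mac = inner_src_mac(frame)
    # Same MAC first seen from VTEP 192.0.2.1, then from 192.0.2.2 on the same VNI.
    print(vni, mac, flagged_events([(vni, mac, "192.0.2.1"), (vni, mac, "192.0.2.2")]))
```

The decoder tolerates non-zero reserved bits (the RFC says to ignore them on receipt) but drops a packet whose I flag is clear, and the encoder refuses a VNI outside 24 bits. The learning table is deliberately naive: a legitimate VM migration also moves a MAC between VTEPs, so in practice the flag is a signal to correlate with orchestration events, not a verdict.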