
Network Architecture

Network Segmentation

Definition: The practice of dividing a network into multiple smaller sub-networks (segments) and controlling which traffic may pass between them, typically with VLANs, separate subnets and firewall rules at the segment boundaries.

Benefits:

  • Performance Enhancement: Systems that communicate frequently are placed in the same segment, so their traffic stays local to that segment and overall network efficiency improves.

  • Reduced Communication Issues: By controlling traffic flow, issues like network congestion and broadcast storms are contained within individual segments rather than spreading across the entire network.

  • Enhanced Security: Isolating traffic and allowing users and systems to reach only the segments they are authorized for limits how far an attacker or malware can move. A compromised host in one segment cannot reach a sensitive segment unless a boundary rule explicitly permits it.


Intranet

A private network designed to host internal information services, similar to those on the public internet.

Some modern services, like SharePoint, blur the traditional definition of an intranet. While SharePoint can be accessed from the internet, its private, restricted sections for company use can be considered intranet features. North Korea's nationwide network (Kwangmyong) is sometimes described as the largest intranet, because it is isolated from the global internet.


Extranet

A hybrid between an intranet and the public internet. It's a private network that grants controlled access to specific outside parties rather than to the general public.

Common in businesses that need to share information with external stakeholders (e.g., suppliers, partners). An example is a supplier portal where suppliers log in to see their orders; the portal is reached over the internet, but it remains part of the company's private network and only authenticated partners can use it.

Extranets balance between keeping internal data secure and sharing necessary info with external parties.

DMZ (Demilitarized Zone) / Perimeter Network

Definition: A network area (or subnetwork) that sits between an organization's internal network and an external network, typically the public internet. It's like a buffer zone – services that are accessible to the public (like web servers) are placed here. 

The main idea is to add an additional layer of security. If an attacker compromises a server in the DMZ, they still don't have direct access to the internal network, provided the firewall between the DMZ and the internal network also restricts traffic initiated from the DMZ. A DMZ host that is allowed to reach the internal network freely is simply a pivot point, so inward rules should be few, specific and justified.

Placing public-facing services directly on the internal network without a DMZ can expose the entire network to threats.
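The segmentation and DMZ rules above can be checked mechanically. The following is an added example, not part of the original notes and not any vendor's firewall syntax: a small zone-based policy model in Python with an implicit default deny, plus an audit that lists every rule letting the DMZ initiate traffic into the internal zone (the pivot paths an attacker gains by compromising a DMZ host). The address plan (203.0.113.0/24 for the DMZ, 10.0.0.0/8 internal, everything else "internet"), the ports and the rule comments are constructed for the example.

```python
"""Zone-based segmentation policy check (illustrative model, not a real firewall).

Constructed example: three zones (internet, dmz, internal), a first-match
rule list with an implicit default deny, and an audit of DMZ -> internal paths.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed address plan (RFC 5737 documentation ranges): the DMZ holds the
# public web tier, the internal zone holds everything else. Any address not
# covered by a listed prefix is treated as the internet.
ZONES = {
    "dmz": [ipaddress.ip_network("203.0.113.0/24")],
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None = any port
    action: str              # "allow" or "deny"
    comment: str = ""


# First-match policy. Anything not matched is denied, which is what keeps
# DMZ -> internal closed: only the database rule opens an inward path.
POLICY = [
    Rule("internet", "dmz", 443, "allow", "public HTTPS to the web tier"),
    Rule("internet", "dmz", 80, "allow", "public HTTP to the web tier"),
    Rule("dmz", "internal", 5432, "allow", "web tier -> database (only inward path)"),
    Rule("internal", "dmz", None, "allow", "admins and monitoring reach the DMZ"),
    Rule("internal", "internet", None, "allow", "outbound browsing"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown prefixes are the internet."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "internet"


def evaluate(src_ip: str, dst_ip: str, dst_port: int, policy=POLICY) -> str:
    """Return "allow" or "deny" for a flow crossing the perimeter firewall."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow"  # intra-zone traffic never crosses the boundary firewall
    for rule in policy:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.dst_port in (None, dst_port)):
            return rule.action
    return "deny"  # implicit default deny


def inward_paths(policy=POLICY) -> List[Rule]:
    """Audit: every allow rule that lets a DMZ host initiate traffic inward.

    Each entry is a pivot path available to whoever compromises the DMZ, so
    the list should stay short and each rule should have a written reason."""
    return [r for r in policy
            if r.src_zone == "dmz" and r.dst_zone == "internal" and r.action == "allow"]


if __name__ == "__main__":
    print(evaluate("198.51.100.7", "203.0.113.10", 443))   # internet -> web tier
    print(evaluate("203.0.113.10", "10.0.5.5", 22))         # DMZ -> internal SSH
    for r in inward_paths():
        print(f"inward path: {r.src_zone} -> {r.dst_zone}:{r.dst_port} ({r.comment})")
```

Running the audit against a real ruleset export is where this pays off: a DMZ-to-internal "allow any" rule added during troubleshooting is exactly the kind of entry that quietly turns the DMZ back into a flat network.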


Network Architectures

SDN (Software Defined Networks)

Definition: A network architecture in which a centralized software controller decides how traffic is forwarded and programs the network devices accordingly, instead of each device running its own control logic.

Key Points:

  • Offers the ability to dynamically reprogram the data plane.
  • Common use cases: SD-LAN and SD-WAN.

SDN separates the control plane from the data plane.

  • The control plane is responsible for making decisions about where the traffic is sent, i.e., routing decisions.
  • The data plane, on the other hand, is where the traffic actually flows. Separating these two allows for centralized control of the network's flow (via the control plane) while data continues to flow between devices (via the data plane).

Security Challenges:
Separating the control plane from the data plane creates a single high-value target (the controller) and a control channel between the controller and the switches that carries the network's entire forwarding logic.

Vulnerabilities & Mitigation:

  • MITM (Man-In-The-Middle): an attacker who can intercept or spoof the controller-to-switch channel can read or rewrite the flow rules being installed.
  • DoS (Denial of Service): flooding the controller, for example with traffic that forces many forwarding decisions to be escalated to it, can stall the whole network.
  • Employing TLS with mutual authentication on the controller-to-switch channel protects it against MITM and rogue controllers or switches; it does not address DoS, which needs rate limiting at the switches and a redundant controller deployment.

SD-WAN (Software Defined Wide Area Network)

  • Purpose: Connects branch offices (and the users in them) securely to the enterprise's central network and to its applications over whatever transports are available at each site.

  • Features:

    • Can carry traffic over multiple underlying transports (MPLS, LTE, broadband internet) and steer each application's traffic across them based on policy and link quality.
    • Facilitates secure user-to-application connections.
  • Security Aspects:

    • Emphasizes IP security (IPsec)
    • Utilizes VPN tunnels, next-gen firewalls (NGFWs), and micro-segmentation for application traffic.
  • Architecture Details:

    • Adopts a centralized control function for intelligent routing.
    • Is often combined with Secure Access Service Edge (SASE), which pairs SD-WAN connectivity with cloud-delivered security services, so branches and remote users connect directly instead of backhauling everything through a central data center.

VXLAN (Virtual Extensible LAN)

Definition: A network virtualization technology (an encapsulation scheme) designed to tackle network scaling limitations by enabling network segmentation at a far larger scale than VLANs.

Key Points:

  • Resolves the 802.1Q limit of 4096 VLANs: the VLAN ID field is 12 bits, so only 4096 values exist (4094 usable, since IDs 0 and 4095 are reserved).
  • VXLAN uses a 24-bit VXLAN Network Identifier (VNI), which supports roughly 16 million segments.

VXLAN is a tunneling protocol that encapsulates an Ethernet frame (Layer 2) inside a UDP packet (destination port 4789) carried over IP, so a Layer 2 segment can span a routed Layer 3 network. The endpoints that encapsulate and decapsulate are called VTEPs (VXLAN Tunnel Endpoints).

Security Aspects of Layer 2:

  • Because VXLAN extends Layer 2 across the underlay, the classic Layer 2 attacks apply inside each virtual segment, and they typically originate from an insider or an already-compromised host. Examples include:
    • MAC spoofing
    • Flooding-induced DoS by rogue hosts
  • The VXLAN encapsulation itself carries no authentication or encryption. An attacker on the underlay who can send UDP to a VTEP can inject frames into any VNI unless the VTEP accepts packets only from known peer VTEPs and only for the VNIs it serves; IPsec between VTEPs protects the tunnel traffic itself.

Reference Document: The attack vectors and mitigations for VXLAN are discussed in the Security Considerations section of RFC 7348.
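To make the frame format and the receive-side checks concrete, here is an added example (not from the original notes and not any VTEP implementation's code) in Python: it builds the 8-byte VXLAN header from RFC 7348 around a constructed Ethernet frame, and decapsulates it the way a cautious VTEP should, rejecting packets from unknown peers, for VNIs the VTEP does not serve, or with a malformed header. The MAC addresses, VNIs and peer addresses are made up; the port number, flag bit and field layout are the ones RFC 7348 specifies.

```python
"""Minimal VXLAN (RFC 7348) encapsulation and decapsulation with the checks a
VTEP should make on receipt. Constructed example: addresses, VNIs and the peer
list are invented; the header layout follows the RFC."""
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned UDP destination port for VXLAN
VXLAN_FLAG_I = 0x08            # "I" bit: the VNI field is valid
VXLAN_HDR_LEN = 8              # flags(1) + reserved(3) + VNI(3) + reserved(1)
ETH_HDR_LEN = 14               # dst MAC(6) + src MAC(6) + EtherType(2)
VNI_MAX = (1 << 24) - 1        # 24-bit VNI: 16,777,216 possible segments
VLAN_ID_MAX = (1 << 12) - 1    # 12-bit 802.1Q VLAN ID: 4096 values


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_ethernet(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an untagged Ethernet II frame (no FCS) to carry inside VXLAN."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ethertype) + payload


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Return the UDP payload: VXLAN header followed by the inner frame."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    # Reserved bytes are zero on transmit; receivers ignore them.
    header = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return header + inner_frame


def decapsulate(outer_src_ip: str, udp_dst_port: int, udp_payload: bytes,
                known_vteps: set, local_vnis: set) -> dict:
    """Validate and decode a received VXLAN packet.

    VXLAN adds no authentication, so the defences at this layer are:
    (1) accept packets only from known peer VTEPs (the outer source IP),
    (2) decapsulate only VNIs this VTEP actually serves, and
    (3) insist on a well-formed header before touching the inner frame."""
    if outer_src_ip not in known_vteps:
        raise PermissionError(f"VXLAN packet from unknown VTEP {outer_src_ip}")
    if udp_dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"unexpected UDP destination port {udp_dst_port}")
    if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("truncated VXLAN packet")
    flags = udp_payload[0]
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI field is not valid")
    vni = int.from_bytes(udp_payload[4:7], "big")
    if vni not in local_vnis:
        raise PermissionError(f"VNI {vni} is not served by this VTEP")
    inner = udp_payload[VXLAN_HDR_LEN:]
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", inner[:ETH_HDR_LEN])
    return {
        "vni": vni,
        "dst_mac": mac_str(dst_mac),
        "src_mac": mac_str(src_mac),
        "ethertype": ethertype,
        "payload": inner[ETH_HDR_LEN:],
    }


if __name__ == "__main__":
    frame = build_ethernet(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                           0x0800, b"IP payload")
    packet = encapsulate(5000, frame)
    print(packet[:VXLAN_HDR_LEN].hex())  # flags 08, VNI 0x001388
    print(decapsulate("192.0.2.1", VXLAN_UDP_PORT, packet, {"192.0.2.1"}, {5000}))
```

The peer and VNI checks are where the security lives: without them, anyone who can reach UDP 4789 on a VTEP can hand it a frame with any inner source MAC on any segment, which is the VXLAN form of the MAC-spoofing and flooding attacks listed above.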


Li-Fi (Light Fidelity)

  • Definition: A technique that modulates light intensity, primarily via LED, to transmit data.

  • Advantages:

    • Suitable for environments susceptible to electromagnetic interference.
    • Potentially offers transmission speeds of up to 100Gb/s.
  • Considerations:

    • Requires operational LED lights.
    • Operates on visible light, so it can't penetrate opaque barriers. This trait can be advantageous or disadvantageous, depending on security needs.

While Li-Fi isn't widely adopted now, it holds potential for future use.