Overview of Network Security Elements

Apr 21, 2025

Cybersecurity Architecture Series: Network Security

Introduction

  • Previous topics: Identity Management and Endpoint Security
  • Current focus: Network Security
  • Elements of Network Security:
    • Firewalls
    • Segmentation
    • Virtual Private Networks (VPNs)
    • Secure Access Service Edge (SASE)

Firewalls

  • Concept Origin: Analogous to physical firewalls preventing the spread of fire.
  • Function: Create isolation and protection from dangerous events in networks.
  • Basic Architecture:
    • Internet-facing firewall
    • Internal-facing firewall
  • Packet Filtering: Filters on source address, destination address, and port.
    • Allows standard HTTP (port 80) and encrypted (SSL/TLS) web traffic.
    • Blocks spoofed source addresses and direct outside access to sensitive areas such as databases.

Stateful Packet Inspection

  • Inspects not just individual packets but the connection state (context) they belong to, and their payload.
  • Allows for more sophisticated filtering decisions than simple packet filtering.

Proxies

  • Acts as a middleman for inspecting traffic.
  • Can be used for security and privacy.

Network Address Translation (NAT)

  • Translates internal (private) IP addresses to a routable public address.
  • Provides a layer of protection by preventing direct outside access to internal devices.

Segmentation

  • Bastion Host: Not recommended; exposes a web server directly to the Internet.
  • Tri-homed Network: Uses a single firewall with three interfaces for different zones.
  • Basic DMZ: Two firewalls creating a red (untrusted), yellow (semi-trusted), and green (trusted) zone.
    • Advantage: Defense in depth.
  • Multi-tiered DMZ: Adds more firewalls for granular security and further defense in depth.
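The packet-filtering rules above (source, destination, port, anti-spoofing, no direct path to the database) applied to the red/yellow/green zones of a basic DMZ, as an added illustration that is not part of the original notes; the address ranges, rules and port numbers are constructed assumptions:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption, not from the notes):
# green = trusted internal network, yellow = semi-trusted DMZ, red = everything else.
GREEN = ip_network("10.0.0.0/8")
YELLOW = ip_network("192.0.2.0/24")


def zone_of(addr: str) -> str:
    """Map an IP address to the DMZ colour zone it belongs to."""
    ip = ip_address(addr)
    if ip in GREEN:
        return "green"
    if ip in YELLOW:
        return "yellow"
    return "red"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str  # zone of the interface the packet arrived on


# Stateless filter rules, evaluated top to bottom (first match wins):
# (source zone, destination zone, destination port or None for any, action)
RULES = [
    ("red", "yellow", 80, "allow"),      # plain HTTP to the DMZ web tier
    ("red", "yellow", 443, "allow"),     # HTTPS to the DMZ web tier
    ("yellow", "green", 5432, "allow"),  # only the web tier may reach the database
    ("green", "red", None, "allow"),     # outbound traffic from trusted users
]


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Return (action, reason) for a packet under the two-firewall DMZ policy."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    # Anti-spoofing: a packet claiming an internal or DMZ source must not arrive from the Internet.
    if pkt.ingress == "red" and src_zone != "red":
        return "drop", f"spoofed {src_zone} source on red interface"
    for rule_src, rule_dst, rule_port, action in RULES:
        if (rule_src, rule_dst) == (src_zone, dst_zone) and rule_port in (None, pkt.dport):
            return action, f"rule {rule_src}->{rule_dst}:{rule_port or 'any'}"
    return "drop", "default deny"  # nothing matched: deny by default
```

A packet from the Internet aimed straight at the green database is dropped by the default rule, which is the "no direct access to sensitive areas" property the notes describe.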

Virtual Private Networks (VPNs)

  • Purpose: Secure channel over an untrusted network.
  • Encryption: Provides confidentiality by encrypting data.
  • Types of VPNs:
    • Application Layer: Secure Shell (SSH)
    • Transport Layer: TLS/SSL
    • Network Layer: IPsec
    • Data Link Layer: Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP)
  • Trends: Movement towards application-specific VPNs for more control and granularity.

Secure Access Service Edge (SASE)

  • Definition: Network security plus WAN, delivered from the cloud.
  • Components:
    • Network security: Firewalls, secure web gateways, data loss prevention (DLP)
    • WAN: Software-defined WAN
    • Cloud: Scalability and agility
  • Integration: Combines security and networking into a single cloud-delivered service.

Conclusion

  • Covered: Network Security elements: Firewalls, Segmentation, VPNs, SASE
  • Topics not covered: 5G, Wi-Fi, and their network security aspects.
  • Upcoming topics: Application Security