Infrastructure considerations
decisions derived from careful thought applied through analysis over time
Device Placement
refers to the strategic positioning and integration of servers, workstations, network devices (like routers and switches), security appliances (such as firewalls and intrusion detection systems), and more within your infrastructure.
Security Zones
allow us to break a network up into “segments” based on traffic flows and the security needs of those traffic flows
Attack surface
the total number or amount of attack vectors available to a hacker or attacker to conduct an attack of some kind.
Connectivity
a concept that applies to interconnected infrastructure that relates to overall enterprise architecture design
Failure mode (Fail-open)
Failure does not block access or use of the system when it fails. This means that when the device encounters an error, loses power, or fails for any reason, it automatically allows all traffic or access requests to pass through it without restriction.
Failure mode (Fail-closed)
access or use is blocked or disconnected and not opened until the failure is cleared or addressed
Device attribute
a characteristic or property that can describe, identify, or specify a device’s capabilities, status, or configuration
Active devices
observe, analyze, alter, and alert about traffic or the state of the network. This includes actions like blocking, modifying, and redirecting traffic, as well as actively sending out requests and receiving responses. Examples: firewalls, intrusion prevention systems (IPSs)
Passive devices
only observe, analyze, and alert about network traffic and never alter it in any way. They collect data and analyze traffic flows for various purposes such as detecting anomalies, monitoring performance, and identifying potential security threats
Inline
any type of device that is placed directly in the path of network traffic. Therefore, all traffic must pass through these devices, allowing them to inspect, modify, or block traffic in real time
Tap/monitor
Devices connected to a network in such a way that they receive a copy of the traffic for analysis but do not interact with the actual traffic flow
network appliance
provides a service. Some appliances are designed to cache information, some are used for remote access, some are used to monitor traffic flows for anomalies, while others are used to balance a traffic load
jump server
a hardened system (Linux, Windows, Unix) used to provide secure remote access to resources in the network
proxy server
an intermediary infrastructure device that sits between clients and servers to enhance security and also improve performance through caching
forward proxy
controls traffic, originating from clients on the internal network, that is destined for hosts on the Internet. The client connects to the proxy, and then the proxy makes a connection to the resource on the Internet
reverse proxy
sits between users on the Internet and servers that you control to regulate traffic from Internet users to your servers. Therefore, the users on the Internet make their connection to the proxy server, and then the proxy server makes a connection on their behalf to your backend server
intrusion detection system (IDS)
designed to analyze data, identify (detect) attacks, and alert about any findings. An IDS is typically a passive tap/monitor device
intrusion prevention system (IPS)
designed to analyze data, identify (detect) attacks, and alert on findings just like an IDS, but it also has the ability to prevent attacks and malicious activity by blocking them. An IPS is typically an active, inline device
NIDSs/NIPSs
network-based devices that monitor the packets flowing on the network.
HIDSs/HIPSs
installed on hosts (PCs/servers) and monitor packets that are flowing in and out of the network interface of the host
IDS/IPS can detect attacks in 5 ways
Signature-based, Anomaly-based, Policy-based, Stateful protocol analysis, Heuristic-based
Signature-based
Relies on a database of known threat signatures or patterns of malicious activity. Any activity that matches these signatures will trigger the device to take action
Anomaly-based
Involves creating a baseline of normal network or system activity. Any significant deviation from this baseline is flagged as potentially malicious.
Policy-based
Uses predefined security policies and rules to identify activities that violate these policies
Stateful protocol analysis
Involves analyzing communication protocols at different layers of the network stack to ensure they are correctly followed. It examines the state and attributes of network connections over time
Heuristic-based
Uses algorithms to evaluate the behavior of code, applications, or traffic to identify suspicious patterns that may indicate malicious intent, even if the specific signature or anomaly is not previously known.
load balancer
a device that takes incoming network traffic and distributes it to a pool of devices that can respond to and process it
sensor
any device or infrastructure component that is used to collect information for monitoring and alerting purposes. The sensor collects information about a network, its traffic, and any other data it is designed to collect
port security
any network security feature designed to restrict unauthorized access and protect against unauthorized or malicious activity on physical and virtual network ports
Extensible Authentication Protocol (EAP)
a framework widely used in network access authentication that supports multiple authentication methods
web application firewall (WAF)
designed to identify and protect you from web-based attacks
unified threat management (UTM)
security appliances that contain varying information security-related functions, including firewalling, spam filtering, and antimalware protection in a single platform
next-generation firewalls (NGFWs)
NGFWs are considered application-aware. This means they go beyond the traditional port and IP address examination of stateless firewalls to inspect traffic at a deeper level.
Secure communication/access
foundational elements designed to protect the confidentiality, integrity, and availability of data as it moves through and accesses various points in an enterprise infrastructure
Virtual private network (VPN)
a technology used to create a secure, encrypted connection over a less secure network, such as the Internet. This is accomplished using encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.
Remote access
one of the most common ways that people communicate with systems and services
Tunneling
the creation of a logical connection (using encapsulation) over an existing connection
Transport Layer Security (TLS)
a secure communications protocol that evolved from SSL (Secure Sockets Layer), primarily used to create a secure tunnel between applications and servers by using encryption to secure traffic exchanged between them
Internet Protocol Security (IPSec)
a framework that outlines best practices and mechanisms for securing IP traffic as it flows between two devices over untrusted networks
Software-Defined Wide Area Network (SD-WAN)
enables organizations to manage network services through a decoupled infrastructure that allows for quick adjustments to changing business requirements
Secure Access Service Edge (SASE)
securely connects users, systems, endpoints, and remote networks to applications and resources in the cloud by applying security policies based on the identity of the user or device, combined with context such as location, device health, and the sensitivity of the data being accessed