Infrastructure Considerations

(OBJ 3.2)

Device Placement

• Proper placement of routers, switches, and access points is crucial
• Correct placement ensures
  • Optimal data flow,
  • Minimizes latency
  • Enhances security
• Routers at the network's edge help filter traffic efficiently
• Strategic placement of access points ensures coverage and reduces interference
• Switches should be located for easy connection to network segments
  • If placing devices in the wrong places, it could lead to:
    • Network bottlenecks
    • Vulnerability points
    • Areas without connectivity

Security Zones and Screened Subnets

• Security Zones
  • Distinct segment within a network
  • Isolate devices with similar security requirements
  • Often created using a firewall or other security device
  • Example:
    • A company might have different zones for
      • Public-facing services
      • Internal employee resources
      • Sensitive data storage
    • Each will be configured with different access controls or security policies
• Screened Subnets
  • Act as buffer zones between internal and external networks
  • Hosts public-facing services, protecting core internal networks
    • Web servers
    • Email servers
    • DNS servers
  • Safeguards against security breachers by preventing attackers from gaining direct access to the sensitive core internal network
  • Use the term "screened subnet" instead of "DMZ (Demilitarized Zone)" for modern configurations

Attack Surface

• Refers to points where unauthorized access or data extraction can occur
• A larger attack surface increases the risk of vulnerabilities
  • "There are more opportunities for malicious actors to exploit weaknesses and vulnerabilities in your systems"
    • Improper device placement
    • Improperly configured devices
    • Outdated software
    • Unnecessary open ports
    • Weak access controls
• Identify and mitigate vulnerabilities to reduce the attack surface
• Regularly assess and minimize the attack surface for network security

Connectivity Methods

• Connectivity: Refers to how different components of a network communicate with each other and with other external networks
• Choose connectivity methods that influence network performance, reliability, and security of your systems
• Wired (e.g., Ethernet) offers stability and speed but restricts mobility
  • Fiber optics excel in speed, reliability, and signal quality for robust connectivity
• Wireless (e.g., Wi-Fi) provides flexibility but may suffer from interference and security issues if not properly configures
  • Wi-Fi
  • Microwave links
  • Satellite Connections
• Hybrid method: Combines various forms of connectivity to leverage strengths of each different technology that is being used in order to ensure additional layers of redundancy
• Consider factors like scalability, speed, security, and budget constraints when choosing connectivity methods

Device Attributes

• Consider whether devices are active or passive, and if they are inline or tapped
• Active devices (e.g., intrusion prevention systems)
  • monitor and act on network traffic.
  • Make real-time decisions based on the network current state.
• Passive devices (e.g., intrusion detection systems)
  • observe and report without altering traffic
• Inline devices are in the path of network traffic
  • An inline device sits in the network traffic path, and is able to control or block traffic as it passes through this device
  • Examples:
    • Firewall
    • Router
    • IPS
  • Critical tool for tasks like filtering malicious traffic or optimizing data flows
• Taps and monitors capture data without disruption
  • Operate discreetly outside the network path, capturing data for analysis without impacting traffic
  • Makes them ideal for monitoring network
    • Health
    • Performance
    • Security
• Align device choices with network goals and challenges
  • Focus more on monitoring or path optimization?

Failure Mode

• Choose between "fail-open" and "fail-closed" modes to handle device failures
• Fail-open
  • Allows traffic to pass during a failure, maintaining connectivity but reducing security
  • Ensures no disruption to the network service
  • But now the firewall/switch/router that failed-open will no longer provide you with any kind of security when it's operating in this condition
• Fail-closed
  • Blocks all traffic during a failure, prioritizing security over connectivity
  • Maintains security of your data and your network but this will fully interrupt your network connectivity and prevent any normal firewall operations to occur during this failed state.
• The choice depends on the organization's security policy and the criticality of the network segment protected by a device
• Example:
  • A data center that's used to store all the organization's sensitive financial data might opt to use a failed-closed mode to maintain the security of the data
  • A guest wireless network might prefer a fail-open mode to ensure continuity