Apply Security Principles to Secure Enterprise Infrastructure PDF
Document Details
Uploaded by barrejamesteacher
Summary
This document details security principles related to enterprise infrastructure. It discusses important architectural considerations for security, protocols, and solutions for secure communication. The document also covers various aspects of network security, including device placement, security zones, attack surface, and network appliances.
Full Transcript
Apply Security Principles to Secure Enterprise Infrastructure - GuidesDigest Training

Chapter 3: Security Architecture

Ensuring that enterprise infrastructure remains secure is a top priority for organizations today. Many architectural decisions shape the security posture, and the wrong choice can be catastrophic. This chapter examines those decisions and shows how to apply key security principles to real-world scenarios.

Infrastructure Considerations

The physical and virtual components that make up an organization's infrastructure lay the foundation for its security. The primary considerations are:

• Device Placement: Where routers, switches, and servers sit in the topology matters. Devices handling sensitive data should be placed deeper within the network, behind firewalls and other enforcement points, so that an attacker must cross several controls to reach them.
• Security Zones: Distinct portions of a network with their own security requirements and with controlled traffic flows between them. A DMZ (demilitarized zone) is a common zone where public-facing servers, such as web servers, are placed; it isolates them from the internal network so that a compromised web server does not give direct access to internal systems.
• Attack Surface: The sum of all the points at which an attacker can try to enter a system or extract data: listening services, open ports, installed applications, exposed interfaces, and user accounts. Removing unnecessary services, applications, and open ports reduces the attack surface and therefore the number of available attack vectors.
• Connectivity: Every connection a device or system has is a potential entry point. Network connections, including VPN links, peering, and management interfaces, should be inventoried regularly and unnecessary ones removed.
• Failure Modes:
  ◦ Fail-open: On failure the device defaults to an "open" state and passes traffic or grants access unchecked. This favors availability over security; a firewall that fails open stops enforcing its policy.
  ◦ Fail-closed: On failure the device defaults to a "closed" state and denies all traffic or access. This favors security over availability and is the usual choice for security enforcement points, at the cost of an outage when the control itself fails.
• Device Attributes:
  ◦ Active vs. Passive: Active devices, such as switches, routers, and inline firewalls, handle traffic and can act on it (forward, drop, or modify it). Passive devices, such as sensors, only observe and report.
  ◦ Inline vs. Tap/Monitor: An inline device sits in the traffic path and can block or alter traffic, which is also why its failure mode matters. A tap or monitor (SPAN) device receives a copy of the traffic and can only observe it.
• Network Appliances:
  ◦ Jump Server: A hardened host that sits between two security zones and is the only permitted path for administrative access to the more sensitive zone; every session passes through it and can be logged and monitored.
  ◦ Proxy Server: An intermediary for client requests to resources. It can control and monitor internet usage and hides the internal network by making requests on the clients' behalf.
  ◦ IPS/IDS: An Intrusion Detection System (IDS) monitors traffic and alerts on suspicious activity; an Intrusion Prevention System (IPS) sits inline and can also block or drop malicious traffic.
  ◦ Load Balancer: Distributes network or application traffic across multiple servers so that no single server is overwhelmed; it can also terminate TLS and hide backend addresses.
  ◦ Sensors: Devices or applications that monitor specific conditions in the network and report them to a management or analysis system.
• Port Security:
  ◦ 802.1X: The IEEE standard for port-based network access control. A device (the supplicant) must authenticate through the switch or access point (the authenticator) to an authentication server, typically RADIUS, before its port is allowed to carry normal traffic. It applies to both wired and wireless networks.
  ◦ Extensible Authentication Protocol (EAP): The authentication framework carried by 802.1X, with methods such as certificate-based EAP-TLS; it is also used on point-to-point connections.
• Firewall Types:
  ◦ Web Application Firewall (WAF): Protects web applications by inspecting HTTP requests and responses for attacks such as injection and path traversal.
  ◦ Unified Threat Management (UTM): One appliance that combines several security functions, such as firewall, IPS, anti-malware, content filtering, and VPN.
  ◦ Next-Generation Firewall (NGFW): Combines traditional stateful filtering with application awareness, deep packet inspection, and an integrated IPS; many products also add TLS inspection and traffic-shaping (QoS) controls.
  ◦ Layer 4/Layer 7: Refers to the OSI layer at which a firewall makes its decisions. A Layer 4 firewall decides on transport-layer data (IP addresses, ports, protocol, connection state) and cannot see application content; a Layer 7 firewall understands the application protocol and can decide on HTTP methods, URLs, or payloads.

Secure Communication/Access

Secure communication is paramount in ensuring data integrity and confidentiality.
Several protocols and solutions facilitate this:

• Virtual Private Network (VPN): Builds an encrypted, authenticated tunnel between a client (or site) and a VPN gateway so that traffic crossing untrusted networks such as the internet remains confidential and tamper-evident.
• Remote Access: Allows users to connect to the network from outside it. Because it is a direct path into the network, remote access must be authenticated (preferably with multifactor authentication) and encrypted.
• Tunneling: Encapsulates private network data and protocol information so that it can be carried across a public network.
  ◦ Transport Layer Security (TLS): Provides communications security for an application session (for example, HTTPS) and is also the basis of many remote-access VPNs.
  ◦ Internet Protocol Security (IPSec): Authenticates and encrypts each IP packet. Transport mode protects the payload between two hosts; tunnel mode wraps the entire original packet and is used for site-to-site VPNs.
• Software-defined wide area network (SD-WAN): Simplifies the management and operation of a WAN by decoupling the networking hardware from its control mechanism, so that policy is applied centrally across all links.
• Secure access service edge (SASE): A cloud-delivered architecture that combines WAN capabilities (often SD-WAN) with network security functions such as secure web gateway, cloud access security broker, firewall-as-a-service, and zero-trust network access.

Selection of Effective Controls

Selecting effective controls means determining which security measures suit a given scenario. This requires balancing security, usability, and cost against the risk being addressed. For instance, biometric authentication may be highly secure, but for a low-risk application it may be excessive and add unnecessary cost.

Case Studies

1. ABC Tech's Remote Work Security Challenge: With the sudden shift to remote work, ABC Tech had to quickly ensure secure communication channels. This case covers their rapid deployment of VPNs and their move towards a SASE architecture.

Summary

Enterprise infrastructure is the bedrock on which organizational IT functions are built. Securing it is paramount given the range of threats in today's digital landscape. This chapter covered topics from network appliance selection to securing communication channels, all aimed at strengthening the enterprise's security posture.
Key Points

• Effective device placement and connectivity management can greatly reduce an organization's attack surface.
• Secure communication methods, such as VPNs and tunneling protocols, protect data confidentiality and integrity in transit.
• Proper selection of network appliances, and an understanding of what each one can and cannot see or block, strengthens an organization's defenses.

Practical Exercises

1. Simulate a Network: Using network simulation tools, set up a basic enterprise network and secure it using the principles discussed, for example by separating a DMZ from the internal network and restricting management access to a jump server.
2. VPN Set-Up Challenge: Set up a VPN and test its configuration with penetration-testing tools, checking, for example, which services remain reachable without the VPN and whether weak cipher suites are accepted.

Real-World Examples

1. The SolarWinds Breach: A supply-chain compromise in which a trojanized update of the Orion platform was distributed to customers; an exploration into how even sophisticated enterprises can fall victim to breaches and why every facet of the infrastructure, including the software supply chain, must be secured.
2. The Shift to Remote Work: How companies globally had to rethink their secure communication strategies with the rise of remote work during the COVID-19 pandemic.

Review Questions

1. How does a "fail-open" system respond when a failure occurs, and in what scenarios might it be considered a risk?
2. What is the primary purpose of a proxy server within an enterprise network?
3. Differentiate between an IPS and an IDS. Which one can actively prevent malicious activities?
4. Describe the importance and function of Secure Access Service Edge (SASE) in modern networks.

Study Tips

• Always visualize network configurations. A clear mental map of how data flows helps in spotting where traffic is and is not inspected.
• Engage in hands-on exercises; they cement theoretical knowledge and expose practical challenges.
• Regularly review recent real-world breaches to understand evolving threats and the importance of securing infrastructure effectively.
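Worked example for Practical Exercise 1, tying together the Layer 4/Layer 7 and Failure Modes points from the Infrastructure Considerations section. This is an added example written for this page, not code from GuidesDigest; the rule set, the sample packets, and the HTTP checks are constructed for illustration. The filter decides first on transport-layer attributes (protocol, destination port, source range), then, for plaintext HTTP ports only, inspects the request at Layer 7, and it makes the failure mode explicit: when the Layer 7 inspector cannot parse a payload, a fail-closed configuration denies the packet and a fail-open one lets it through.

```python
"""Toy Layer 4 / Layer 7 packet filter with an explicit failure mode.
Added example: a simulation, not a real firewall or network stack."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str              # source IP address
    dport: int            # destination port
    payload: bytes = b""  # application data carried by the packet, if any


@dataclass
class L4Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    src: Optional[str] = None    # CIDR prefix; None matches any source

    def matches(self, pkt: Packet) -> bool:
        # Layer 4 only ever sees protocol, addresses and ports, never the payload.
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        return True


# Hypothetical policy for a DMZ web server: first match wins, implicit default deny.
L4_RULES = [
    L4Rule("allow", "tcp", 80),
    L4Rule("allow", "tcp", 443),
    L4Rule("allow", "tcp", 22, src="10.0.0.0/8"),  # management only from the internal range
]

HTTP_PORTS = {80}                 # plaintext ports the Layer 7 inspector understands
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def inspect_http(payload: bytes) -> str:
    """Layer 7 check of one HTTP/1.x request.
    Returns "ok" or "deny:<reason>"; raises ValueError if the payload is not parseable."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII request") from exc
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        raise ValueError("malformed request line")
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return "deny:method"
    # Decode %2e%2e-style encodings before looking for directory traversal.
    if ".." in unquote(target).split("/"):
        return "deny:path-traversal"
    if not any(line.lower().startswith("host:") for line in lines[1:]):
        return "deny:missing-host"
    return "ok"


def filter_packet(pkt: Packet, fail_mode: str = "closed") -> Tuple[str, str]:
    """Return (decision, reason). fail_mode ("closed" or "open") decides what
    happens when the Layer 7 inspector itself fails on a packet."""
    rule = next((r for r in L4_RULES if r.matches(pkt)), None)
    if rule is None:
        return "deny", "l4:default-deny"
    if rule.action == "deny":
        return "deny", "l4:rule"
    if pkt.dport not in HTTP_PORTS:
        # e.g. 443: the TLS payload is opaque without termination, so Layer 4 has the last word.
        return "allow", "l4:allow"
    try:
        verdict = inspect_http(pkt.payload)
    except ValueError as exc:
        # The control itself failed: this is where the failure mode is decided.
        if fail_mode == "open":
            return "allow", f"l7:fail-open ({exc})"
        return "deny", f"l7:fail-closed ({exc})"
    if verdict == "ok":
        return "allow", "l7:ok"
    return "deny", "l7:" + verdict.split(":", 1)[1]


if __name__ == "__main__":
    # Constructed sample traffic: the traversal attempt passes Layer 4 (port 80 is
    # allowed) and is only caught at Layer 7; garbage on port 80 shows both failure modes.
    samples = [
        Packet("udp", "203.0.113.5", 53),
        Packet("tcp", "203.0.113.5", 22),
        Packet("tcp", "10.1.2.3", 22),
        Packet("tcp", "203.0.113.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        Packet("tcp", "203.0.113.5", 80, b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ]
    for p in samples:
        print(p.proto, p.src, p.dport, "->", filter_packet(p))
    garbage = Packet("tcp", "203.0.113.5", 80, b"\xff\xfe\x00")
    for mode in ("closed", "open"):
        print("garbage on port 80, fail-%s ->" % mode, filter_packet(garbage, fail_mode=mode))
```

The point to take from running it: the traversal request is indistinguishable from a legitimate one at Layer 4, because both are TCP to port 80 from the same source, so only the Layer 7 inspector can block it; and the same inspector is a single point of failure, which is why the failure mode of an inline control has to be a deliberate choice rather than whatever the exception handler happens to do.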
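Worked example for the Attack Surface and Connectivity considerations: a check that inventories listening sockets on a host and flags anything reachable beyond loopback that is not on an explicit allowlist, which is the concrete form of "remove unnecessary services and open ports". This is an added example for this page, not GuidesDigest code; the sample output in the format of `ss -Hltnp` (header suppressed, listening TCP sockets, numeric, with process names) and the allowlist for a hypothetical web-server role are constructed for illustration.

```python
"""Attack-surface check over `ss -Hltnp`-style output.
Added example with constructed data; run the real command and feed its output to audit()."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, not a real capture: one line per listening TCP socket.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511  0.0.0.0:80      0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128  127.0.0.1:5432  0.0.0.0:* users:(("postgres",pid=990,fd=5))
LISTEN 0 4096 0.0.0.0:111     0.0.0.0:* users:(("rpcbind",pid=601,fd=4))
LISTEN 0 128  0.0.0.0:6379    0.0.0.0:* users:(("redis-server",pid=1330,fd=6))
LISTEN 0 128  [::]:22         [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0 128  [::1]:631       [::]:*    users:(("cupsd",pid=700,fd=7))
"""

# Hypothetical allowlist for a web-server role: (process, port) pairs that are
# expected to be reachable from the network. Everything else exposed is a finding.
ALLOWLIST = {("sshd", 22), ("nginx", 80), ("nginx", 443)}

LOOPBACK = {"127.0.0.1", "::1"}
PROCESS_RE = re.compile(r'\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        """True if the socket is reachable from outside the host (not bound to loopback)."""
        return self.address not in LOOPBACK


def parse_ss(text: str) -> List[Listener]:
    """Parse the Local Address:Port and process columns of `ss -Hltnp` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # split on the last ':' (IPv6 safe)
        addr = addr.strip("[]")                      # "[::]:22" -> "::"
        m = PROCESS_RE.search(line)
        process = m.group(1) if m else "?"
        listeners.append(Listener(addr, int(port), process))
    return listeners


def audit(text: str) -> List[str]:
    """Return one finding per (process, port) that is exposed and not allowlisted."""
    findings = []
    seen = set()
    for lst in parse_ss(text):
        if not lst.exposed:
            continue                                 # loopback-only: not part of the network attack surface
        key = (lst.process, lst.port)
        if key in ALLOWLIST or key in seen:
            continue                                 # expected, or already reported on another address family
        seen.add(key)
        findings.append(f"{lst.process} listening on {lst.address}:{lst.port} is not on the allowlist")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT):
        print("FINDING:", finding)
```

Two design choices matter here: loopback-only listeners (the database and the print spooler in the sample) are deliberately not reported, because binding sensitive services to 127.0.0.1 is itself an attack-surface reduction, and the allowlist is keyed on process and port rather than port alone, so a process that unexpectedly takes over an allowed port still shows up. Tightening a finding means stopping the service, binding it to loopback, or adding a host firewall rule, then re-running the check.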