Cybersecurity – Attack and Defense Strategies - Third Edition

Product type: Book
Published in: Sep 2022
Publisher: Packt
ISBN-13: 9781803248776
Pages: 570
Edition: 3rd Edition
Authors: Yuri Diogenes, Dr. Erdal Ozkaya

Table of Contents (20 chapters)

Preface
1. Security Posture
2. Incident Response Process
3. What is a Cyber Strategy?
4. Understanding the Cybersecurity Kill Chain
5. Reconnaissance
6. Compromising the System
7. Chasing a User’s Identity
8. Lateral Movement
9. Privilege Escalation
10. Security Policy
11. Network Security
12. Active Sensors
13. Threat Intelligence
14. Investigating an Incident
15. Recovery Process
16. Vulnerability Management
17. Log Analysis
18. Other Books You May Enjoy
19. Index

Network Security

We started the defense strategy in the previous chapter by reinforcing the importance of having a strong and effective security policy. Now it’s time to continue with this vision by ensuring that the network infrastructure is secure, and the first step to doing that is to make sure the network is segmented, isolated, and that it provides mechanisms to mitigate intrusion. The Blue Team must be fully aware of the different aspects of network segmentation, from the physical to the virtual, and remote access. Even if companies are not fully cloud-based, they still need to think about connectivity with the cloud in a hybrid scenario, which means that security controls must also be in place to enhance the overall security of the environment, and network infrastructure security is the foundation for that.

In this chapter, we are going to cover the following topics:

  • The defense-in-depth approach
  • Physical network segmentation
  • Securing remote...

The defense-in-depth approach

Although you might think that this is an old method that doesn’t apply to today’s demands, the reality is that it still does, although you won’t be using the same technologies that you used in the past. The whole idea behind the defense-in-depth approach is to ensure that you have multiple layers of protection, that each layer has its own set of security controls, which end up delaying the attack, and that the sensors available in each layer alert you to whether or not something is happening. In other words, the goal is to break the attack kill chain before the mission is fully executed.

Below you have an example of a layered approach to defense in depth:

...

Layer | Security Controls
Data | Access control list, encryption, rights management

Physical network segmentation

One of the biggest challenges that the Blue Team may face when dealing with network segmentation is getting an accurate view of what is currently implemented in the network. This happens because, most of the time, the network will grow according to the demand, and its security features are not revisited as the network expands. For large corporations, this means rethinking the entire network and possibly rearchitecting the network from the ground up.

The first step to establishing an appropriate physical network segmentation is to understand the logical distribution of resources according to your company’s needs. This debunks the myth that one size fits all. In reality, it doesn’t; you must analyze each network case by case, and plan your network segmentation according to the resource demand and logical access. For small and medium-sized organizations, it might be easier to aggregate resources according to their departments—for...

Securing remote access to the network

The pandemic accelerated digital transformation, and even companies that were not ready to have remote employees suddenly had to adjust their infrastructure to enable remote access to their resources. Due to the criticality of the migration, many companies skipped the planning phase of this adoption and went straight to implementation, which can have negative effects when it comes to network security.

No network segmentation plan would be complete without considering the security aspects of remote access to your corporate network. Even if your company does not have employees who work from home, chances are that at some point an employee will be traveling and will need remote access to the company’s resources.

If this is the case, you need to consider not only your segmentation plan but also a network access control system that can evaluate the remote system prior to allowing access to the company’s network; this...

Virtual network segmentation

Security must be embedded in the network design, regardless of whether this is a physical network or a virtual network. In this case, we are not talking about VLANs, which were originally implemented on physical networks, but about virtualization. Let’s use the following diagram as our starting point:


Figure 11.10: A visualization of physical and virtual networks within a system

When planning your virtual network segmentation, you must first access the virtualization platform to see which capabilities are available. However, you can start planning the core segmentation using a vendor-agnostic approach, since the core principles are the same regardless of the platform, which is basically what the previous diagram is conveying. Note that there is isolation within the virtual switch; in other words, the traffic from one virtual network is not seen by the other virtual network.

Each virtual network can have its own subnet, and all VMs within...

Zero trust network

The whole idea of zero trust is to debunk the old mentality that there are “trusted networks.” In the past, most network diagrams were created using a perimeter, the internal network (also known as the trusted network), and the external network (also known as the untrusted network). The zero trust network approach basically means that all networks (internal and external) are untrustworthy; every network can by nature be considered a hostile place, where attackers may already reside.

To build a zero trust network you need to assume that threats exist regardless of location, and that a user’s credentials could be compromised, which means that attackers might already be inside your network. As you can see, a zero trust network is more a concept and an approach to network security than a technology per se.

Many vendors will advertise their own solutions to achieve a zero trust network, but at the end of the day, a zero trust network...
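The following is an added example (not code from the book or its authors) that ties the segmentation planning from the physical segmentation section to the zero trust stance above: segments are planned per department, and no segment, internal or external, is trusted by default, so every cross-segment flow must be explicitly allowed. All segment names, subnets and flow records are constructed for illustration.

```python
"""Segmentation policy checker (added example, not from the book)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed department segments with hypothetical addressing.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "finance": ipaddress.ip_network("10.10.0.0/24"),
    "engineering": ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.100.0.0/24"),
    "remote-vpn": ipaddress.ip_network("10.200.0.0/24"),
}

# Explicit allow list: (source segment, destination segment, destination port).
# Anything not listed is denied, including traffic between internal segments,
# which is the zero trust position: the internal network is not trusted either.
ALLOWED: List[Tuple[str, str, int]] = [
    ("finance", "servers", 443),
    ("engineering", "servers", 443),
    ("engineering", "servers", 22),
    ("remote-vpn", "servers", 443),
]

def segment_of(ip: str) -> Optional[str]:
    """Map an address to its planned segment, or None if it is unplanned."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None  # unknown address: no implicit segment, no implicit trust

def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one flow under default deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside any planned segment"
    if src == dst:
        # Segmentation controls inter-segment traffic; host-level controls
        # (the data layer of defense in depth) still apply within a segment.
        return "allow", f"intra-segment traffic within {src}"
    if (src, dst, dst_port) in ALLOWED:
        return "allow", f"{src} -> {dst}:{dst_port} is explicitly allowed"
    return "deny", f"{src} -> {dst}:{dst_port} not in allow list (default deny)"

def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[Tuple[str, str, int], str]]:
    """Run constructed flow records through the policy; return the denied ones."""
    return [(f, evaluate(*f)[1]) for f in flows if evaluate(*f)[0] == "deny"]
```

Feeding `audit()` a sample of observed flows (for example from NetFlow or firewall logs) shows which existing traffic the planned segmentation would break, which is the discovery step the chapter describes before rearchitecting.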

Hybrid cloud network security

With the pandemic, cloud adoption has accelerated in the past two years. According to 2021 Cloud Adoption Research (https://www.oreilly.com/pub/pr/3333) from O’Reilly, 90% of respondents indicated that their organizations are using cloud computing. In a nutshell, it is realistic to say that your organization will have some sort of connectivity to the cloud sooner or later, and according to the normal migration trend, the first step is to implement a hybrid cloud.

When designing your hybrid cloud network, you need to take everything that was previously explained in this chapter into consideration and plan how this new entity will integrate with your environment. Many companies will adopt the site-to-site VPN approach to directly connect to the cloud and isolate the segment that has cloud connectivity. While this is a good approach, usually a site-to-site VPN has an additional cost and requires extra maintenance. Another option is to use a direct...

Summary

In this chapter, you learned about the current needs when using a defense-in-depth approach, and how this old method should be used to protect against current threats. You learned about the different layers of protection and how to increase the security of each layer.

Physical network segmentation was the next topic covered, and here you learned about the importance of having a segmented network and how to correctly plan to implement that. You learned that network segmentation is not exclusively for on-premises resources, but also for remote users and remote offices. You also learned how it can be challenging for the Blue Team to plan and design this solution without accurately knowing the current network topology, and to address this problem, you learned about some tools that can be used during this discovery process. You learned the importance of segmenting virtual networks and monitoring hybrid cloud connectivity. You learned about the strategies to create a zero trust...
