Day 3

The document provides an overview of virtual networking, highlighting its benefits and components such as virtual switches, routers, and interfaces. It discusses the advantages of virtualization, including cost reduction, flexibility, and improved disaster recovery. Additionally, it covers network access control concepts, security zones, and the importance of network segmentation in enhancing security and managing resources effectively.

Uploaded by jaymit sarena

Network Infrastructure Security

Title: Virtual Network Basics

Introduction to Virtual Networks:

• Virtual networking enables communication between multiple computers, virtual
  machines (VMs), virtual servers, or other devices across different office and data
  center locations.

• It uses virtualized versions of traditional network tools, such as switches and network
  adapters, allowing for more efficient routing and easier network configuration changes.

Physical Network vs. Virtual Network

Hardware
  Physical network: Requires physical hardware such as cables, routers, switches, and servers.
  Virtual network: Requires minimal hardware, such as a host server and a physical NIC.

Software
  Physical network: Requires less software, such as drivers and protocols.
  Virtual network: Requires more software, such as virtual switches, network adapters, firewalls, and security software.

Connectivity
  Physical network: Connects computers and devices through cabling and other hardware.
  Virtual network: Connects computers and virtual machines through software and wireless technology.

Management
  Physical network: Requires more manual configuration and maintenance of hardware.
  Virtual network: Requires more software-based configuration and management of network services.

Flexibility
  Physical network: Less flexible and scalable, as it depends on the availability of hardware resources.
  Virtual network: More flexible and scalable, as it can create multiple virtual networks on a single physical network.

1. Virtual Switches

Definition: A virtual switch is a software-based network switch that allows virtual
machines (VMs) to communicate with each other and with external networks. It
operates at Layer 2 (Data Link Layer) of the OSI model.

• Key Features:
  - Isolation: Virtual switches can isolate traffic between different VMs, ensuring
    that data is not inadvertently shared between them unless explicitly
    configured.
  - Traffic Management: They can manage traffic flows, apply Quality of Service
    (QoS) policies, and monitor network performance.
  - Integration with Hypervisors: Virtual switches are typically integrated with
    hypervisors (like VMware ESXi, Microsoft Hyper-V, or KVM), allowing them to
    connect VMs to the physical network.

• Types: Common types of virtual switches include:
  - Standard Virtual Switches: Basic functionality for connecting VMs to each
    other and to the external network.
  - Distributed Virtual Switches: Provide centralized management for multiple
    hosts, allowing for consistent network policies across a cluster of hypervisors.

2. Virtual Routers

Definition: A virtual router is a software-based router that performs routing functions
for virtual networks. It operates at Layer 3 (Network Layer) of the OSI model.

• Key Features:
  - Routing Capabilities: Virtual routers can route traffic between different subnets,
    manage IP address assignments, and implement routing protocols (like OSPF,
    BGP).
  - Network Address Translation (NAT): They can perform NAT to allow VMs to
    access external networks while hiding their internal IP addresses.
  - Firewall and Security: Virtual routers often include firewall capabilities to control
    traffic flow and enhance security.
  - Scalability: Virtual routers can be scaled up or down based on demand, allowing
    for flexible network architectures.

3. Virtual Network Interfaces

Definition: A virtual network interface (often referred to as a virtual NIC or vNIC) is a
software-based representation of a physical network interface card (NIC) that allows
VMs to connect to virtual networks.

• Key Features:
  - Multiple Interfaces: VMs can have multiple virtual NICs, allowing them to
    connect to different networks or subnets.
  - MAC Address Assignment: Each virtual NIC is assigned a unique MAC
    address, enabling proper network communication.
  - Configuration: Virtual NICs can be configured with different network settings,
    such as IP addresses, VLAN tags, and security policies.
  - Performance Monitoring: Virtual NICs can be monitored for performance
    metrics, such as bandwidth usage and packet loss.

Use Cases

• Data Centers: Virtual switches and routers are essential for managing the complex
  networking needs of modern data centers, enabling efficient resource utilization and
  isolation.

• Cloud Services: Cloud providers use virtual networking to offer customers isolated
  environments, allowing for secure and scalable applications.

• Development and Testing: Developers can create virtual networks to test
  applications in isolated environments without the need for physical hardware.

Virtualization:

Virtualization is the creation of virtual computer systems, known as virtual machines
(VMs), that can be deployed, managed, and moved freely across infrastructure without
being constrained by hardware dependencies.

Types of Virtualization:

• Application virtualization – Deploying applications within a VM makes it possible for
  them to run on hardware with an otherwise incompatible operating system. Users can
  access virtualized applications remotely on any connected device, allowing for a more
  flexible and mobile work experience while keeping management centralized.

• Storage virtualization – Multiple physical storage devices can be consolidated and
  managed as a single pool, allowing more flexible and efficient use of their combined
  capacity. With data virtualization, a related technology, a virtual layer integrates data
  from different sources to provide a unified view for the applications that use it.

• Desktop virtualization – Users access their applications and files in a centrally
  stored and managed virtual desktop rather than the local desktop on their physical
  endpoint. As with application virtualization, this enables greater flexibility in where
  people work and the hardware they use while simplifying IT.

• Server virtualization – A single physical server is partitioned into multiple virtual
  servers that can run independently of each other while sharing RAM, CPU, and
  storage resources. The benefits of server virtualization extend from optimized capacity
  utilization to better uptime, making it one of the most valuable and commonly adopted
  forms of virtualization technology.

• Network virtualization – Hardware and software network functionality is abstracted
  into a virtual network with a simplified representation of nodes and links. Multiple LANs
  can be combined into a single virtual network (VLAN), and a single LAN can be
  subdivided into multiple VLANs. You can also use network virtualization to emulate a
  physical network within a single server.

6 Top Benefits of Virtualization:

i. Lower expenses:
  • By enabling multiple VMs – each with its own self-contained operating system
    – to share the compute, memory, and storage resources of a single physical
    server, organizations can reduce the total number of servers needed to run
    their workloads.
  • In turn, this also lowers costs for power, cooling, and data center space.

ii. Rapid flexibility and scalability:
  • In the hardware-based days, it could take weeks or months for a company
    to deploy a new server or shift workloads from one location to another.
  • That’s much too slow to keep pace with variable demand and changing
    business requirements. Now, organizations can spin up and move VMs in
    minutes whenever and wherever they’re needed.

iii. Improved disaster recovery and business continuity:
  • When a physical device goes down, it can take hours or days to repair it –
    leaving a gap in the organization’s available resources. When a VM fails,
    on the other hand, IT can simply deploy a clone and resume normal
    operations.
  • High-availability configurations no longer call for a pool of duplicate
    physical servers to sit idle; instead, the business can keep duplicate VMs
    on standby for deployment on any available server capacity.

iv. Increased IT efficiency and productivity:
  • IT teams used to spend endless hours installing, updating, maintaining,
    and backing up software device by device across the organization.
  • One key benefit of virtualization is the ability to shift most of these tasks to
    centrally stored and managed VMs.

v. Better performance and availability:
  • Balancing workloads across physical resources and mitigating the impact
    of failed devices can be a full-time job.
  • With virtualization, IT Ops teams can move VMs easily across the IT
    infrastructure to load-balance workloads and resolve bottlenecks.

vi. Faster development:
  • Developers can’t move at agile speed if they have to wait for IT to
    provision physical servers for development and testing.
  • A key advantage of virtualizing services is the ability of DevOps teams to
    quickly spin up VMs replicating the production environment for
    development and testing.

Tools for Creating Virtual Networks

1. VirtualBox
Description: Open-source virtualization software that allows users to run
multiple operating systems on a single machine.

Features:
• Supports various guest operating systems.
• Offers features like snapshots, shared folders, and virtual networking.
• Allows the creation of internal networks, host-only networks, and NAT
  networks.

2. VMware
Description: A suite of virtualization products, including VMware Workstation
and VMware Fusion, that enables users to run multiple operating systems on a
single machine.

Features:
• Advanced networking options, including NAT, bridged, and host-only
  networking.
• Support for virtual switches and VLANs.
• Integration with VMware vSphere for enterprise-level virtualization.

3. Hyper-V
Description: A virtualization platform built into Windows Server and Windows 10/11
Pro and Enterprise editions.

Features:
• Supports virtual switches for network configuration.
• Offers features like virtual network adapters and network isolation.
• Integration with Windows networking features.

4. OpenStack
Description: An open-source cloud computing platform for creating and managing
large groups of virtual machines.

Features:
• Provides networking services through Neutron.
• Supports advanced networking features like load balancing, VPN, and
  firewalls.
• Suitable for building private and public clouds.

Network Access Control Concepts

1. Network Access Control (NAC):
  • NAC is a security solution that enforces policies for controlling access to
    network resources based on the identity and compliance of devices
    attempting to connect to the network.

2. Authentication and Authorization:
  • Authentication: Verifying the identity of a user or device (e.g., using
    usernames, passwords, or certificates).
  • Authorization: Granting or denying access to resources based on the
    authenticated identity and defined policies.

3. Protocols:
  • 802.1X: A network access control protocol that provides an authentication
    mechanism for devices wishing to connect to a LAN or WLAN. It uses EAP
    (Extensible Authentication Protocol) for communication between the client,
    the authenticator (e.g., a switch or access point), and the authentication
    server.
  • RADIUS (Remote Authentication Dial-In User Service): A protocol used for
    remote user authentication and accounting. It is often used in conjunction with
    802.1X to authenticate users and devices.

4. Role-Based Access Control (RBAC):
  • A method of regulating access to network resources based on the roles of
    individual users within an organization. Users are assigned roles, and each
    role has specific permissions.

5. MAC Address Filtering:
  • A security access control method whereby the network allows or denies
    access to devices based on their MAC addresses. While it can provide a
    basic level of security, it is not foolproof, as MAC addresses can be spoofed.

6. Guest Network Isolation:
  • The practice of creating a separate network for guests to ensure that they do not
    have access to internal network resources. This helps protect sensitive
    data and systems from unauthorized access.

Diagram of Network Access Control (NAC)

Figure 1.1: NAC


Security Zones and Network Segmentation

1. Research the Concept of Security Zones:
  • Demilitarized Zone (DMZ): A DMZ is a physical or logical subnetwork that
    contains and exposes an organization’s external-facing services to an
    untrusted network, typically the internet.
  • The purpose of a DMZ is to add an additional layer of security to an
    organization’s local area network (LAN). By segregating the external services
    from the internal network, organizations can better protect sensitive data and
    resources.
  • Internal Zone: This zone contains the organization's internal resources, such
    as databases, file servers, and internal applications. Access to this zone is
    typically restricted to authorized users and devices.
  • External Zone: This zone represents the untrusted network, usually the
    internet. It is where external users and systems reside, and it is critical to
    implement strict controls to prevent unauthorized access to internal
    resources.

2. Study the Benefits of Network Segmentation:
  • Limiting Lateral Movement: By segmenting the network, organizations can
    restrict the ability of attackers to move laterally within the network. If an
    attacker gains access to one segment, they may be unable to access other
    segments without additional credentials or permissions.
  • Improved Containment: In the event of a security breach, segmentation can
    help contain the incident to a specific zone, minimizing the impact on the
    overall network.
  • Enhanced Monitoring and Compliance: Segmented networks allow for
    more focused monitoring and logging of traffic, making it easier to detect
    anomalies and comply with regulatory requirements.
  • Tailored Security Policies: Different segments can have customized
    security policies based on the sensitivity of the data and the level of risk
    associated with that segment.

3. Explore Tools for Implementing Segmentation:
  • Firewalls: Firewalls can be used to enforce security policies between
    different zones, controlling traffic flow and preventing unauthorized access.
  • Virtual Local Area Networks (VLANs): VLANs allow for logical
    segmentation of networks within the same physical infrastructure. By
    grouping devices into VLANs, organizations can isolate traffic and apply
    specific security policies.
  • Software-Defined Networking (SDN): SDN enables dynamic management
    of network resources and can facilitate segmentation by allowing for the
    creation of virtual networks that can be easily adjusted based on security
    needs.
  • Micro-segmentation Tools: These tools provide granular control over
    network traffic, allowing organizations to create secure zones within their data
    centers or cloud environments.

Key Concepts:

1. Demilitarized Zone (DMZ) and Its Purpose:
  • The DMZ serves as a buffer zone between the internal network and the
    external network.
  • It typically hosts services that need to be accessible from the internet, such as
    web servers, email servers, and DNS servers.
  • By placing these services in a DMZ, organizations can protect their internal
    network from direct exposure to external threats.

2. Micro-segmentation for Enhanced Security:
  • Micro-segmentation involves dividing the network into smaller, more
    manageable segments, often at the workload level.
  • This approach allows for more precise control over traffic flows and security
    policies, reducing the attack surface and limiting the potential impact of a
    breach.

3. Segmentation in Cloud Environments:
  • In cloud environments, segmentation can be achieved through the use of
    virtual networks, security groups, and access control lists (ACLs).
  • Cloud providers often offer tools and services that facilitate segmentation,
    allowing organizations to implement security measures that align with their
    specific needs.
  • Proper segmentation in the cloud helps protect sensitive data and
    applications from unauthorized access and potential breaches.


Case Study: Network Segmentation Preventing a Real-World Breach

Network segmentation plays a crucial role in enhancing security by creating isolated
zones within a network. This case study examines how a prominent state university
successfully implemented network segmentation to protect its building automation
systems as part of a statewide smart campus initiative.

Implementation of Network Segmentation:

• Segregation of Systems:
  - The university divided its network into distinct segments, including separate
    zones for building automation systems, administrative functions, and public
    access areas. This segregation ensured that sensitive systems were isolated
    from less secure areas of the network.

• Access Controls:
  - Strict access controls were enforced, allowing only authorized personnel to
    access critical systems. This limited the potential for unauthorized access and
    reduced the attack surface.

• Monitoring and Alerts:
  - Continuous monitoring of network traffic was established, with alerts
    configured to notify security teams of any suspicious activity. This proactive
    approach enabled quick responses to potential threats.

Benefits Realized:

• Reduced Risk of Lateral Movement:
  - By segmenting the network, the university effectively limited the ability of
    attackers to move laterally within the network. In the event of a breach in one
    segment, the attackers would face barriers preventing them from accessing
    other critical systems.

• Enhanced Incident Response:
  - The segmentation allowed for more focused incident response efforts. If a
    security incident occurred, the university could quickly isolate the affected
    segment, minimizing the impact on the overall network.

• Improved Compliance:
  - The implementation of segmentation helped the university meet regulatory
    compliance requirements by ensuring that sensitive data was adequately
    protected and access was controlled.


Basic Firewall Concepts

• Firewalls prevent unauthorized Internet users from accessing private
  networks connected to the Internet, especially intranets.

• A firewall is a software- or hardware-based network security system that
  controls incoming and outgoing network traffic by analyzing the data
  packets and determining whether they should be allowed through or not,
  based on an applied rule set.

Figure 1.2: Firewall

Types of Firewalls

1. Packet-Filtering Firewalls:
  • Function: These firewalls inspect packets at the network layer. They allow or
    block traffic based on predefined rules such as IP addresses, port numbers,
    and protocols.
  • Pros: Simple and fast; minimal impact on network performance.
  • Cons: Limited in functionality; cannot track the state of connections.


Figure 1.3: Packet-Filtering Firewall

2. Stateful Firewalls:
  • Function: These firewalls maintain the state of active connections and make
    decisions based on the context of the traffic (i.e., whether a packet is part of
    an established connection).
  • Pros: More secure than packet-filtering firewalls; can track the state of
    connections.
  • Cons: More complex and resource-intensive than packet-filtering firewalls.

Figure 1.4: Stateful Firewall
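Added example (not from the original notes): a minimal Python connection tracker that shows the difference between the two firewall types above. A stateless "allow inbound from source port 80" rule lets any packet carrying that source port through, while the stateful filter admits inbound packets only when they match a connection the internal side opened or an explicitly exposed port. The addresses, ports and the 10.0.0.0/8 internal range are constructed for the example.

```python
import ipaddress
from typing import NamedTuple, FrozenSet


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: FrozenSet[str]      # TCP flags, e.g. frozenset({"SYN"})


def stateless_allows(p, internal="10.0.0.0/8"):
    """The packet-filter rule a stateless firewall needs so web replies get back in:
    'allow inbound tcp from any source port 80 to the internal network'. It cannot
    tell a genuine reply from any other packet that uses source port 80."""
    return (p.proto == "tcp" and p.sport == 80
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(internal))


class StatefulFilter:
    """Connection-tracking filter (teaching model, constructed for this example).
    Inbound packets pass only if they belong to a connection the internal side
    initiated, or target an explicitly exposed service port."""

    def __init__(self, internal="10.0.0.0/8", exposed_ports=()):
        self.internal = ipaddress.ip_network(internal)
        self.exposed_ports = set(exposed_ports)
        self.table = {}   # normalised 5-tuple -> "SYN_SENT" or "ESTABLISHED"

    def _is_internal(self, ip):
        return ipaddress.ip_address(ip) in self.internal

    @staticmethod
    def _key(p):
        # Both directions of one connection must map to the same table entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def process(self, p):
        key = self._key(p)
        state = self.table.get(key)
        if self._is_internal(p.src):
            # Outbound: a SYN opens a new entry; later packets ride on it.
            if state is None:
                if "SYN" not in p.flags:
                    return "deny"          # mid-stream packet, no known connection
                self.table[key] = "SYN_SENT"
            return "allow"
        # Inbound: must match tracked state or an exposed service.
        if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            self.table[key] = "ESTABLISHED"
            return "allow"
        if state == "ESTABLISHED":
            return "allow"
        if state is None and "SYN" in p.flags and p.dport in self.exposed_ports:
            self.table[key] = "ESTABLISHED"   # e.g. a published web server
            return "allow"
        return "deny"                          # unsolicited inbound packet
```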


3. Next-Generation Firewalls (NGFW):
  • Function: These firewalls combine traditional firewall capabilities with
    additional features such as deep packet inspection, intrusion prevention
    systems (IPS), and application awareness.
  • Pros: Provide comprehensive security; can identify and block sophisticated
    threats.
  • Cons: More expensive and require more resources to manage.

Figure 1.5: Next-Generation Firewall

Firewall Rule Creation and Management

• Rule Creation:
  - Rules are created to define what traffic is allowed or denied. Each rule
    typically includes:
    - Source IP address
    - Destination IP address
    - Protocol (TCP, UDP, etc.)
    - Source and destination ports
    - Action (allow or deny)

• Rule Management:
  - Order of Rules: Rules are processed in order, so the sequence can
    affect the outcome. More specific rules should be placed before
    general rules.
  - Testing and Validation: Always test rules in a controlled environment
    before deploying them to production.
  - Regular Review: Periodically review and update rules to adapt to
    changing network conditions and threats.

Inbound vs. Outbound Traffic Rules

• Inbound Traffic Rules:
  - Control the traffic coming into the network from external sources.
  - Commonly used to protect servers and services exposed to the
    internet (e.g., web servers, email servers).

• Outbound Traffic Rules:
  - Control the traffic leaving the network to external destinations.
  - Important for preventing data exfiltration and controlling user
    access to external resources.
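As an added example (not part of the original notes), the following Python implements the rule fields listed under Rule Creation, first-match evaluation with an implicit default deny, inbound and outbound directions, and a check for shadowed rules that shows why specific rules must come before general ones. The zone ranges (external, a DMZ web tier, an internal zone), rule names and ports are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone addressing for this example (documentation/private ranges).
EXTERNAL = ipaddress.ip_network("0.0.0.0/0")     # the untrusted external zone
DMZ = ipaddress.ip_network("192.0.2.0/24")       # web tier in the DMZ
INTERNAL = ipaddress.ip_network("10.10.0.0/16")  # internal zone (databases etc.)


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                 # "inbound" (toward protected zones) or "outbound"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                     # "tcp", "udp" or "any"
    dport: Optional[int]           # None means any destination port
    action: str                    # "allow" or "deny"

    def matches(self, direction, src, dst, proto, dport):
        return (self.direction == direction
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules, direction, src, dst, proto, dport):
    """First-match evaluation: the first rule that matches decides the packet.
    A packet that matches nothing falls through to an implicit default deny."""
    for rule in rules:
        if rule.matches(direction, src, dst, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


def shadowed_rules(rules):
    """Find rules that can never fire because an earlier rule is at least as broad
    in every field (the 'general before specific' ordering mistake). Returns
    (shadowed_rule_name, earlier_rule_name) pairs."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.direction == later.direction
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                found.append((later.name, earlier.name))
                break
    return found


# Correctly ordered DMZ rule set: the specific allows precede the broad deny.
RULES = [
    Rule("web-in", "inbound", EXTERNAL, DMZ, "tcp", 443, "allow"),
    Rule("dmz-to-db", "inbound", DMZ, INTERNAL, "tcp", 5432, "allow"),
    Rule("block-internal", "inbound", EXTERNAL, INTERNAL, "any", None, "deny"),
    Rule("lan-out", "outbound", INTERNAL, EXTERNAL, "any", None, "allow"),
]

# Same rules with the broad deny moved to the top: "dmz-to-db" becomes dead.
BAD_ORDER = [RULES[2], RULES[1], RULES[0], RULES[3]]
```

Running shadowed_rules over a rule set before deployment is the kind of check the Testing and Validation step above calls for.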

Application-Layer Filtering

• Function: This involves inspecting the data within the packets at the
  application layer (Layer 7 of the OSI model).
• It allows firewalls to make decisions based on the content of the traffic, such
  as blocking specific applications or protocols (e.g., blocking peer-to-peer file
  sharing).
• Benefits: Provides a higher level of security by understanding the context of
  the traffic, allowing for more granular control.

Logging and Monitoring Firewall Activity

• Logging: Firewalls can log traffic data, including allowed and denied connections,
  which is crucial for auditing and troubleshooting.
• Monitoring: Continuous monitoring of firewall logs helps identify unusual patterns or
  potential security incidents.
• Alerts: Configuring alerts for specific events (e.g., repeated denied access attempts)
  can help in proactive threat detection.
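Added example (not from the original notes): detection logic for the "repeated denied access attempts" alert mentioned above, run over constructed firewall log lines in an assumed simple text format. It parses the lines, produces the allowed/denied counts an audit would report, and raises one alert per source that exceeds a deny threshold inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DENY tcp 198.51.100.7:51000 -> 10.10.1.5:22
2024-05-01T10:00:02Z DENY tcp 198.51.100.7:51001 -> 10.10.1.5:23
2024-05-01T10:00:03Z ALLOW tcp 203.0.113.9:43210 -> 192.0.2.10:443
2024-05-01T10:00:04Z DENY tcp 198.51.100.7:51002 -> 10.10.1.5:3389
2024-05-01T10:00:05Z DENY tcp 198.51.100.7:51003 -> 10.10.1.6:22
2024-05-01T10:00:06Z DENY udp 203.0.113.9:53000 -> 10.10.1.5:161
2024-05-01T10:20:00Z DENY tcp 198.51.100.7:51004 -> 10.10.1.5:22
"""

LINE_RE = re.compile(
    r"^(\S+) (ALLOW|DENY) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "action": m.group(2), "proto": m.group(3),
            "src": m.group(4), "dst": m.group(6), "dport": int(m.group(7)),
        })
    return events


def summary(events):
    """Allowed vs. denied counts, the kind of figure a daily audit report carries."""
    return {a: sum(1 for e in events if e["action"] == a) for a in ("ALLOW", "DENY")}


def repeated_denies(events, threshold=3, window=timedelta(minutes=5)):
    """Raise one alert per source IP that accumulates `threshold` or more DENY
    events within a sliding `window`. The destination ports touched are included
    so an analyst can tell a port sweep from one misconfigured client."""
    alerts, recent, alerted = [], defaultdict(list), set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] != "DENY":
            continue
        # Keep only this source's denies that still fall inside the window.
        q = [x for x in recent[e["src"]] if e["ts"] - x["ts"] <= window]
        q.append(e)
        recent[e["src"]] = q
        if len(q) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({
                "src": e["src"], "count": len(q),
                "ports": sorted({x["dport"] for x in q}),
                "first": q[0]["ts"], "last": e["ts"],
            })
    return alerts
```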
