How to Implement Secure Design Principles in Network Architecture

This section addresses the design aspects of networking, focusing on security. While networking’s primary function is to
enable communication, security will ensure that the communication is between authorized devices only and the
communication is private when needed.

• Open System Interconnection (OSI) and Transmission Control Protocol/Internet Protocol (TCP/IP) models. The Open Systems Interconnection (OSI) model is the more common of the two prevailing network models. However, in the context of CISSP, you must also be aware of the TCP/IP model and how it compares to the OSI model. The TCP/IP model uses only four layers, while the OSI model uses seven. The following table summarizes
  the layers of each model.

 

• Layer Number                   OSI Model                     TCP/IP Model
  7                                           Application
  6                                           Presentation                  Applications
  5                                           Session
  4                                           Transport                      TCP (host to host)
  3                                           Network IP
  2                                           Data link                        Network access
  1                                            Physical

 

• Many people use mnemonics to memorize the OSI layers. One popular mnemonic for the OSI layers is “All People Seem To Need Data Processing.”

 

• Internet Protocol (IP) networking. IP networking is what enables devices to communicate. IP provides the
  foundation for other protocols to be able to communicate. IP itself is a connectionless protocol. IPv4 is for 32-bit addresses, and IPv6 is for 128-bit addresses. Regardless of which version you use to connect devices, you then typically use TCP or UDP to communicate over IP. TCP is a connection-oriented protocol that provides reliable communication, while UDP is a connectionless protocol that provides best-effort communication. Both protocols use standardized port numbers to enable applications to communicate over the IP network.

 

• Implications of multilayer protocols. Some protocols simultaneously use multiple layers of the OSI or TCP/IP model to communicate, and traverse the layers at different times. The process of traversing theses layers is called encapsulation. For example, when a Layer 2 frame is sent through an IP layer, the Layer 2 data is encapsulated into a Layer 3 packet, which adds the IP-specific information. Additionally, that layer can have other TCP or UDP data added to it for Layer 4 communication.

 

• Converged protocols. Like encapsulation, converged protocols enable communication over different mediums. For example, FCoE sends typical fibre channel control commands over Ethernet. Voice over IP (VoIP) sends SIP or other voice protocols over typical IP networks. In most cases, this provides simplicity, since the same infrastructure can be used for multiple scenarios. However, it can also add complexity by introducing more protocols and devices to manage and maintain on that same infrastructure.

 

• Software-defined networks. As networks, cloud services and multi-tenancy grow, the need to manage these networks has changed. Many networks follow either a two-tier (spine/leaf or core/access) or a three-tier (core, distribution, edge/access) topology. While the core network might not change that frequently, the edge or access devices can communicate with a variety of devices types and tenants. Increasingly, the edge or access switch is a virtual switch running on a hypervisor or virtual machine manager. You must be able to add a new subnet or VLAN or make other network changes on demand. You must be able to make configuration changes programmatically across multiple physical devices, as well as across the virtual switching devices in the topology. A software-defined network enables you to make these changes for all devices types with ease.

 

• Wireless networks. Wireless networks can be broken into the different 802.11 standards. The most common protocols within 802.11 are shown in the table below. Additional protocols have been proposed to IEEE, including ad, ah, aj, ax, ay and az. You should be aware of the frequency that each protocol uses.

 

• 802.11 protocol                              Frequency                            Data stream rate
  a                                                               5 GHz                                         Up to 54 Mbps
  b                                                               2.4 GHz                                     Up to 11 Mbps
  g                                                               2.4 GHz                                     Up to 54 Mbps
  n                                                               2.4–5 GHz                                Up to 600 Mbps
  ac                                                              5 GHz                                       Up to 3466 Mbps
  You should also be familiar with the wireless security standards:
• Wired Equivalent Privacy (WEP). WEP is a legacy security algorithm for wireless networks. Originally, it
  was the only encryption protocol for 802.11a and 802.11b networks. WEP used 64-bit to 256-bit keys, but
  with a weak stream cipher. WEP was deprecated in 2004 in favor of WPA and WPA2. Today, WEP should be avoided.

 

• Wi-Fi Protected Access (WPA). WPA uses Temporal Key Integrity Protocol (TKIP) with a 128-bit per-packet key. However, WPA is still vulnerable to password cracking from packet spoofing on a network. WPA typically uses a pre-shared key (PSK) and Temporal Key Integrity Protocol (TKIP) for encryption. This is known as WPA Personal (which is typically used in a home environment). There is also a WPA Enterprise which can use certificate authentication or an authentication server (such as a RADIUS server).

 

• Wi-Fi Protected Access II (WPA 2). WPA2 is the current standard for wireless encryption. WPA2 is based
  on the Advanced Encryption Standard (AES) cipher with message authenticity and integrity checking. AES is stronger than TKIP. Like WPA, WPA2 offers a PSK mode (for home or small business) and an enterprise
  mode (known as WPA2-ENT). WPA2-ENT uses a new encryption key each time a user connects. The password is not stored on the client devices (unlike PSK mode, which stores the passwords locally on
  clients). Regardless of the security method you use, you should also use TLS or IPsec for network communication. Finally, remember that wireless networks use collision avoidance, instead of the collision detection used on wired networks.

 

Learn More:

• Training and Solutions