Virtual Switch: Allows for connecting multiple network segments that are virtual.
Virtual Bridge: Allows you to connect a VM to a physical LAN adapter.
Virtual Host Adapter: Allows the VMs to communicate with the host computer.
NAT: Allows a connection to an external network when the adapter has only a single IP address.
DHCP Server: Provides IP addresses to virtual machines.
Ethernet Adapter: Any physical adapter installed on the host that connects to the network.
SDN: Software Defined Network. Functional separation of traffic based on software-defined configuration. Network virtualization through configurations of routes, protocols, and other network properties. Can be programmed for automation to allow adaptive routing based on network topology.
Virtual Network Configuration Options:
- Routers or Routing Tables
- CSP Regions or Zones
- Traffic Filters
Ports and Protocols
Well Known: 0 to 1,023
- These well-known port numbers are the ones most frequently targeted by attacks.
Registered Ports: 1,024 to 49,151
- Too system-specific to be targeted directly by attackers, but attackers may scan for open ports in this range. Registered with ICANN.
Dynamic or Private Ports: 49,152 to 65,535
- Constantly changing, so they cannot be targeted by number (PAT – Port Address Translation).
- 21 – FTP
- 22 – SSH
- 25 – SMTP
- 53 – DNS
- 80 – HTTP
- 110 – POP3
- 139 – NETBIOS
- 443 – SSL/TLS (HTTPS)
- 3389 – RDP (Remote Desktop Protocol)
Port and Protocol Security when Deploying to the Cloud
The following sources help determine port security:
- Application and service configuration guides.
- CSP security and deployment guides.
- Deployment guides from third-party consulting agencies.
- Use port scanning tools to determine which ports are used.
- A cipher is an algorithm used to encrypt and decrypt data.
- Plaintext to ciphertext is enciphering. Ciphertext to plaintext is deciphering.
- Ciphers alter single letters or bits to encrypt a message.
- Cryptanalysis is the term used for breaking codes or ciphers.
Network Security Options in the Cloud
- Flood Guards: Protect network against DDoS attacks (traffic storm).
- Loop Protection: Prevents packets getting forwarded over and over again.
- Port Security: Disable unnecessary services and close unused ports.
- Secure Router Configurations: Ensure that all routers are properly secured.
- Network Separation: Splitting networks into two or more logical networks helps separate critical network functions from lower priority functions.
- VLAN Management: Ability to quickly manage network to mitigate security risks.
- Implicit Deny: Deny access by default to network resources.
- Log Analysis: Regular monitoring.
Network Encryption Technologies
- IPSec – Secures data as it travels across a network or the internet. Has a tunnel mode and a transport mode; commonly used by VPNs.
- PPTP – Microsoft layer 2 protocol that increases security of PPP.
- L2TP – Internet standard protocol.
- SSH – Used for secure remote login and secure transfer of data.
- PKI – Public key encryption (CA, certificates, software, services, etc.)
- Digital Certificate – Electronic document that associates credentials with a public key.
- HTTPS – Secure version of HTTP that supports web commerce by providing a secure connection between a browser and a server.
- TLS and SSL – Security protocols that combine digital certificates for authentication with public key encryption.
VPNs (Virtual Private Networks)
- Remote Access
Network Segmentation and Security
Common network segmentation implementations for cloud deployments:
- DMZ (De-Militarized Zone)
- VXLAN (Virtual Extensible LAN) – VLAN only allows 4,096 network IDs to be assigned at any given time. The goal of VXLAN is to extend the VLAN address space to over 16 million.
- Segmentation – Management traffic, operations traffic, and virtual machine production traffic.
- Micro-Segmentation – Divide into logical groups with one firewall. The advantage is that it is software controlled and provides consistent protection.
Network Security Software and Devices
- IDS (Intrusion Detection System) – Alerts of threats.
- NIDS (Network Intrusion Detection System)
- WIDS – Wireless IDS scans the radio frequency spectrum for possible threats.
- IPS (Intrusion Prevention System)
- NIPS (Network Intrusion Prevention System) – Blocks threats.
- Web Security Gateways – Blocks internal access to predefined websites and categories.
- HIPS (host-based intrusion prevention system)
- WAF (Web Application Firewall)
- NTP (Network Time Protocol)
- A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
- PII (Personally Identifiable Information)
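The network ACL and implicit-deny points above, as an added example that is not from the original notes: an ordered rule list is evaluated first-match-wins, anything unmatched is denied, and a port-security check flags allow rules that expose a port to any remote address. Rule format, sample rules and sample packets are constructed for illustration.

```python
# Added example: subnet network ACL evaluation with implicit deny.
# Rule numbering, CIDR matching and sample data are constructed, not a real CSP's format.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated in ascending order; first match wins
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "any"
    cidr: str        # remote address range the rule applies to
    port_low: int
    port_high: int

@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str
    port: int

def evaluate(rules, packet):
    """Return (action, matched rule number); no match means implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("any", packet.protocol):
            continue
        if ip_address(packet.remote_ip) not in ip_network(rule.cidr):
            continue
        if not (rule.port_low <= packet.port <= rule.port_high):
            continue
        return rule.action, rule.number
    return "deny", None          # implicit deny: nothing matched

def exposed_to_anyone(rules):
    """Port-security check: allow rules reachable from any address (0.0.0.0/0)."""
    return sorted((r.number, r.port_low, r.port_high)
                  for r in rules
                  if r.action == "allow" and ip_network(r.cidr).prefixlen == 0)

# Constructed inbound rule set for a subnet.
INBOUND = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),    # HTTPS from anywhere
    Rule(110, "allow", "tcp", "10.0.0.0/8", 22, 22),      # SSH only from internal range
    Rule(120, "deny",  "tcp", "0.0.0.0/0", 3389, 3389),   # explicit deny for RDP
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.7", 443), Packet("tcp", "203.0.113.7", 22),
                Packet("tcp", "10.1.2.3", 22), Packet("udp", "10.1.2.3", 53)):
        print(pkt, "->", evaluate(INBOUND, pkt))
    print("exposed to any address:", exposed_to_anyone(INBOUND))
```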
Types of Network Monitoring
- Signature-Based – Predefined set of rules provided by software.
SLA Security Considerations
- Ownership: SLAs need to address data and digital assets. Who maintains custody and control of data?
- Availability of Services: Details about monitoring and response times.
- Baseline Services: Regulatory and common practice guarantees.
- Chain of Custody Guarantees: Collection, analysis and storage, presentation in court, and disposal. SLA should define chain of custody in case of data breach that needs to proceed to litigation.
Cloud Patches and Maintenance for Network Security
Depending on cloud provider and SLA, patches and maintenance may need to be managed by the client.
- Create a detailed inventory database and keep current.
- Standardize systems as much as possible.
- Make a map of security software and devices in place.
- Have a reliable system for collecting vulnerability alerts (SIEM).
- When alerts are generated, compare them to inventory to quickly identify systems that may be impacted.
- Assess risks based on alerts to determine mission critical patches.
- Keep documentation up-to-date.
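The inventory-matching and risk-assessment steps above, as an added example that is not from the original notes: vulnerability alerts are compared against an inventory database to find affected systems, and hits are ranked so mission-critical patches surface first. The inventory, product names, version numbers and alert ids are all constructed sample data.

```python
# Added example: matching vulnerability alerts to an asset inventory.
# Assumes dot-separated numeric version strings; all data below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    criticality: int    # 1 = mission critical, 3 = low priority

@dataclass(frozen=True)
class Alert:
    alert_id: str       # placeholder id, not a real advisory number
    product: str
    fixed_in: str       # versions below this are affected

def parse_version(version):
    """'1.24.0' -> (1, 24, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def is_affected(asset, alert):
    return (asset.product == alert.product
            and parse_version(asset.version) < parse_version(alert.fixed_in))

def triage(inventory, alerts):
    """Return impacted (hostname, alert_id) pairs, most critical systems first."""
    hits = [(asset, alert) for asset in inventory for alert in alerts
            if is_affected(asset, alert)]
    hits.sort(key=lambda pair: (pair[0].criticality, pair[0].hostname))
    return [(asset.hostname, alert.alert_id) for asset, alert in hits]

# Constructed inventory and alert feed.
INVENTORY = [
    Asset("web-01", "app-server", "1.24.0", 1),
    Asset("web-02", "app-server", "1.26.1", 1),
    Asset("db-01",  "db-engine",  "15.3",   1),
    Asset("lab-07", "app-server", "1.22.0", 3),
]
ALERTS = [
    Alert("ALERT-0001", "app-server", "1.26.0"),
    Alert("ALERT-0002", "db-engine",  "15.4"),
]

if __name__ == "__main__":
    for hostname, alert_id in triage(INVENTORY, ALERTS):
        print(f"{hostname}: patch for {alert_id}")
```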
Managed Cloud Services
CSP manages hardware and host operating systems. Clients manage services and applications on the provider's hosts and physical equipment.
The cloud provider manages and maintains the security aspects of the service, customized according to the agreed-upon SLA.
Advantages of Security-as-a-Service:
- Security software to manage, monitor, and secure systems.
- Skilled security staff that continues to obtain up-to-date certifications including new security certifications.
- Able to automate patching and other security processes.
Planning Identity Management in Cloud Deployments
Identification: Single Sign On (SSO)
AAA of Security:
- Authentication (Identification)
- Authorization (Access Control)
- Accounting (Auditing)
- Something you are (physical characteristics including fingerprints and retina pattern).
- Something you have (token or access card).
- Something you know (password).
- Somewhere you are/are not (IP address or geo-location).
- Multi-factor Authentication (MFA)
- Password Authentication Protocol (PAP)
- Challenge-Handshake Authentication Protocol (CHAP)
- Extensible Authentication Protocol (EAP) – commonly used in cloud environments.
- Terminal Access Controller Access Control System (TACACS, XTACACS, TACACS+) – Legacy and outdated protocol.
- Remote Authentication Dial-In User Service (RADIUS) – Provides a central database that allows authentication of remote users. Commonly used in cloud environments.
- DIAMETER – Used to overcome the shortcomings of RADIUS and take advantage of high speed communications in use today.
Authorization is the process of determining what rights and privileges a user has. After a user has been identified through authentication, the system can then determine what access and privileges that user has.
- Files: What access do users need? What rights should they have such as create, modify, edit, and delete?
- Systems: What systems can users log into? What rights should the user have within that system?
- Apps: Who should have access to the app? What features should the user be able to access?
Federation and SSO (Single Sign On)
- Identity Federation – Linking a single identity across multiple identity management systems.
- SSO – a subset of identity federation that eliminates the need to sign in to federated systems more than once.
Principle of Least Privilege – Giving users the least amount of privilege needed to perform their job.
Account Policy Considerations in Cloud Deployments
Common policy statements include:
- Who can approve account creations.
- Who is allowed to use a resource.
- Whether or not users can share accounts or have multiple accounts.
- When and how accounts should be disabled or modified.
- If a user account should expire at a set time period.
- What rules should be enforced for password strength, history, and reuse.
- When to lock out an account (multiple failed login attempts).
- When and how to recover an account after deletion.
- Continuous monitoring.
Access Control Methods
- Mandatory Access Control (MAC): Strictest form of access control, primarily used by the government.
- Discretionary Access Control (DAC): Allows each user to control access to their own data.
- Role-Based: Based on the user's job function.
- Rule-Based: Access is allowed or denied based on defined rules by the system admin.
RBAC – Role Based Access Control
Effect of Cloud Service Models on Security Implementations
- SaaS – Manages access to cloud-based apps.
- PaaS – Resource access and utilization.
- IaaS – Managing virtual machines and containers.
- Public Cloud – Bigger target for attacks.
- Private Cloud – Same security concerns as public clouds while also having to manage on-premise security.
- Hybrid Cloud – Mix of private and public with some management concerns. Compliance needs to be considered when moving between public and private clouds. Federated ID should be considered with a hybrid cloud environment.
User Account Provisioning Methods
- Discretionary account provisioning
- Self-Service account provisioning
- Workflow-Based account provisioning
- Automated account provisioning (Best for cloud environments)