CISSP Implement Secure Design Principles in Network Architectures – Bk1D4T1

The scope of this material is to stay aligned with best practices in the secure design of network architectures. There are a variety of emerging ideas and innovative procedures that it may be useful to examine. The reader is encouraged to use supplemental sources and to stay on top of developments in the industry as they evolve. However, the core information regarding communications and network security is found within. The introduction of the concepts begins with secure design principles in network architecture. The previous chapter detailed the five architectural principles and five design principles of ISO/IEC 19249. Additionally, we drew comparisons between the ISO 19249 principles and the fundamental but analogous principles from early academic work on security principles.

To recap briefly, two principles that most directly affect network architecture include domain separation and layering. Layering involves designing something in increasingly abstract terms, with each layer offering some aspect of security or assurance. In the context of hosts communicating over a network, the Open Systems Interconnection (OSI) model is the prevailing example. The OSI model is one of increasing abstraction, with each layer making room for varying methods of ensuring security.

Domain separation, as an architectural principle, applies to network secure design. Separating network traffic at the collision domain helps avoid network congestion. Separating network traffic into broadcast domains further inhibits an adversary from sniffing valuable clues to the network topology. Going further, separating a network into segments isolates local network traffic from traveling across routes. This again mitigates the risk of a potential adversary learning about the network design.

The security professional must understand a range of relevant subjects to adequately understand how to implement secure design principles in network architectures. It is necessary to know the OSI model in detail. Similarly, it is important to understand Transmission Control Protocol/Internet Protocol (TCP/IP), in particular IP networking, for comparison. Another significant subject is multilayer protocols, where several protocols make up a group spread across several of the OSI layers. By comparison, converged protocols are where a specialized protocol is grouped with a commonly used protocol. In addition to protocols, networking concepts are significant, beginning with the benefits of virtualized networking, termed software-defined networks (SDNs). Wireless networking is also important, including its security implications. Beyond wireless, there are commonly accepted divisions of a network as defined by areas of control, including an intranet, extranet, and the Internet. If a section of an intranet is public-facing yet partially controlled between the Internet and the fully protected intranet, that section is the demilitarized zone (DMZ). Lastly, the concept of a virtual local area network (VLAN) is essential, as VLANs form isolated broadcast zones to segment a network. This section and its subsections examine all of these topics.
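The domain-separation discussion above and the mention of VLANs as isolated broadcast zones share one practical consequence: policy can only be enforced where traffic crosses a boundary. Two hosts in the same broadcast domain exchange frames directly through the switch, so a router ACL never sees that traffic; only flows between VLANs pass a routed policy point. The following Python model is an added example, not code from the study guide, and uses a constructed VLAN plan and a constructed inter-VLAN allow-list (`VLANS`, `ACL`, `classify_flow`, `unpoliced_pairs` are all illustrative names) to show which flows are actually policed under a given segmentation.

```python
"""Added example (not from the study guide): how segmentation into
broadcast domains determines where network policy can be enforced.

Assumptions (constructed for illustration, not real network data):
  - VLANS maps a VLAN id to its IPv4 subnet (one subnet per VLAN).
  - Hosts in the same VLAN reach each other at layer 2, so no router
    and therefore no router ACL sits in the path.
  - Hosts in different VLANs must be routed, and the routed path is
    subject to a simple allow-list keyed on (src VLAN, dst VLAN, port).
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed VLAN plan: id -> subnet
VLANS = {
    10: IPv4Network("10.0.10.0/24"),   # user workstations
    20: IPv4Network("10.0.20.0/24"),   # internal servers
    99: IPv4Network("10.0.99.0/24"),   # DMZ (public-facing)
}

# Constructed inter-VLAN allow-list: (src_vlan, dst_vlan, dst_port)
ACL = {
    (10, 20, 443),   # workstations -> servers over HTTPS
    (99, 20, 5432),  # DMZ -> servers on the database port only
}


def vlan_of(ip: str) -> int:
    """Return the VLAN whose subnet contains ip; raise if unassigned."""
    addr = IPv4Address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    raise ValueError(f"{ip} is not in any known VLAN")


def classify_flow(src: str, dst: str, port: int) -> dict:
    """Describe where (if anywhere) a flow from src to dst:port is policed.

    Returns a dict with:
      path     - "layer2" (same broadcast domain) or "routed"
      allowed  - whether the flow reaches dst under this model
      enforced - whether any policy point was consulted at all
    """
    s, d = vlan_of(src), vlan_of(dst)
    if s == d:
        # Same broadcast domain: frames go host-to-host via the switch.
        # The router ACL never sees them, so nothing is enforced here.
        return {"path": "layer2", "allowed": True, "enforced": False}
    allowed = (s, d, port) in ACL
    return {"path": "routed", "allowed": allowed, "enforced": True}


def unpoliced_pairs(hosts: list) -> list:
    """List host pairs that share a broadcast domain and so bypass the ACL.

    Useful when reviewing a segmentation plan: every pair returned here
    can talk freely regardless of what the inter-VLAN allow-list says.
    """
    pairs = []
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            if vlan_of(a) == vlan_of(b):
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    print(classify_flow("10.0.10.5", "10.0.20.8", 443))   # routed, allowed
    print(classify_flow("10.0.99.7", "10.0.20.8", 443))   # routed, denied
    print(classify_flow("10.0.10.5", "10.0.10.9", 22))    # layer2, unpoliced
    print(unpoliced_pairs(["10.0.10.5", "10.0.10.9", "10.0.20.8"]))
```

The point the model makes is that placing a host into a VLAN decides which policy point, if any, its traffic will cross; an allow-list on the router contributes nothing to traffic that never leaves the broadcast domain, which is why segmentation design and ACL design have to be reviewed together.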

Although this section introduces you to both the OSI and TCP/IP models, the rest of this chapter focuses on mapping the OSI model to networking/internetworking functions and summarizes the general nature of addressing schemes within the context of the OSI model.