Cloud Network Security

What is cloud network security?

Cloud network security is the set of technologies and controls that protect the data center networks on which cloud services depend today. When it comes to securing the network configuration, there is a lot to be concerned with.

Several technologies, protocols, and services are necessary to ensure a secure and reliable network is provided to the end-user of the cloud-based services.

Transport layer security (TLS) and IPSec can be used for securing communications to prevent eavesdropping.

Domain name system security extensions (DNSSEC) should be used to prevent domain name system (DNS) poisoning.

DNSSEC is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by DNS as used on Internet protocol (IP) networks.

Network Isolation

Before discussing the services, it’s important to understand the role of isolation. Isolation is a critical design concept for a secure network configuration in a cloud environment.

All management of the data center systems should be done on isolated networks.

These management networks should be monitored and audited regularly to ensure that confidentiality and integrity are maintained. Access to the storage controllers should also be granted over isolated network components that are non-routable to prevent the direct download of stored data and to restrict the likelihood of unauthorized access or accidental discovery.

Customer access should be provisioned on isolated networks. This isolation can be implemented through the use of physically separate networks or via VLANs.

All networks should be monitored and audited to validate separation. Access to the management network should be strictly limited to those that require access.

Strong authentication methods should be used on the management network to validate identity and authorize usage.

Protecting VLANs

The network can be one of the most vulnerable parts of any system.

The VM network requires as much protection as the physical one. Using VLANs can improve networking security in your environment.

In simple terms, a VLAN is a set of workstations within a LAN that can communicate with each other as though they were on a single, isolated LAN.

They are an Institute of Electrical and Electronics Engineers (IEEE) standard networking scheme with specific tagging methods that allow routing of packets to only those ports that are part of the VLAN.

When properly configured, VLANs provide a dependable means to protect a set of machines from accidental or malicious intrusions.

VLANs let you segment a physical network so that two machines in the network cannot transmit packets back and forth unless they are part of the same VLAN.

VLAN Communication

What does it mean to say that the VLAN workstations “communicate with each other as though they were on a single, isolated LAN”?

Among other things, it means the following:

  1. Broadcast packets sent by one of the workstations can reach all the others in the VLAN.
  1. Broadcasts sent by one of the workstations in the VLAN cannot reach any workstations that are not in the VLAN.
  1. Broadcasts sent by workstations that are not in the VLAN can never reach workstations that are in the VLAN.
  1. All the workstations can communicate with each other without needing to go through a gateway.

VLAN Advantages

The ability to isolate network traffic to certain machines or groups of machines via association with the VLAN allows for the opportunity to create secured pathing of data between endpoints.

Although the use of VLANs by themselves does not guarantee that data will be transmitted securely and that it will not be tampered with or intercepted while on the wire, it is a building block that, when combined with other protection mechanisms, allows data confidentiality to be achieved.

Using TLS

TLS is a cryptographic protocol designed to provide secure communication over a network.

It uses X.509 certificates to authenticate a connection and to exchange a symmetric key.

This key is then used to encrypt any data sent over the connection.

The TLS protocol allows client/server applications to communicate across a network in a way designed to ensure confidentiality.

TLS is made up of two layers:

  1. TLS record protocol: Provides connection security and ensures that the connection is private and reliable. Used to encapsulate higher-level protocols, among them the TLS handshake protocol.
  1. TLS handshake protocol: Allows the client and the server to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is sent or received.
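To make the layering concrete, this added example (not from the original article) parses the record-layer header and then the handshake header carried inside the record fragment. The ClientHello bytes are constructed for the example rather than captured from a real connection.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 20: "finished"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_record(data):
    """Record layer: 1-byte content type, 2-byte version, 2-byte length, then the fragment."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if length > 2 ** 14:            # maximum plaintext fragment size (RFC 5246 / RFC 8446)
        raise ValueError("record fragment too large")
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record fragment truncated")
    return {"content_type": CONTENT_TYPES.get(ctype, ctype),
            "version": VERSIONS.get(version, hex(version)), "fragment": fragment}

def parse_handshake(fragment):
    """Handshake layer (inside the record fragment): 1-byte type, 3-byte length, then the body."""
    if len(fragment) < 4:
        raise ValueError("truncated handshake header")
    htype, length = fragment[0], int.from_bytes(fragment[1:4], "big")
    body = fragment[4:4 + length]
    if len(body) != length:
        raise ValueError("handshake body truncated")
    info = {"type": HANDSHAKE_TYPES.get(htype, htype), "length": length}
    if htype == 1:                  # ClientHello starts with client_version and a 32-byte random
        client_version = struct.unpack("!H", body[:2])[0]
        info["client_version"] = VERSIONS.get(client_version, hex(client_version))
        info["random"] = body[2:34]
    return info

def build_client_hello():
    """Constructed minimal TLS 1.2 ClientHello (not captured traffic)."""
    body = struct.pack("!H", 0x0303) + bytes(range(32))   # client_version + constructed random
    body += b"\x00"                                        # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"             # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                                    # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record version 0x0301 is the legacy value clients send in their first record.
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake
```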

Using DNS for Cloud Network Security

DNS is a hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as Internet protocol (IP) addresses.

DNS allows you to use friendly names, such as www.isc2.org, to easily locate computers and other resources on a TCP/IP-based network.

DNSSEC

DNSSEC is a suite of extensions that adds security to the domain name system (DNS) protocol by enabling DNS responses to be validated. Specifically, DNSSEC provides origin authority, data integrity, and authenticated denial of existence. With DNSSEC, the DNS protocol is much less susceptible to certain types of attacks, particularly DNS spoofing attacks.

If it’s supported by an authoritative DNS server, a DNS zone can be secured with DNSSEC using a process called zone signing.

Signing a zone with DNSSEC adds validation support to a zone without changing the basic mechanism of a DNS query and response. Validation of DNS responses occurs through the use of digital signatures that are included with DNS responses.

These digital signatures are contained in new, DNSSEC-related resource records that are generated and added to the zone during zone signing.

When a DNSSEC-aware recursive or forwarding DNS server receives a query from a DNS client for a DNSSEC-signed zone, it requests that the authoritative DNS server also send the DNSSEC records and then attempts to validate the DNS response using these records.

A recursive or forwarding DNS server recognizes that the zone supports DNSSEC if it has a DNSKEY, also called a trust anchor, for that zone.
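Before a validating resolver checks the signature itself, it confirms that the RRSIG it received actually belongs to the trust-anchored DNSKEY. This added example (not from the original article) implements those preliminary checks: the RFC 4034 key tag computation for a DNSKEY, a parser for RRSIG RDATA, and the RFC 4035 signer, algorithm, key-tag and validity-window tests. The DNSKEY and RRSIG bytes are constructed; the public key and signature are placeholders, so no cryptographic verification is performed.

```python
import struct

def key_tag(dnskey_rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5, algorithm 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def read_name(data, offset):
    """Decode an uncompressed wire-format DNS name; returns (dotted name, next offset)."""
    labels = []
    while True:
        n = data[offset]
        offset += 1
        if n == 0:
            return ".".join(labels) + ".", offset
        labels.append(data[offset:offset + n].decode("ascii"))
        offset += n

def parse_rrsig(rdata):
    """RRSIG RDATA (RFC 4034 section 3.1): fixed 18-byte header, signer name, signature."""
    type_covered, alg, labels, ottl, exp, inc, tag = struct.unpack("!HBBIIIH", rdata[:18])
    signer, off = read_name(rdata, 18)
    return {"type_covered": type_covered, "algorithm": alg, "labels": labels,
            "original_ttl": ottl, "expiration": exp, "inception": inc,
            "key_tag": tag, "signer": signer, "signature": rdata[off:]}

def precheck(rrsig, dnskey_rdata, zone, now):
    """The RFC 4035 section 5.3.1 checks a validator makes before cryptographic verification."""
    return (rrsig["signer"] == zone
            and rrsig["algorithm"] == dnskey_rdata[3]                  # DNSKEY algorithm byte
            and rrsig["key_tag"] == key_tag(dnskey_rdata)
            and rrsig["inception"] <= now <= rrsig["expiration"])     # seconds since the epoch

# Constructed DNSKEY: flags 257 (KSK, SEP bit set), protocol 3, algorithm 13 (ECDSAP256SHA256),
# followed by a 4-byte stand-in for the public key so the key tag can be checked by hand.
DNSKEY = struct.pack("!HBB", 257, 3, 13) + bytes([1, 2, 3, 4])

def build_rrsig(tag, inception, expiration):
    """Constructed RRSIG over the A RRset of example.com (signature bytes are placeholders)."""
    header = struct.pack("!HBBIIIH", 1, 13, 2, 3600, expiration, inception, tag)
    return header + b"\x07example\x03com\x00" + b"\xaa" * 4
```

An RRSIG whose key tag does not match any DNSKEY in the zone, or whose validity window has passed, is rejected at this stage; a real validator then verifies the signature with the matching key.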

Threats to the DNS Infrastructure

Following are the typical ways in which attackers can threaten the DNS infrastructure:

  1. Footprinting: The process by which an attacker obtains DNS zone data, including DNS domain names, computer names, and IP addresses for sensitive network resources.
  1. Denial-of-service attack: When an attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network with queries.
  1. Data modification: An attempt by an attacker to spoof valid IP addresses in IP packets that the attacker has created. This gives these packets the appearance of coming from a valid IP address in the network. With a valid IP address, the attacker can gain access to the network and destroy data or conduct other attacks.
  1. Redirection: When an attacker can redirect queries for DNS names to servers that are under the control of the attacker.
  1. Spoofing: When a DNS server accepts and uses incorrect information from a host that has no authority to give that information. DNS spoofing is malicious cache poisoning, where forged data is placed in the cache of the name servers.

Using IPSec

IPSec uses cryptographic security to protect communications over IP networks.

IPSec includes protocols for establishing mutual authentication at the beginning of the session and negotiating cryptographic keys to be used during the session.

IPSec supports network-level peer authentication, data origin authentication, data integrity, encryption, and replay protection. You may find IPSec to be a valuable addition to a network configuration that requires end-to-end protection of data while it transits a network.

The deployment and use of IPSec have two key challenges:

Configuration management: The use of IPSec is optional. As such, many endpoint devices connecting to the cloud infrastructure do not have IPSec support enabled and configured.

If IPSec is not enabled on the endpoint, then depending on the configuration choices made on the server side of the IPSec solution, the endpoint may not be able to connect and complete a transaction.

CSPs may not have the proper visibility on the customer endpoints or the server infrastructure to understand IPSec configurations. As a result, the ability to ensure the use of IPSec to secure network traffic may be limited.

Performance: The use of IPSec imposes a performance penalty on the systems deploying the technology.

Although the impact on the performance of an average system is small, it is the cumulative effect of IPSec across an enterprise architecture, end to end, that must be evaluated before implementation.
