Network Design Principle Security – ZNDP 088

Network Design Principle Security!

Network Design Principles… we have to know them and leverage them in every network design decision we make. Is Security a Network Design Principle?  Find out today in this episode of the Zigbits network design podcast.

Lets go!

Network Design Principle Security

What’s up, everybody? I hope everyone is doing great.  Zig Zsiga here and welcome to episode 88 of the Zigbits Network Design Podcast. My Name is Zig Zsiga, I’m here to help you with Network Engineering, Network Design, and Network Architecture, and today we are going to highlight the Network Design Principle Security.

My Network Design Course – Designing Network Architectures

Before we jump in, I want to tell you about something truly awesome! At the request of the Zigbits Discord Community, I have opened my Network Design Course: Designing Network Architectures – Ensuring Business Success! Yes, it’s open right now. The Zigbits Discord Community asked me to be Agile and to publish what’s already completed, so I have. Stages 1 – 5 of my course are published. I am working on the last 3 stages, and they will be published as soon as they are done.

The purpose of this course is to make you the best network designer you can be.  It’s targeting everyone in this amazing Network Industry, no matter if you are just starting out or if you are a 30-year veteran Network engineer.  This course is going to change your career and your life. 

Again to be 100% transparent the course is not completed yet, but if you want to purchase it, you can. You will get access to all of the content that is currently published! Then as the rest of the content is ready, I will publish it to you at no additional cost or fee, of course!

If you are interested and want to hear more, click here! Use the discount code BESTNETWORKDESIGNER, one word, all caps, to save 10% at checkout. If you have any questions, you can reach out to me on Discord or email me at Zig@zigbits.tech.

You’ll Learn

  • Is Security a Network Design Principle?
  • What are the three Security Models you should know?
  • Why should security be at the top of your mind?
  • How to ensure your network design decisions include security elements?

Resources

ZNDP 088: Network Design Principle Security

Zig Zsiga:

[0:00] Network Design Principle Security, episode 88.

[0:05] Network design principles: we have to know them and leverage them in every network design decision we make. Now here's the question, though: is security a network design principle?

Well, find out today in this episode of the Zigbits Network Design Podcast.

Welcome back, my friends, nerds, geeks, and Ziglets out there. We have another episode of the Zigbits Network Design Podcast, where zigabytes are faster than those gigabytes.

We strive to provide real-world.

[0:33] Around technology. What is up, everybody? I hope everyone is doing great. Zig Zsiga here, and welcome to episode 88 of the Zigbits Network Design Podcast. Once again, my name is Zig Zsiga and I'm here to help you with network engineering, network design, and network architecture, and today we are going to highlight the network design principle security.

Hey, before we jump in, I want to let you know that I have opened up my network design course. Yes, it is open. It is titled Designing Network Architectures and Ensuring Business Success.

The purpose of this course is to make you the best network designer you can be. It's targeting everyone in this amazing networking industry, no matter if you're just starting out of college or high school or if you've been in the industry for 30 years and you're a veteran network engineer. This course is going to change your career and your life. Hey, if you're interested and want to hear more, go to zigbits.tech/dna, and until April 30th, 2021, use the discount code BESTNETWORKDESIGNER, one word, all caps, to save 10% at checkout.

If you have any questions you can reach out to me on Discord, or you can email me at zig@zigbits.tech.

So historically, security hasn't been identified as a network design principle, and honestly I always wondered why. What happens to your business if your network is compromised?

[1:53] What happens to your business if the integrity of your data is compromised? These are super, super simple questions with very impactful, profound answers. Some of those answers would be: your business reputation suffers, customers lose trust in your business, your business loses money and revenue. What about this one: your business is no longer meeting compliance standards and can be fined or shut down. Now that's an extreme case, but you could literally go out of business if you don't have your compliance standards in place. Some other terms that go into this topic are risk management and zero trust architecture, just to name a couple. Now, at a high level,

I've kind of categorized security as three models. There are three security models over the last 20 years, right, and we've been shifting between these models. OK, so the first model is what I like to call the turtle shell security model, which is really the legacy way of doing security, with the firewall at the perimeter. Your firewall is your turtle shell, and you have

[3:00] a whole bunch of security capabilities on this firewall that limit what can get into your network and what can leave your network.

[3:08] Now what happens when something gets in, though, in this model? That attacker or that malicious activity, when they get in, if they can get in, they have full east-to-west lateral movement between users and resources, all those squishy, soft things inside that turtle shell. They have full access. There are no other security mechanisms in place to catch these threats.

Insider threats as well become prevalent here. I've had a ton of customers not know that one of their critical applications was sending data, and I'm talking sensitive business and customer data, to other countries, which, again, they had no idea the application was doing. Again, this comes down to: there's no visibility of what is being done in these environments; there was no least-privilege access.

Then I harp: you should only allow what is needed for a user group, not what they want to have access to or want to be able to do, no matter their roles in the company or organization. Specifically, that's calling out the CEO and those C-level personnel. It doesn't matter if they want to have full access; they get access based on what they should have, you know, what they need to have, not what they want to have.

[4:19] And I would drive this further, because this is like the user-based kind of idea: user segmentation, user access, role-based access, and identifying what you should have access to, what you need to have, and limiting it based on that. But I would drive this concept even further into the applications and services and servers and devices. If I run a tech company out of New York City, for example, I have security cameras to track who's going in and out of my office space. Those security cameras should not be sending data outside of my network.

[4:50] Now that's a very simple example, right? Another one: my printers on my network should not be able to access the internet. They also should not be able to access other printers or services other than the print server. These are just generalized things, right, and you validate them. Those are great examples of isolating devices and applications and what they can do and what they should be able to access. These are extremely easy items to address and implement, but this turtle shell model, this turtle shell approach, just doesn't provide the mechanisms to do this.

So this goes into the next model, our second model, which we've transitioned to, right. So this is the session- and transaction-based security model. This is the evolution of that turtle shell concept. Now we can lock down those printers, those applications, those security cameras we just talked about. We can secure the east-west traffic dynamically based on what the device is, like who is using it, why are they using it, where are they using it, and what they need to have access to. Now this model leads to a 100% authentication model and then a 100% authorization of each session and transaction. Now this isn't necessarily the easy button, though. You still have to define your policies and implement them in a network access control system.

[6:14] You need to also determine how you want to authenticate these sessions. Now you can use a number of different authentication protocols and techniques within this construct. You can do a whole bunch of 802.1X topics: PEAP and MS-CHAPv2, EAP-TLS. You'll also do MAB. Right, these are all different authentication options, and there are pros and cons to each of these methods of authentication. Now, once you have authenticated,

[6:40] right, once your authentication policy is determined, then you need to identify what I like to call your use cases. My examples earlier about printers and security cameras are great and relevant, easy examples of what I call a use case. When I am defining these use cases, I ask myself: what does this resource need, not want, need, to operate? In most cases it's less access than they have today.

The other item you get with this security model is relative, not real, relative visibility. For some, this will look like full visibility, but it is truly not. There are no data captures here; there are no analytics tools here. You get the visibility of what is on your network, when and where the devices and users are connecting, and how they are connected, and you also get to predetermine how you're going to handle them when they connect. This visibility is, again, not real-time or near real-time. Some of the vendor-specific solutions out there are pretty quick with their dashboards and can show this information within 30 to 60 seconds. But I want to make it very clear:

[7:45] this isn't real-time visibility; this is not real-time analytics either of what is on your network. These capabilities come in the next security model.

[7:54] Now once this model is completed, most organizations have a good understanding of their users and their end devices. Not their applications, not their services. So I like to emphasize that you need to drive the same process with the same capabilities into the applications, services, and servers.

[8:14] So going into our third model here, our third paradigm shift for security, is zero trust, the third security model, right. This model brings an even larger shift from a security standpoint. To what we had so far, zero trust adds real-time captures, analytics tools, those capabilities, to this mix. Now this allows for real-time artificial intelligence, machine learning decision-making. I'm talking real-time decision making based on the data that's being fed back into the system. I don't want this to come off as the computer makes its own decision now. Heaven forbid, right? But yeah, the computer doesn't make its own decision, while you sure, you sure could set this up that way if you wanted.

[8:56] I still have not yet seen an organization fully allow a zero trust engine to make changes without human interaction.

[9:05] The larger concept within this model is that every device, every user, application, server, service, resource, even the data itself, is assigned a trust score. This trust score changes based on what the analytics engine, that zero trust engine, sees. Now this could be a static change, like a physical location or connectivity model. A good example might be: I connect from a coffee shop or over a VPN connection, so I get a lower trust score and thus less access than if I connect from a company location.

Now there are a number of dynamic aspects with this model as well, which the zero trust engine will leverage to kind of on the fly increase or decrease that trust score. This could be as simple as the time of day, the day of the week, what type of data the user is sending. It can also be as complex as you're sending a different type of data you've never sent before, or you are sending a higher amount of data than normal. Think of, on a normal day to day, you send maybe a hundred megs of data from your computer, you know, out to the internet or something like that, you know, that traffic going up, you know, uploading to the internet, and then

[10:13] that's not a realistic option, but I don't know how much data people send up to the internet these days, you know. But again, in this hypothetical situation, you're sending on average a hundred megs of data, and then you come into the office and then you send two gigs of data, right, or 10 gigs of data. You know, that's a huge flag, that's your anomaly that the analytics engine is going to say, hey, this is weird, something's wrong. That's either flagged here or denied. There's a lot, there's a lot that goes into zero trust architecture, and this is not meant to get into the weeds of zero trust architecture here. The concept is that

this is a big shift for how we do things, but it's more than just how we do things from a technology perspective. It's also how organizations, businesses, govern their environment. Their governance model has to shift to be able to leverage a zero trust architecture solution. Some of the concepts here: you're going to have an inventory system of some sort, an inventory capability, a policy engine capability, you're going to have a policy enforcement point.

[11:16] You're going to have an analytics engine, machine learning engine, a kind of AI-driven engine that has that trust score, has those resource scores, that you can identify them on the fly and make real-time changes to those scores as needed. But then you also have your kind of data plane, where you have your switches and your routers and your firewalls, and then you also have your end devices, your users, your computers, your printers. So this is the whole model and how it works, and there's a whole bunch that goes into it.

[11:46] That is more than just high-level zero trust architecture. Hey, would you let me know, just a quick poll there: if anyone wants me to dive into a dedicated zero trust architecture session, go ahead and send me a quick email, zig@zigbits.tech. Just let me know that you would love a dedicated zero trust architecture session where we dive under the hood of what zero trust architecture is, vendor-agnostically of course, what capabilities are in place, how do you get those capabilities, where can you start, and then how do you move forward into that really zero trust architecture world. Let me know, send me that email. I'd love to hear more on if you want it. I will go into a good detail session on it, maybe get a couple of guests to talk about it at length.

Security is a network design principle. It is, it truly is, and if we don't know that, now you know it, right? If you didn't know that before this session, this podcast episode, well, now you know it. Security is truly a network design principle. As you move forward, you should keep security at the top of your mind. Wherever possible we want to include security capabilities to ensure we meet the confidentiality, integrity, and availability requirements of our businesses and our customers.

Remember, the keyword to think of is business assurance. A business cannot fulfill its goal, its outcome, or its mission if the business or its data is compromised. Think of the implication there, right? A lot of businesses will make decisions on their data, so they're getting data from whatever source

[13:15] and are making real-time decisions on that data. Now that data is compromised, and something in that data has been changed, and you have no idea that the integrity of your data is gone, and you make a decision based on inaccurate data. What are the implications to your business now?

[13:33] And you could go through all the different scenarios, right. You can talk about the government world and the implications there, you can talk about the financial world and the implications there, you can talk about, like, the stock market and the implications there. There's a lot of implications here if the integrity of the data is compromised; the implications are very, very large. This is also where you'll find compliance requirements like HIPAA, NIST, and PCI. Again, if a business is not compliant, they can be disconnected and fully brought down.

Hey friends, nerds, geeks, and Ziglets, that's going to close out today's episode of the Zigbits Network Design Podcast, where we talked about the network design principle security, and it truly is a network design principle. Today's show notes will be at zigbits.tech/88. Hey, I have opened up the doors to my network design course called Designing Network Architectures and Ensuring Business Success. If you are interested to hear more about my course or ready to enroll right now, visit zigbits.tech/dna.

[14:34] Don't forget, this is key, don't forget to use the discount code BESTNETWORKDESIGNER, all one word, all caps, at checkout to save 10%. If you want to have live network design kind of conversations right now with me and other fellow Zigbits fans, you can join the Zigbits Discord community. There are a ton of highly skilled experts ready to help you with your network design questions. You go to zigbits.tech/discord to join, and again, this is a 100% free community.

[15:04] If you like today's episode, let us know. You can find more Zigbits network engineering, network design, and network architecture content, including technical podcasts, monthly webinars, YouTube videos, and a dedicated community on Discord. All of this content I just mentioned is free. Find all this and much more at zigbits.tech. Follow us on Twitter at @zigbits and find us on LinkedIn. Sign up for our free weekly newsletter, the Network Design Digest, filled with the best network design and network engineering content, at zigbits.tech/newsletter.

As always, I appreciate you and thank you for listening. Now don't forget to attack your goals, attack the day, attack your life, and make progress, my friends. Until next time, bye for now.
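As an added illustration of the third model described in the episode (not code from the podcast, from Zigbits, or from any vendor), the following toy policy engine scores a session from the static factor the episode mentions (office vs VPN vs coffee shop), the dynamic factors it lists (time of day, a data type the user has never sent, an upload far above the user's baseline, the 100 MB vs 2 GB case) and the least-privilege "use case" rule from the second model (a printer only talks to the print server). Everything else is an assumption made for the example: the score weights, the allow/review/deny thresholds, the device classes and their allowed destinations, and the sample baseline and sessions, which are constructed. The "review" action is there because, as the episode notes, organizations keep a human in the loop rather than letting the engine act on its own.

```python
"""Toy zero trust policy engine (added example; weights, thresholds, device
classes and sample data are assumptions, not anything from the episode)."""
from dataclasses import dataclass, field

# Static factor: trust earned by where the session comes from (assumed values).
LOCATION_SCORE = {"office": 90, "vpn": 70, "coffee_shop": 50}

# Use cases: what each device class NEEDS to reach, not what it might want (assumed).
DEVICE_ALLOWED_DESTS = {
    "printer": {"print-server"},
    "camera": {"nvr"},
    "workstation": {"file-server", "print-server", "internet"},
}

ALLOW_THRESHOLD = 70   # score >= this: allow the session
REVIEW_THRESHOLD = 40  # between review and allow: flag for a human, take no automatic action


@dataclass
class Baseline:
    """What the analytics engine has learned about a user over time."""
    avg_upload_bytes: float
    known_data_types: set = field(default_factory=set)
    work_hours: tuple = (8, 18)  # [start, end) in local time


@dataclass
class Session:
    """One session/transaction presented to the policy engine."""
    user: str
    device_class: str
    location: str
    hour: int
    destination: str
    upload_bytes: int
    data_type: str


@dataclass
class Decision:
    score: int
    action: str   # "allow", "review" or "deny"
    reasons: list


def score_session(s, b):
    """Start from the static location score, then subtract for dynamic anomalies."""
    score = LOCATION_SCORE.get(s.location, 30)  # unknown origin starts low
    reasons = []

    start, end = b.work_hours
    if not start <= s.hour < end:
        score -= 10
        reasons.append("outside normal working hours")

    if s.data_type not in b.known_data_types:
        score -= 15
        reasons.append(f"data type '{s.data_type}' never seen from this user")

    # Upload volume relative to the learned baseline (the 100 MB vs 2 GB case).
    ratio = s.upload_bytes / b.avg_upload_bytes if b.avg_upload_bytes else float("inf")
    if ratio >= 10:
        score -= 40
        reasons.append(f"upload volume {ratio:.0f}x baseline")
    elif ratio >= 3:
        score -= 20
        reasons.append(f"upload volume {ratio:.1f}x baseline")

    # Least privilege is a hard rule, not a score tweak: a printer reaching the
    # internet is denied no matter how trusted the rest of the session looks.
    allowed = DEVICE_ALLOWED_DESTS.get(s.device_class, set())
    if s.destination not in allowed:
        score = 0
        reasons.append(f"{s.device_class} has no use case for destination '{s.destination}'")

    return max(0, min(100, score)), reasons


def decide(s, b):
    """Map the score to an action; 'review' keeps a human in the loop."""
    score, reasons = score_session(s, b)
    if score >= ALLOW_THRESHOLD:
        action = "allow"
    elif score >= REVIEW_THRESHOLD:
        action = "review"
    else:
        action = "deny"
    return Decision(score, action, reasons)


if __name__ == "__main__":
    # Constructed sample baseline: about 100 MB of uploads per day, only documents so far.
    alice = Baseline(avg_upload_bytes=100_000_000, known_data_types={"documents"})
    samples = [
        Session("alice", "workstation", "office", 10, "file-server", 100_000_000, "documents"),
        Session("alice", "workstation", "office", 10, "file-server", 2_000_000_000, "documents"),
        Session("alice", "workstation", "coffee_shop", 22, "file-server", 2_000_000_000, "archive"),
        Session("printer-3", "printer", "office", 10, "internet", 1_000, "documents"),
    ]
    for sess in samples:
        d = decide(sess, alice)
        print(f"{sess.user:10} {sess.location:12} -> {d.action:6} (score {d.score}) {'; '.join(d.reasons)}")
```

Running the block prints one line per constructed session: the normal office session is allowed, the 2 GB upload from the office lands in "review" (the anomaly alone is not enough to block a session that is otherwise trusted), the coffee-shop session at night with a new data type and a 20x upload is denied, and the printer talking to the internet is denied outright by the use-case rule before any scoring matters. Real engines feed these decisions to a policy enforcement point (switch, firewall, or NAC) rather than a print statement, but the separation of static context, dynamic behaviour and hard least-privilege rules is the part worth copying.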
