The document discusses infrastructure design and security. It covers common network models like OT, IT, and PERA. It also discusses why infrastructure is designed the way it is with references to cloud providers like AWS, GCP, and Azure. The document advocates defining building blocks, distinguishing traffic directions, evaluating threats for each, and reviewing IAM and AAA (authentication, authorization, and access control). It concludes by promising a practical example of these concepts.
1. 2021 - Copyright All Rights reserved - Security Boutique is a registered trademark
Chapter 1
Lesson 1 - Overview infrastructure design
2. 2021 - Copyright All Rights reserved - Security Boutique is a registered trademark
Chapter 1 - Infra Design security – Lesson 1
[Overview infrastructure design]
OT model
(Operation Technology)
IT model
(Information Technology)
Purdue Enterprise Reference Architecture (PERA)
Core – Distribution – Access layers
Src. Juniper’s website
3. 2021 - Copyright All Rights reserved - Security Boutique is a registered trademark
Chapter 1 - Infra Design security – Lesson 1
[Overview infrastructure design]
The diagram jungle
Branch diagram Topology diagram Basic Network
diagram
Network diagram
Cloud diagram Database diagram...storage and way more....
4. 2021 - Copyright All Rights reserved - Security Boutique is a registered trademark
Chapter 1 - Infra Design security – Lesson 1
[Overview infrastructure design]
Why do we design like we do?
AWS
GCP
AZURE
5. 2021 - Copyright All Rights reserved - Security Boutique is a registered trademark
Chapter 1 - Infra Design security – Lesson 1
[Overview infrastructure design]
Let’s stop to be so obvious...
Company
Attacker
- Spoofed mail address
- Malicious link, attachment, etc
- Payload
- Session Hijacking
- Command Centre
- Persistance
- A SaaS service
- An HTML preview / DNS
- An end-point security
- A web browser
- Reverse connectivity
- End-point security
6. 2021 - Copyright All Rights reserved - Security Boutique is a registered trademark
Chapter 1 - Infra Design security – Lesson 1
[Overview infrastructure design]
Keep my space....
Trusted response from dependencies – from L1/2 for example DHCP up to L7 Proxy/DNS
Authenticate User and Device (combine the two)
Not have direct network connectivity to avoid reverse connectivity from attacker
Isolate browser session – for example site isolation
https://support.google.com/chrome/answer/7623121 or remote browser isolation or secure browser
Micro segment resources
Not execute payloads.... Javascript DOM too... see Magecart
Don’t have race time conditions – off-line mode, AAA
Don’t have an internal threat actor
Don’t trust supply chain... especially your security provider
7. 2021 - Copyright All Rights reserved - Security Boutique is a registered trademark
Chapter 1 - Infra Design security – Lesson 1
[Overview infrastructure design]
Define your building blocks
8. 2021 - Copyright All Rights reserved - Security Boutique is a registered trademark
Chapter 1 - Infra Design security – Lesson 1
[Overview infrastructure design]
Always distinguish direction and evaluate threats for ech
9. 2021 - Copyright All Rights reserved - Security Boutique is a registered trademark
Chapter 1 - Infra Design security – Lesson 1
[Overview infrastructure design]
Review your IAM and overall AAA
10. 2021 - Copyright All Rights reserved - Security Boutique is a registered trademark
Chapter 1 - Infra Design security – Lesson 1
[Overview infrastructure design]
Now let’s see a practical example
11. 2021 - Copyright All Rights reserved - Security Boutique is a registered trademark
Subscribe YouTube
https://www.youtube.com/channel/UCK0Z7e2riiRT8hRFvPfiMcw