
How to build network security: Cloud vs On-premise

Updated: Oct 9, 2024

Key to building network security: Cloud vs On-premise

Imagine you are building a house. What do you start with? First you secure the plot from trespassers with a boundary wall. You will probably also add an entry point for the people who are supposed to enter and work on the property. Once the property is secured and marked out, you start designing the master plan of the house: the number of rooms, their types, passages and so on. You have to ensure seamless connectivity across the house while keeping it secured from unwanted elements.


Building software infrastructure is similar; after all, it is the house where your potential best-selling software will be deployed.


The network is the root of the infrastructure: the stronger the root, the healthier the entire tree. Any loophole in it can compromise the entire software infrastructure. As in a house, a robust infrastructure needs secure and seamless connectivity across all systems and services.


Segregated Network:

  • To secure connectivity, the network should be segregated, or subnetted, with respect to incoming and outgoing access.

  • Network privacy can be achieved via VPCs and subnets if you are hosted in the cloud, or through VLANs and DMZs if you are on premise or on legacy systems. Prefer VPCs over classic or dynamic networks.

  • Configurations must be logically segregated or tiered by usage (e.g. per product or per customer).

  • Firewall rules must be adapted per tier/subnet.

  • If necessary, segregate virtual machines and appliances onto dedicated hardware.

  • Always keep separate networks for production and non-production.


Perimeter Security:

  • Network policies based on whitelisting.

  • Deny all by default.

  • Apply port/protocol level filters.

  • Do not allow any-to-any rules.

  • Define system-to-system access policies with firewall rules or network policies.

  • Some cloud providers add external IP sources to the network policies or security groups of the services they manage, for monitoring, management or security scanning.

  • Make sure you validate that the whitelisted sources are trusted ones, for example a cloud-managed database service, a managed Kubernetes service or vulnerability scanners. Confirm these sources with your cloud provider.
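The segregation and perimeter rules above can be checked mechanically before a rule set is applied. The following is an added example, not code from the original article: a small auditor over a constructed list of firewall/security-group rules that flags a missing trailing deny-all, any-to-any allows, rules without a port or protocol filter, allows that cross the production/non-production boundary, and external sources that are not on the list of sources confirmed with the cloud provider. All CIDRs and tier names are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: documentation CIDRs stand in for the managed-service
# and scanner sources you confirmed with your cloud provider (not real ranges).
TRUSTED_EXTERNAL = {
    "managed-db-service": ipaddress.ip_network("198.51.100.0/24"),
    "vuln-scanner": ipaddress.ip_network("203.0.113.8/29"),
}
# Internal tiers: production and non-production never share a network.
TIERS = {
    "prod": ipaddress.ip_network("10.10.0.0/16"),
    "nonprod": ipaddress.ip_network("10.20.0.0/16"),
}

@dataclass
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    ports: str    # "443", "5432-5433" or "any"

def tier_of(net: ipaddress.IPv4Network) -> Optional[str]:
    """Name of the internal tier a CIDR belongs to, or None if it is external."""
    return next((n for n, t in TIERS.items() if net.subnet_of(t)), None)

def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per violation; an empty list means the set passes."""
    findings = []
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "0.0.0.0/0"
            and last.dst == "0.0.0.0/0" and last.proto == "any"):
        findings.append("no trailing deny-all rule: traffic is not denied by default")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if src.prefixlen == 0 and dst.prefixlen == 0 and r.proto == "any":
            findings.append(f"rule {i}: any-to-any allow")
            continue
        if r.proto == "any" or r.ports == "any":
            findings.append(f"rule {i}: missing port/protocol filter")
        s_tier, d_tier = tier_of(src), tier_of(dst)
        if s_tier and d_tier and s_tier != d_tier:
            findings.append(f"rule {i}: crosses tiers {s_tier} -> {d_tier}")
        if s_tier is None and not any(src.subnet_of(t) for t in TRUSTED_EXTERNAL.values()):
            findings.append(f"rule {i}: source {r.src} is not a validated trusted source")
    return findings
```

Run `audit()` against an exported rule set in a pipeline step and fail the deployment when it returns any finding.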


Single Secure Entry point:

  • Make sure the device where requests land first is secure. It must be a single trusted endpoint exposed with IP segregation, DNS-based backend mapping, WAF features that implement OWASP policies, and DDoS protection.

  • You can use services like Cloudflare or Akamai. These also come with a CDN, which keeps your app endpoint flexible to point at wherever you host the backend and helps with static asset migrations.

  • Configure certificate management for SSL certificate generation, renewal and offloading.

  • Use mutual TLS to establish a zero-trust policy with any third-party application endpoint.


Dedicated interconnected Links:

If you are running your services in a hybrid cloud model, or you have a DC and DR setup, you need direct links between your clouds or sites. These help ensure:

  • Minimum latency and better performance if you have third-party connections.

  • Privacy of data in transit between the sites, to avoid man-in-the-middle attacks. Be the owner of your entry points.

  • Fault tolerance with dual ISP links, so that if one path fails another is available.

  • For data replication you need latency below 1 ms between the two sites. This can only be achieved through a direct dedicated connection, for example MPLS, GCP Direct Connect, Alicloud Express Connect etc.

  • Some people think a site-to-site VPN is sufficient to connect two locations; it is not. Remember that a VPN over the internet can give you secure connectivity, but not the latency.


Let's delve into the comparison between cloud and on-premise networking, addressing specific considerations such as subnet and VLAN configuration, hardware limitations, management complexity, and more.


Cloud v/s On-Premise:

Cloud Networking - Pros:

  1. Scalability: Cloud networking offers unparalleled scalability, allowing businesses to swiftly expand or contract their infrastructure based on demand. With Virtual Private Clouds (VPCs) readily available in all packages, scaling up becomes seamless without the need for additional hardware procurement.

  2. Ease of Management: Cloud providers handle the majority of network management tasks, from configuring VLANs to managing backups and ensuring redundancy. This alleviates the burden on internal IT teams and reduces the risk of human error.

  3. Cost Efficiency: Cloud networking eliminates the need for upfront hardware investments and the ongoing maintenance costs associated with on-premise solutions. Businesses pay only for the resources they consume, making it a cost-effective option, especially for startups and small enterprises.

  4. Global Accessibility: With cloud networking, geographic barriers are virtually nonexistent. Data and applications can be accessed from anywhere with an internet connection, facilitating remote work and enhancing collaboration across distributed teams.

Cloud Networking - Cons:

  1. Cost of Operation: Cloud services typically operate on a subscription-based model, requiring ongoing payments for usage and support. While this eliminates the need for upfront hardware purchases, businesses must budget for recurring expenses and ensure timely renewal of licenses and warranties to maintain service continuity.

On-Premise Networking - Pros:

  1. Data Localisation and Security: On-premise networking provides businesses with greater control over data localisation and security compliance. Critical data remains within the organisation's physical premises, reducing the risk of unauthorised access or data breaches.

  2. Customisation and Control: On-premise solutions offer unparalleled customisation and control over network configurations, allowing businesses to tailor infrastructure according to specific requirements and compliance standards.

  3. Predictable Performance: By eliminating reliance on external network providers, on-premise networking can deliver more predictable performance, particularly for latency-sensitive applications or industries with stringent uptime requirements.

  4. Infrastructure Ownership: Businesses retain ownership of hardware components, providing greater flexibility in hardware upgrades, maintenance schedules, and lifecycle management.

On-Premise Networking - Cons:

  1. Limited Scalability: While on-premise networking offers control and customisation, scalability can be a significant challenge. Adding new subnets requires manual configuration of VLANs on hardware firewalls, which is time-consuming and prone to errors. Additionally, hardware limitations, such as switch port capacity, may constrain expansion.

  2. Management Complexity: Self-management of network infrastructure, from switches to firewalls and backup ISP links, can be complex and resource-intensive. IT teams must possess the necessary expertise to configure, monitor, and troubleshoot the entire network stack effectively.

  3. Cost and Resource Overhead: On-premise networking entails upfront capital expenditure for hardware procurement, as well as ongoing costs for maintenance, upgrades, and license renewals. Infrastructure development and testing can be costly and time-consuming due to the heavy licensing of virtualisation software for networking devices.

  4. Hardware Failure Risks: With on-premise networking, businesses assume the risk of hardware failures, which can disrupt operations and require prompt resolution to minimise downtime. Redundancy measures must be carefully implemented to mitigate the impact of potential failures.


Key Points For Network Security:

  • For every new subnet, a new VLAN must be configured manually on the hardware firewall, then ports need to be mapped, and only then can it be used in the virtualisation platform.

  • Switch ports are limited, while VPCs are free with all packages.

  • From switches to firewalls to backup ISP links, everything is self-managed.

  • Packet drops between software switches and firewalls.

  • Bandwidth and latency limitations.

  • Warranty and license renewals.

  • Most virtualisation options for networking devices such as routers, switches, firewalls and VPNs are limited and heavily licensed. This makes infrastructure development and testing very costly and time-consuming.

  • Although on-premise has some advantages over cloud, such as data localisation and security, when it comes to scalability it becomes a bottleneck rather than an accelerator.


In conclusion, the choice between cloud and on-premise networking hinges on various factors, including scalability requirements, security concerns, budget considerations, and performance expectations.


While cloud networking offers agility, cost efficiency, and global accessibility, on-premise networking provides greater control, customisation, and data security.


Businesses must evaluate their unique needs and priorities to determine the most suitable approach for their networking infrastructure, weighing the trade-offs between convenience, control, and cost-effectiveness.




 

www.10factorinfra.com


 


Thanks & Regards

Kamalika Majumder
