
The network is the foundation of a solid, secure and stable infrastructure. That is why it is the first factor in The 10-Factor Infrastructure framework, and in this article we will learn how to build that foundation with secure and seamless networking.
Have you ever wondered why it is so convenient to blame anything on the network?
Probably because it is the root of the infrastructure, or because there is a significant lack of awareness of how it actually works.
Imagine you are constructing your home. How would you start?
First, you secure your plot from trespassers with a boundary wall.
You will probably also add an entry point to let in the people who are supposed to enter and work on the property.
Once the area is secured and marked out, you start designing the master plan of the house: the number of rooms, their types, passages and so on.
Throughout, you have to ensure there is seamless connectivity across the house while it stays secured against unwanted intrusion.
Building software infrastructure is similar; after all, it is the house where your potential best-selling software will be hosted.
The network is the root of the infrastructure: the stronger the root, the healthier the entire tree. Any loophole in it can compromise the entire software infrastructure. As with a house, a robust infrastructure needs secure and seamless connectivity across all systems and services.
How to build a network for compliance-ready modern infrastructure:
Secure & seamless network connectivity:
The four demands on the network, privacy, security, performance and accessibility, can be met by following the design parameters below.
1. Segregated Network:
To secure connectivity, the network should be segregated (subnetted) according to the incoming and outgoing access each part needs.
As in the house example above, the living room is accessible to all visitors, the bedroom is private to you, and the kitchen is visible to your guests but operated only by you. Likewise, identify the privacy layers in your network:
Is a segment "public", accepting ingress traffic from the internet; "private", with no incoming or outgoing internet access at all; or "protected", with outgoing internet access only (typically via a NAT gateway) and no inbound access?
Network privacy is achieved via VPCs and subnets if you are hosted in the cloud, or via VLANs and DMZs on premises and on legacy systems.
In the cloud, prefer VPCs over classic or dynamic (provider-default) networks so that you have your own restricted, dedicated address space rather than one shared with other tenants.
Configurations must be logically segregated or tiered by usage (e.g. per product or per customer).
Firewall rules must be adapted per tier/subnet.
If necessary, segregate virtual machines and appliances onto dedicated hardware.
Always keep separate networks for production and non-production, with non-overlapping address ranges so they can be peered and firewalled unambiguously.
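As an added example (not part of the original article), here is a small Python planner that turns these rules into something checkable: it carves a VPC CIDR into one subnet per tier and zone, states what the default route of each tier should point at, and verifies that production and non-production ranges do not overlap. The tier names are the article's; the mapping of tiers to route targets (internet gateway, NAT gateway, none), the CIDRs and the zone names are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List

# The three privacy layers from the text, mapped onto route-table semantics.
# The "igw" / "nat" / None targets are an assumption about how a cloud VPC
# would implement each layer, not something the article prescribes.
TIER_POLICY = {
    "public":    {"ingress_internet": True,  "egress_internet": True,  "default_route": "igw"},
    "protected": {"ingress_internet": False, "egress_internet": True,  "default_route": "nat"},
    "private":   {"ingress_internet": False, "egress_internet": False, "default_route": None},
}


def plan_subnets(vpc_cidr: str, zones: List[str], new_prefix: int = 24) -> Dict[str, Dict[str, str]]:
    """Carve vpc_cidr into one /new_prefix subnet per (tier, zone).

    Returns {tier: {zone: cidr}}; raises ValueError when the VPC is too small,
    rather than silently reusing a block for two tiers.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    blocks = vpc.subnets(new_prefix=new_prefix)
    plan: Dict[str, Dict[str, str]] = {}
    for tier in TIER_POLICY:
        plan[tier] = {}
        for zone in zones:
            try:
                plan[tier][zone] = str(next(blocks))
            except StopIteration:
                raise ValueError(
                    f"{vpc_cidr} cannot hold {len(TIER_POLICY) * len(zones)} /{new_prefix} subnets"
                ) from None
    return plan


def default_route_target(tier: str) -> str:
    """Where 0.0.0.0/0 in the tier's route table should point ("none" = no internet path)."""
    target = TIER_POLICY[tier]["default_route"]
    return target if target is not None else "none"


def check_no_overlap(env_cidrs: Dict[str, str]) -> List[str]:
    """Report environment pairs (e.g. prod vs staging) whose address ranges overlap.

    Overlapping ranges cannot be peered cleanly and make firewall rules ambiguous.
    """
    problems = []
    names = list(env_cidrs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ipaddress.ip_network(env_cidrs[a]).overlaps(ipaddress.ip_network(env_cidrs[b])):
                problems.append(f"{a} ({env_cidrs[a]}) overlaps {b} ({env_cidrs[b]})")
    return problems


if __name__ == "__main__":
    # Constructed sample: a production /16 split across two zones (hypothetical values).
    for tier, per_zone in plan_subnets("10.0.0.0/16", ["zone-a", "zone-b"]).items():
        print(f"{tier:9} default route -> {default_route_target(tier):4} {per_zone}")
    print(check_no_overlap({"prod": "10.0.0.0/16", "staging": "10.0.128.0/17"}))
```

Subnets are handed out tier by tier, so the public tier gets the first blocks in every zone and the private tier the last; the planner fails closed when the address space is too small instead of overlapping blocks, and the overlap check is the test to run before peering a non-production VPC with production.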
2. Perimeter Security:
Going back to the house construction example, we are now at the fencing stage: building the boundary wall with a trusted gateway. To secure the perimeter we need:
Network policies based on allowlisting (whitelisting).
Deny all traffic by default.
Port- or protocol-level filters on every allow rule.
Never allow any-to-any (any source, any port, any protocol).
System-to-system access policies enforced with firewall rules or network policies.
Some cloud providers add external IP sources to the network policies or security groups of the services they manage, for monitoring, management or security scanning. Make sure you validate that these allowlisted sources really are the provider's.
Likewise, managed services such as database, Kubernetes, security or monitoring services sometimes add public IP addresses to your routes so they can reach the agents, collectors or machines they manage. Treat these as entries to review rather than as implicitly trusted, and confirm each source against your cloud provider's documentation or published address ranges before accepting it.
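The following Python rule linter is an added example, not code from the article: it encodes the perimeter principles above as checks over a security-group-style rule set (trailing deny-all in each direction, no any-to-any, a port/protocol filter on every allow) and flags inbound sources, such as provider-added management ranges, that are not yet in your own verified allowlist. The Rule shape, the sample rules and the 203.0.113.0/24 and 198.51.100.0/24 ranges (RFC 5737 documentation prefixes) are assumptions for illustration, not any vendor's API.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One security-group / firewall entry (hypothetical shape, not a vendor's API)."""
    direction: str            # "ingress" or "egress"
    action: str               # "allow" or "deny"
    protocol: str             # "tcp", "udp", "icmp" or "any"
    port_from: Optional[int]  # None = every port
    port_to: Optional[int]
    cidr: str                 # source for ingress, destination for egress
    comment: str = ""


ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def _all_ports(r: Rule) -> bool:
    return r.port_from is None or (r.port_from == 0 and r.port_to == 65535)


def lint_rules(rules: List[Rule], trusted_cidrs: List[str]) -> List[str]:
    """Check a rule set against the perimeter principles; an empty list means it passed."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings: List[str] = []

    # Deny by default: each direction must end with an explicit deny-all.
    for direction in ("ingress", "egress"):
        in_dir = [r for r in rules if r.direction == direction]
        last = in_dir[-1] if in_dir else None
        if last is None or last.action != "deny" or ipaddress.ip_network(last.cidr) != ANY_V4:
            findings.append(f"{direction}: no trailing deny-all rule (default must be deny)")

    for r in rules:
        if r.action != "allow":
            continue
        net = ipaddress.ip_network(r.cidr)
        # No any-to-any: open CIDR plus every port and protocol.
        if net == ANY_V4 and r.protocol == "any" and _all_ports(r):
            findings.append(f"{r.direction}: any-to-any allow ({r.comment or 'no comment'})")
            continue
        # Every allow needs a port/protocol filter (ICMP has no ports, so only the protocol counts).
        if r.protocol == "any" or (_all_ports(r) and r.protocol != "icmp"):
            findings.append(f"{r.direction} {r.cidr}: allow without port/protocol filter")
        # Inbound sources other than 'the whole internet' must be ranges you recognise;
        # this is what catches a range a provider added for monitoring or management.
        if r.direction == "ingress" and net != ANY_V4 and not any(
            t.version == net.version and net.subnet_of(t) for t in trusted
        ):
            findings.append(
                f"ingress from {r.cidr} is not in the trusted allowlist "
                f"({r.comment or 'no comment'}); confirm it with your provider"
            )
    return findings


# Constructed sample rule set; the ranges are RFC 5737 documentation prefixes.
SAMPLE_RULES = [
    Rule("ingress", "allow", "tcp", 443, 443, "0.0.0.0/0", "public HTTPS"),
    Rule("ingress", "allow", "tcp", 22, 22, "203.0.113.0/24", "ops bastion"),
    Rule("ingress", "allow", "tcp", 10250, 10250, "198.51.100.0/24", "added by provider: managed k8s"),
    Rule("ingress", "allow", "any", None, None, "0.0.0.0/0", "temporary debugging"),
    Rule("ingress", "deny", "any", None, None, "0.0.0.0/0", "default deny"),
    Rule("egress", "allow", "tcp", 443, 443, "0.0.0.0/0", "outbound HTTPS via NAT"),
]
TRUSTED = ["203.0.113.0/24"]  # ranges you have verified yourself

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES, TRUSTED):
        print("FINDING:", finding)
```

On the sample set the linter reports three problems: the egress direction has no trailing deny, the provider-added 198.51.100.0/24 range is not on the verified list, and the "temporary debugging" rule is an any-to-any allow. Once you have confirmed a provider range, adding it to TRUSTED is the explicit act of trust the text asks for; the public 443 rule from 0.0.0.0/0 is left alone because an internet-facing tier legitimately accepts that.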
3. Single Secure Entrypoint:
Attacks like DDoS are inevitable once you are live on the internet. The only way out is to limit their impact on your business by hardening the application or service endpoint that is exposed to customers over the public internet. You need a secure gateway with a dedicated pipeline and enough capacity to absorb or scrub attack traffic so that connectivity to the actual services remains unaffected.
Make sure the device where requests land first is secure. It should be a single trusted endpoint, with IP segregation, DNS-based backend mapping, a WAF that implements OWASP-style rulesets, and DDoS protection.
Providers like Cloudflare and Akamai let you keep your public endpoint stable while pointing it at whatever backend you choose. They are also widely used CDN (Content Delivery Network) services that help with static asset hosting, caching and migrations.
Configure certificate management for TLS certificate issuance, renewal and offloading (termination at the edge). If TLS is terminated at the edge, re-encrypt to the origin and restrict the origin so that it only accepts traffic from the edge; otherwise the "single" entry point can be bypassed by connecting to the origin directly.
Mutual TLS is a must for a zero-trust policy on data in transit, whether for cross-service, cross-account or third-party integration: both sides present certificates, so a caller is authenticated by its certificate and not merely by its network location.
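As an added example (not from the article or any vendor's code), the Python check below enforces the single entry point at the origin: a connection is accepted only if the TCP peer is one of the edge provider's nodes, and the client address is taken from the X-Forwarded-For header only in that case, so a direct hit on the origin with a forged header is rejected. EDGE_RANGES is a constructed stand-in for a provider's published address list (the real one must be fetched from the vendor and refreshed), and the sample connections are invented.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-in for the edge/CDN provider's published egress ranges
# (documentation prefixes). Replace with the vendor's real list and refresh it.
EDGE_RANGES = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:100::/48"]


def build_allowlist(cidrs: List[str]) -> List[Network]:
    return [ipaddress.ip_network(c) for c in cidrs]


def from_edge(peer_ip: str, allow: List[Network]) -> bool:
    """True if the TCP peer address belongs to one of the edge ranges."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in allow if net.version == ip.version)


def admit(peer_ip: str, xff: Optional[str], allow: List[Network]) -> Tuple[str, str]:
    """Decide ("accept"|"reject", client_ip_to_log) for one origin connection.

    Only a peer that is an edge node may vouch for a client via X-Forwarded-For.
    With exactly one trusted hop, the rightmost XFF entry is the one the edge
    appended (the client it saw); anything left of it is client-controlled.
    """
    if not from_edge(peer_ip, allow):
        return ("reject", peer_ip)          # bypassed the edge: drop, whatever XFF claims
    if not xff:
        return ("accept", peer_ip)          # edge health probe or similar, no client behind it
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return ("accept", str(ipaddress.ip_address(hops[-1])))
    except (ValueError, IndexError):
        return ("reject", peer_ip)          # malformed header from a trusted hop: fail closed


def audit(connections, allow: List[Network]) -> List[str]:
    """Summarise (peer_ip, xff) pairs as 'verdict client_ip <- peer_ip' lines."""
    lines = []
    for peer, xff in connections:
        verdict, client = admit(peer, xff, allow)
        lines.append(f"{verdict} {client} <- {peer}")
    return lines


if __name__ == "__main__":
    allow = build_allowlist(EDGE_RANGES)
    sample = [                                      # constructed connection attempts
        ("203.0.113.7", "10.9.9.9, 192.0.2.44"),    # via edge; client 192.0.2.44, one forged hop
        ("192.0.2.44", "203.0.113.7"),              # direct-to-origin with a spoofed header
        ("2001:db8:100::5", None),                  # edge node, no client (e.g. health probe)
    ]
    for line in audit(sample, allow):
        print(line)
```

An IP allowlist on its own does not distinguish your tenant from any other customer of the same edge provider, nor does it authenticate the edge; pair it with the mutual TLS from the point above (the edge presents a client certificate that the origin verifies) so the origin refuses anything that is not your own edge configuration.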
4. Dedicated Interconnected Links:
If you run your services in a hybrid cloud model, or in a traditional DC/DRC (data centre and disaster recovery centre) setup, you need direct links between your cloud providers or data centres to ensure:
Minimum latency and better performance, including for third-party connections.
Privacy of data in transit between the sites, reducing exposure to man-in-the-middle attacks; be the owner of your entry points. Note that a dedicated link is private but not encrypted by default, so still run IPsec or MACsec over it for data that must stay confidential.
Fault tolerance with dual links from different carriers, so that if one path fails, another is available.
For data replication (especially synchronous replication) you need a latency below 1 ms between the two sites. This can only be achieved through a direct, dedicated connection, for example MPLS, AWS Direct Connect, GCP Cloud Interconnect or Alibaba Cloud Express Connect.
It is sometimes assumed that a site-to-site VPN is sufficient to connect two locations. It is not: a VPN over the internet gives you an encrypted channel, but the underlying path is still the public internet, so its latency and jitter are those of any internet connection and the path is not under your control.
Compliance Ready Network:
A robust infrastructure needs to have secure and seamless network connectivity across all systems and services.
To secure connectivity, the network should be segregated (subnetted) according to incoming and outgoing access, with firewall policies securing the perimeter. There should be a single secure entry point for traffic landing from the internet.
For seamless connectivity, dedicated private links should be used for site-to-site connectivity and data transmission.
If you like this article, I am sure you will find the 10-Factor Infrastructure even more useful. It compiles all these tried and tested methodologies, design patterns & best practices into a complete framework for building secure, scalable and resilient modern infrastructure.
Don’t let your best-selling product suffer due to an unstable, vulnerable & mutable infrastructure.
Thanks & Regards
Kamalika Majumder