Domain 4.3

Network Security - Infrastructure and network design
Published

June 11, 2026

On-premise and cloud computing

There are two main ways to have access to servers. Either buying them and maintaining them or subscribing to a cloud service provider.

On-premise data centers

When it comes to op-premise data centers, it usually requires a place like a building or a specific room with:

  • Power
    • Big data centers consume a tremendous amount of power.
    • This power need to be constant and consistent.
    • A system should include generators for bakup and batteries to take the load while the generators stabilise.
  • HVAC (Heating, ventilation, and air conditioning)
    • The recommendation for maximum uptime and hardware life is 18-27 C
    • Sensors should be placed at the top, bottom and middle of the rack
    • Not only cooling but also we should think about contaminants and noxious fumes
    • Monitoringfor water or gas leaks, sewer overlowor HVAC failure should be integrated
  • Fire suppression
    • Apropraite fire detection and suppression equipment must be considered
    • Depends on the usage. For example: water suppression sytems might be baf^d. for electronics but gas based ones would be toxic for humans
  • Redundancy
    • Critical components such as power supplies, network connections, and storage systems should be duplicated to eliminate single points of failure.
    • Redundant internet links and failover mechanisms should be implemented to ensure service continuity during hardware or network outages.

Cloud computing

“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of contigurable computing resources (such as networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” - NIST SP 800-145

Cloud computing is scalable, elastic, and easy-to-use for the provisioning and deployment of Information Technology (IT) services.

  • Resource Pooling - cloud computing allows you to pool resources by having some principles:
    • Broad Network Access - available over the network with standard protocols, allowing access from any device with no setup
    • Rapid Elasticity - can scale up and down quickly, appearing as unlimited capacity to the user
    • Measured Service - usage is tracked and measured so you only pay for what you consume
    • On-demand Self-Service - no human interaction needed to provision resources
  • It can come as a service:
    • SaaS (Software as a Service) - fully functional applications delivered over the internet; the user just uses the app (e.g. Gmail, Slack)
    • PaaS (Platform as a Service) - provides a platform to build and deploy applications without managing the underlying infrastructure (e.g. Heroku, Google App Engine)
    • IaaS (Infrastructure as a Service) - provides raw computing resources like virtual machines and storage; the user manages everything above the hardware (e.g. AWS EC2, Azure VMs)
  • And be of different types:
    • Public - infrastructure owned by a third-party provider and shared over the internet (e.g. AWS, Google Cloud)
    • Private - infrastructure used exclusively by one organization, offering more control and security
    • Hybrid - a mix of public and private, allowing data and workloads to move between them
    • Community - shared infrastructure between organizations with common concerns (e.g. compliance, mission)
  • Redundancy
    • Cloud providers usually have multiple data centers so redundancy will come as standard practice rather than something you need to manage yourself

Managed Service Provider (MSP)

A Managed Service Provider (MSP) is a company that manages IT services and/or provides IT expertise on behalf of a business. This can include infrastructure management, support services, and staff augmentation.

Unlike a Cloud Service Provider (CSP), which provides cloud infrastructure or platforms (such as storage, computing power, or databases) that customers use and manage themselves, an MSP actively operates and manages services for the customer.

  • An MSP might handle:
    • Augmenting in-house staff for projects
    • Managing payroll services
    • Running help desk support
    • Monitoring and responding to security incidents
    • Managing IT infrastructure
    • Providing expertise for implementing products or services

Memorandum of Understanding (MOU) & Memorandum of agreement (MOA)

To enhance Business continuity and Disaster Recovery capabilities, some companies will create agreements with other similar organizations. These agreemets will allow company A to use partially company B’s infrastructure in case of disaster to maintain business continuity. These agreements will sometimes be done with competitors because the infrastructure available might be similar but it portects both sides in case of a threat to one of them.

MOA/MOU defines what can be done with a system or data at a high level. An SLA (service level agreement) is much more detailed and defines exact service expectations like uptime, response time, staffing, or data access speed.

When outsourcing (especially cloud services), SLAs matter because they spell out precise guarantees—like response times or availability. You have to be careful, because “100% access” might mean different things depending on how it’s defined. Legal review is important before agreeing.

SLA (service level agreement)

A cloud SLA is a legal agreement between a cloud provider and customer that defines measurable service levels (such as availability, performance, security, and support), along with data ownership, compliance, and procedures for failure, data handling, and service termination.

Network design

Segmented network

A network divided into smaller, isolated segments improves security, enhances performance, and limits how far an attack or traffic issue can spread. For example, a dedicated segment can be created for embedded systems (connected printers, smart TVs, HVAC controls, etc.) and another for network-enabled devices such as game consoles and smartphones.

Embedded systems and internet-connected devices are generally considered Internet of Things (IoT) devices and require special attention to ensure that their communications cannot be exploited for malicious purposes. This is particularly important because many of these systems interact with real-world utilities and processes, meaning that a compromise could result in damage to people or property. In addition, IoT devices often support multiple communication interfaces, including Bluetooth, Ethernet, and Wi-Fi, which increase the potential attack surface and require appropriate security measures.

Another challenge with IoT and embedded devices is their limited ability to receive security updates. Many of these systems run firmware stored on dedicated chips and may require physical access to apply updates and security patches. Even when remote updates are supported, patches are often released infrequently or applied with significant delays. As a result, IoT devices are typically more vulnerable than workstations and servers, which run operating systems that receive regular security updates and benefit from more mature patch management mechanisms.

Microsegmentation

Microsegmentation helps securing a network by enforcing very fine-grained control over communication between individual devices and applications, limiting lateral movement even inside the same network segment.

Example: - “Workstations vs servers vs HR vs guest” → segmentation - “HR laptop can only talk to specific HR services, not other devices even in same VLAN” → microsegmentation

VLAN

A VLAN (Virtual Local Area Network) is a logical network segment that allows multiple isolated networks to share the same physical infrastructure.

  • VLANs are configured on switches to create separate Layer 2 broadcast domains.
  • Devices within the same VLAN communicate as if they are on the same local network, even across multiple switches.
  • Communication between VLANs is not allowed by default and requires routing with explicit rules. (e.g., VLAN for datacenter cna allow connections between servers but only allow requests from outside on specific ports)
  • VLANs reduce broadcast traffic and improve network performance (e.g., separating voice-over-IP traffic from regular data traffic).
  • VLAN membership can be based on switch ports, IP subnets, MAC addresses, or protocols.
  • VLANs improve security by isolating traffic but do not guarantee it, as attacks like VLAN hopping can bypass weak configurations.
  • VLANs can be integrated with NAC (Network Access Control) to assign users dynamically to specific VLANs, including over Wi-Fi.

DMZ

A “buffer zone” network between the internet and internal network; hosts public services (like web or mail servers) while isolating the internal LAN from direct exposure.

  • Public services in the DMZ can be reached from the internet, but should not be able to initiate connections into the internal LAN unless explicitly permitted
  • The internal network can access the DMZ for management, updates, and monitoring (e.g. SSH/RDP from admin subnets)
  • If a DMZ server gets compromised, attackers are significantly restricted from pivoting into the internal network
  • DMZ servers may need to access internal data, but this should go through controlled interfaces (APIs, proxies, or tightly scoped firewall rules) using secure, encrypted channels

VPN

A VPN (Virtual Private Network) is a point-to-point connection between two hosts that enables communication over a network.

  • It is not inherently encrypted by definition; encryption depends on the security protocols configured
  • Security is achieved only when proper protocols are selected to create a trusted communication path over an untrusted network (e.g., the internet)
  • Remote access VPNs allow users to connect to their organization’s network from outside locations
    • Remote users can often access many of the same resources as if they were physically in the office
  • Gateway-to-gateway VPNs are used to connect entire networks securely over the internet

NAC (network access control)

A Network Access Control (NAC) system controls and monitors which devices and users are allowed to connect to a network based on defined security policies. While a switch connects devices, a router forwards traffic between networks, and a firewall filters traffic according to security rules, a NAC determines whether a device or user is allowed to access the network and under what conditions.

  • Network Access Control; system that checks and enforces device/user security before allowing access to the network (e.g. posture checks, authentication, permissions)
    • Today, connections are no longer strictly internal due to BYOD, IoT devices, remote work, and temporary users
    • Can enforce policies based on the operating system, patch level, antivirus status, device type, user identity, and many other attributes
    • Provides network visibility for all connected users and devices, including guests and contractors
    • Ensures devices comply with organizational security policies before granting access
    • Identifies noncompliant devices and isolates them in a quarantine network
    • Can remediate security issues automatically, such as enabling endpoint protection
    • Supports incident response through visibility into connected devices and their activities
    • Goal: allow only compliant devices and users to access the network and limit the risk posed by unmanaged or insecure systems

Defense in depth

Layered security approach that combines administrative, technical, and physical controls to reduce risk if one layer fails.

  • Data controls – protect information itself using encryption, backups, and access control (IAM, least privilege)
  • Application controls – secure applications using tools like WAFs (web application firewalls), input validation, and database activity monitoring
  • Host controls – security on individual devices/servers such as antivirus, endpoint detection and response (EDR), host firewalls, and patch management
  • Internal network controls – monitor and restrict lateral movement using IDS/IPS, NAC, and network segmentation
  • Perimeter controls – protect entry/exit points of the network using firewalls, secure DMZs, proxy gateways, and filtering systems
  • Physical controls – prevent physical access to infrastructure (locks, badges, CCTV, secured server rooms, barriers)
  • Policies, procedures & awareness – administrative controls like security policies, training, incident response procedures, and user awareness programs to reduce human risk
  • Zero Trust Network – “never trust, always verify”; every user/device is continuously authenticated and authorized, even inside the network, with strict identity-based access and micro-segmentation
    • Increasing the number of security controls (e.g., firewalls and boundary devices) creates more checkpoints to detect suspicious activity early.
    • Once inside a network, user (or attacker) can’t just roam around
    • Requires frequent reauthentication of users and devices to maintain access