notes blog about

If you can’t talk to a component at all, it’s difficult to compromise.

If everything were configured absolutely perfectly, you could safely have no network controls at all.

IP whitelisting is still important as long as it isn’t the primary defense or auth method:

You place simpler, less-trusted components in DMZ (proxy, LB, static content web server); if that component is comprimised, it should not provide large advantange to the attacker.

Proxies (forward, reverse) are useful for both functional and security requirements. Although you can have proxy for almost any protocol; there are usually HTTP/HTTPS proxies.

Network features virtualization (NFV) or virtual network functions (VNFs) reflect the idea you no longer need a dedicated box for FW, router or IDS/IPS.

Overlay network is a virtual network often accomplished by encapsulation (VxLAN, GRE, IP-in-IP).

Virtual Private Cloud (VPC) despite its name generally deals only with network isolation. Allows you to keep the majority of your app in private area reachable only by you. Usually implemented via SDN and/or overlay network.

NAT is used heavily in cloud. Originally to combat shortage of IP addresses by using the same RFC1918 ipaddr in many parts of the internet and translating them to publicly routable addresses. NAT is not security but it implies existence of a FW.

IPv6 security improvements: mandatory support for IPsec transport security, cryptographically generated addresses, larger address space difficult to scan.

Prioritize network controls in the following order (don’t put bars on second-story windows before your doors have a lock).

Ecnryption in motion

FW implementations in the cloud

The first FW control you should design is a permiter of some form.

Admin access

WAF and RASP

Anti-DDoS

IDS/IPS

Egress filtering protects against data exfiltration and watering hole attack (e.g. you pull update from a malicious server).

Data loss prevention (DLP) watches for sensitive data that are imrpoperly stored or are leaving the environment.

Source: Practical Cloud Security (2019)