Network Architecture: Virtualization, Cloud Computing, and Security

Posted on Dec 15, 2024 in Technology

Network Architecture

October 11, 2024

Objectives

  • Describe and explain virtualization technologies, including how virtual machines connect with a network and how networking infrastructure devices can be virtualized.
  • Describe cloud computing categories and models, and discuss concerns regarding cloud connectivity and security.
  • Secure network connections using encryption protocols.
  • Configure remote access connections between devices.

Virtualization

Virtualization Definition

Host

  • A virtual, or logical, version of something rather than the actual, or physical, version.
  • Physical computer “hosting” a virtual machine.

Guest

Hypervisor

  • Each virtual machine.
  • Creates and manages a VM.
  • Manages resource allocation and sharing between a host and any of its guest VMs.

Type 1 Hypervisor

Type 2 Hypervisor

  • It installs on a computer before any OS and is called a bare-metal hypervisor.
  • It installs in a host OS as an application and is called a hosted hypervisor.

Customize the VMs

Elements of Virtualization

  • A guest OS.
  • Amount of memory.
  • Hard disk size.
  • Processor type and other options.

AD_4nXdbyJEvzY_v8IsBRBOVugOAFjxHtuABVehbJElrYYDxwCJcPaW9OecTN9hYwynfzW48DEawcEn0o6adO97prCPMNVtlpoMIAKzFgtagACNPH3APqjKK_Y4Ks8TGGD8oGU3OtoK6KHw6Mu8gjvroc_GFor1q?key=mzG_zHXEw7btck8Y9A8qJuGS

AD_4nXet_evNMgvVvYlVmlMDOt1sdRLI7S7tFMBRIbC0WZNUzZvieOtKDp-UYLzGXvbMzICEI3X3n7NXdAKa8t1xZ91kM9ssWpHfZzUlYzfQOBBoBrIOCThOt90T0fsWviod5fpGlALU5Aj0oZJHM2XpeJNd6fCP?key=mzG_zHXEw7btck8Y9A8qJuGS

Advantages: Efficient use of resources, cost and energy savings, fault and threat isolation, simple backups, recovery, and replication.

Disadvantages: Compromised performance, increased complexity, increased licensing costs, single point of failure.

Network Connection Types

1 VM = 1 vNIC (virtual NIC)

VM’s vNIC is selected

Every VM has its own vNIC (virtual NIC):

  • Can connect the VM to other machines.
  • Operates at the Data Link layer.
  • Hypervisor creates a connection between that VM and the host.
  • Connection might be called a bridge or switch (vSwitch).

1 VM = Several vNICs

1 Host = Multiple vSwitches

Each VM can have several vNICs.

  • The maximum number depends on the limits imposed by the hypervisor.
  • Controlled by the hypervisor.

Host-Only Mode

  • VMs on one host can exchange data with each other and the host.
  • Cannot communicate with nodes beyond the host.
  • Never receive or transmit data with the host’s physical NIC.

Images

AD_4nXefydBcoxcCzjyETB6rgzoXdJQ8IJ0p7jDxJ-8qFi3Z0C-Cs54mBu1_Bs4SmOvcNZT1k3q7iv26NWV1JxajLVNIGyk11Jp4AT1OFn-SpUGqekf8f8HfmBAeNDUCWolYGt4GfUzPeU7E3qp-zTbXm0j6q2mf?key=mzG_zHXEw7btck8Y9A8qJuGS

AD_4nXe3RFNK4oesQkF3VjuZL1avMq_Mx-cvTQtXIMC7T-Q9QW7QtAfme7SqnfFiuoOZ2ZpSq_fHHuQk7MBU_bieMWXZpdrxfts9ZTiSlrjTr1nW8i5hhmfCFbbjAPY9Toa9A16ULkJlf15mtbCmYJjyfyo89L9a?key=mzG_zHXEw7btck8Y9A8qJuGS

Cloud Computing

Flexible provision of data storage, applications, and services to multiple clients over a network.

Features

vDesktops, Server Info

  • On-demand service.
  • Support for multiple platforms.
  • Resource pooling and consolidation.
  • Metered service.
  • Elastic services and storage.
    • Storage capacity can quickly or automatically be scaled up or down.
  • Can provide virtual desktops.
    • Operating environments hosted virtually.
  • Developers can load any kind of software on the servers and test it from afar.
    • Cloud services providers can make sure the development servers are secure, regularly backed up.
  • Most cloud service providers use virtualization software to supply multiple platforms to multiple users.

Characteristics

4 Categories

AD_4nXc0BrJl6HtDojLvOw0c7Z_QInYUg50O8ZMq469DnbEGx5bzbTcDaxXp3fVuvFdTp05j24Dm8knfpuEgR6yK4n2DEIbz9ipHHZxJRpQv-i-XtpAYuoLOXNdu6WubSJ9BpIHxFQLCAcbD04c-UG1S65eEETNr?key=mzG_zHXEw7btck8Y9A8qJuGS

Cloud computing service models are categorized by the types of services provided:

  • Traditional.
    • All hardware, software, and everything else is located and managed at the organization’s location.
  • IaaS (Infrastructure as a Service).
    • Hardware services and network infrastructure devices are provided virtually.
    • Including end-user interfaces such as HVDs (hosted virtual desktops).
  • PaaS (Platform as a Service).
    • OS, runtime libraries or modules the OS provides to applications, and the hardware on which the OS runs. Ex. Google Cloud, Microsoft Azure, AWS, IBM Cloud, Oracle Cloud Platform (OCP).
  • SaaS (Software as a Service).
    • Applications.
  • XaaS (Anything as a Service or Everything as a Service).
    • A broader model.
    • Cloud can provide any combination of functions.

AD_4nXeE3whayLLBh574t5Ho0OqFn78Vju-bGgRfqc9_hrBXN6mLOoMRUoDGpafyZcZ2of0yWbzaFtYsjNQ7jao57Eytr4J1JPMoC8mY0khY5CHlVPWY5lBXlcmFCFx10s_Qi6x4HhIkMSqK-LZTcnO0OkJtWGA?key=mzG_zHXEw7btck8Y9A8qJuGS

AD_4nXfr_wpY-ZROLuWomeAEIc8nO08VSVXgHLFA6lV4U7FM3toorTkw_kX1n9k0mnVBkjOh3E7H6YQWo1j2ybevHrgHtBfUn-gNjHuRIsJEOQ4yyR9ZbrLJafscDHXZaUPZq8LEDXCXZw?key=mzG_zHXEw7btck8Y9A8qJuGS

AD_4nXdlMwwX9e0PDg51f6RBbxT1ddZ3v21TOiG2L8pOnLvqhaDy5RplwUghs-kuW45hoWoCedH0J0lAcc6o47iaIM2xTdCDlcVSB1JcsBYeXXilElqloNG_jSGpkawjaBAHPKlEcnSPX623fN8aFXZVcSUYlo9v?key=mzG_zHXEw7btck8Y9A8qJuGS

Cloud Computing Service Models

AD_4nXfc4IJaBfH0Fh9YWGVrG8IamSZ7Iho_0_hZ09gBuRrhXbi7fYMhcj3DaCiS3V021y3IvC7Q359whzYprr988r9EXbyF-P2Xmt_jhZBxIrOJduYs45tx_mkAKQgPXMGo_OBjQ34KlBmqfZQs15aSzPVAUSaR?key=mzG_zHXEw7btck8Y9A8qJuGS

Deployment Models

Cloud services are delivered in a variety of deployment models.

Public Cloud

Private Cloud

  • Service provided over public transmission lines.
  • Service established on an organization’s own servers in its own data center.

Community Cloud

Hybrid Cloud

  • Service shared between multiple organizations.
  • Combination of the other service models into a single deployment.

Encryption Protocols

Use mathematical code, called a cipher, to scramble data into a format that can only be read by reversing the cipher.

  • Used to keep information private.
  • Primarily evaluated by three benchmarks (CIA Triad = principles of standard security model):
    • Confidentiality.
    • Integrity.
    • Availability.

Key:

  • Random string of characters.
  • Woven into original data’s bits.
  • Generates unique data block called ciphertext.
  • Created according to a specific set of rules (algorithms).

Key encryption can be separated into two categories:

  • Private key encryption.
  • Public key encryption.

Key pair = Combination of public and private keys.

Asymmetric encryption = Requires two different keys.

Digital certificate = Holds identification information and the user’s public key.

CA (certificate authority) = Issues, maintains digital certificates.

PKI (Public Key Infrastructure) = Use of certificate authorities to associate public keys with certain users.

Private Key Encryption

Public Key Encryption

  • Data is encrypted using a single key.
    • Known only by the sender and receiver.
  • Symmetric encryption.
    • Same key used during both encryption and decryption.
  • Data encrypted using two keys.
    • Private key: The user knows.
    • Public key: Anyone may request.
  • Public key server:
    • Publicly accessible host.
    • Freely provides users’ public keys.

IPsec (Internet Protocol Security)

Encryption protocol suite that defines rules for encryption, authentication, and key management for TCP/IP transmissions.

5-Step IPsec Secure Connection

  • IPsec initiation.

  • Key management.

  • Security negotiations.

  • Data transfer.

  • Termination.

SSL and TLS (Secure Sockets Layer and Transport Layer Security)

  • Both are methods of encrypting TCP/IP transmissions, including Web pages and data entered into Web forms.
  • Both protocols work side by side and are widely known as SSL/TLS or TLS/SSL.
  • When a client and server establish a SSL/TLS connection, they establish a unique session.
  • Association between client and server.
    • Defined by agreement.
    • Specific set of encryption techniques.
  • Created by SSL handshake protocol.
  • Handshake protocol.
    • Allows client and server to authenticate.
    • Similar to a TCP three-way handshake.

Remote Access

Service that allows a client to connect with and log on to a server, LAN, or WAN in a different geographical location. Requires a type of RAS (remote access server).

2 types of RAS:

  • Dedicated devices.
  • Software running on a server.

Types of remote access:

  • Point-to-point over a dedicated line.
    • A Data Link layer protocol; Directly connects 2 WAN endpoints.
    • Negotiate and establish a connection between two computers.
    • Use an authentication protocol to authenticate a client to a remote system.
  • Terminal emulation.
    • Also called remote virtual computing.
    • Allows a user on 1 computer to control another computer across a network connection.
    • Examples of command-line software:
      • Telnet
  • A terminal emulation utility that allows an administrator or other user to control a computer remotely.
  • Provides little security for establishing a connection (poor authentication).
  • Provides no security for transmitting data (no encryption).
    • SSH (secure shell)
  • A collection of protocols that provides for secure authentication and encryption.
  • Guards against a number of security threats:
    • Unauthorized access to a host.
    • IP spoofing.
    • Interception of data in transit.
    • DNS spoofing.
  • Developed by SSH Communications Security: Version requires a license fee.
  • Open source versions available: Open SSH.
  • Secure connection requires SSH running on both client and server.
  • Allows for password authentication using public and private key generation.
  • Configuration options:
    • Use 1 of several encryption types.
    • Require client password.
    • Perform port forwarding: Redirect traffic that would normally use an insecure port to a SSH-secured port.
    • Examples of GUI-based software:
      • Remote Desktop for Windows.
      • join.me
      • VNC.
      • Team Viewer.
  • Virtual private network (VPN).

AD_4nXdrfhztAGTrYQ8X2yWgV4Uy4FXflYFqqGoG0gz5cTSs99qvid7QAYuzZzF4aRRm_opyuw2ClYqBL69Ny_XmE6Zmq2J25NapUMHbXczuFjX21Vef9cVqt_gzUPs0C_xSQVXCEp6j7pUqctrGntR6FUqfEZjn?key=mzG_zHXEw7btck8Y9A8qJuGS

AD_4nXdgZw_EYw4XWjBFFfA_rCOZFbb5SePO6w7DywQJpiHcnd23hNFulvIWsqlGbqc1TyK2wMcune8sCK7D3mD4LrnKk9PA4iD3IQVUxnh89rgG3LjlNKqZZnpi4oI5C8iyljG6rDk-Ej2AY1ZnhBAAPxg5CvfN?key=mzG_zHXEw7btck8Y9A8qJuGS

VPNs (Virtual Private Networks)

A VPN is a network connection encrypted from end to end that creates a private connection to a remote network, sometimes referred to as a tunnel.

VPNs can be classified according to 3 models:

  • Site-to-site VPN.
  • Client-to-site VPN.
    • Also called host-to-site VPN or remote-access VPN.
  • Host-to-host VPN.

A router-based VPN is the most common implementation on UNIX-based networks.

  • Server-based VPNs are most often found on Windows networks.

VPN concentrator:

  • Authenticates VPN clients.
  • Establishes tunnels for VPN connections.
  • Manages encryption for VPN transmissions.

2 primary encryption techniques used by VPNs:

  • IPsec.
  • SSL.

AD_4nXfAiGY7jA6TJZb5sLorrafu9a6d3x1wY_AC1z6I3NHAIMdZLTG7JSVm8iwiW6pD1MLPPLc-ZVBHYXvAZLrIycl3EV-OPM8ofD8WFsuikNYOu4AHrrZjYdx2jTWHe4yXY7O47-LFCUX9fbAJI-XhJ--nvTZ6?key=mzG_zHXEw7btck8Y9A8qJuGS

AD_4nXdId1BmgyrwY2k3YsHUYLHJUNb8GNc1fpNnoAYBcpa2sa9NORjEFCt5Dx9K9f8_wgyYL9EG-4suOEL2bzMvVqqIzYsBDn64dpZYCL-2yClK8aiC_z2o3I0ZD6eG35I0lfbKUkzQgvSUr_mesnw5z_omGyQb?key=mzG_zHXEw7btck8Y9A8qJuGS

AD_4nXfmqeO-0DnoiQc6VKnABNcUgxkJwIaDU9XxUsTBdN6f7OJhxirLCmO_jd-beE8GlQp112G6clg6THfes9HnVCIRNau8F3r--09cABFFVOU6SAiDDffhbdRcHQWrnow9lufvGjkYCltPmmYnPf-nxMCsSjnj?key=mzG_zHXEw7btck8Y9A8qJuGS

VPN Tunneling Protocols

To ensure VPNs can carry all types of data securely. Special VPN protocols encapsulate higher-layer protocols in a process known as tunneling.

  • Many VPN tunneling protocols operate at the Data Link layer.
    • Encapsulate the VPN frame into a Network layer packet.
  • Some VPN tunneling protocols work at Layer 3.
    • Enables additional features and options.
  • PPTP (Point-to-Point Tunneling Protocol).
    • A Data Link layer protocol that directly connects two WAN endpoints.
    • PPP can:
      • Negotiate and establish a connection between two computers.
      • Use an authentication protocol to authenticate a client to a remote system.
  • L2TP (Layer 2 Tunneling Protocol).
  • GRE (Generic Routing Encapsulation).
  • Open VPN.
  • IKEv2.

CARP (Common Address Redundancy Protocol), which allows a pool of computers or interfaces to share one or more IP addresses. This pool is known as a group of redundancy or redundancy group. When using CARP, one device, acting as the group master, receives requests for an IP address, then parcels out the requests to one of several devices in the group.

In-Class Friday

October 11, 2024. There is no lab this week. Will introduce the group projects over reading week.