Chapter 59 Β· Concepts

Network Infrastructure β€” Quick Reference

Segmentation comparison tables, VLAN mechanics, SDN plane breakdown, and cloud provisioning model.

Segmentation Approach Comparison

ApproachMechanismIsolation StrengthScalabilityDefeated ByPrimary Use Case
Air GapNo physical connection between segmentsMaximum β€” no path existsVery low β€” one switch per domainPhysical access only (USB, bridging device)Classified networks, ICS/SCADA, multi-tenant MSP isolation
Physical SegmentationSeparate physical hardware per segmentVery high β€” separate hardwareLow β€” dedicated hardware per segmentPhysical cable addition or misconfigured bridging deviceEnterprise data center tier separation, high-compliance
VLANIEEE 802.1Q logical tagging on shared physical switchHigh β€” isolated broadcast domainsHigh β€” many VLANs per physical switchVLAN hopping (switch spoofing on misconfigured access ports)Enterprise departmental segmentation, PCI CDE isolation
SDN Virtual NetworkSoftware-defined isolation in hypervisor networking layerHigh β€” enforced by hypervisorMaximum β€” thousands of virtual networks per hostHypervisor vulnerability or misconfigured security groupsCloud environments β€” VPCs, security groups, virtual firewalls

VLAN Mechanics β€” How 802.1Q Works

Port TypeVLAN MembershipFrame TaggingConnected ToSecurity Consideration
Access PortExactly one VLANUntagged β€” tag stripped before delivery to deviceEnd devices: computers, printers, serversMust be statically configured β€” disable auto trunk-negotiation (DTP) to prevent VLAN hopping
Trunk PortMultiple VLANsTagged β€” 802.1Q tag included on all framesOther switches, routers, Layer 3 switchesOnly designated uplinks β€” trunk on end-device port is an attack vector
Layer 3 Interface (SVI)One VLAN per SVIN/A β€” routes between VLANsInternal to Layer 3 switch or routerACLs applied at this interface control all inter-VLAN traffic

VLAN Use Case Map

VLANSubnetPurposeWho Can Reach ItACL Policy
VLAN 10 β€” Users192.168.10.0/24Employee workstationsInternet, VLAN 20 (web servers only, port 443)PERMIT TCP 443 to VLAN 20; DENY direct DB access; DENY management VLAN
VLAN 20 β€” Servers192.168.20.0/24Application and web serversVLAN 10 users (port 443), VLAN 30 DBs (port 3306)PERMIT TCP 3306 to VLAN 30; DENY all inbound from guest
VLAN 30 β€” Database192.168.30.0/24Database serversVLAN 20 app servers only (port 3306)DENY all except TCP 3306 from VLAN 20; IMPLICIT DENY ALL
VLAN 40 β€” Management10.0.40.0/24Network device management interfacesIT admin workstations onlyDENY all from user/server/guest VLANs; PERMIT only admin subnet
VLAN 50 β€” Guest172.16.50.0/24Visitor Wi-FiInternet onlyPERMIT internet access; DENY all access to internal VLANs
VLAN 60 β€” CDE (PCI)10.0.60.0/24Cardholder data environmentPayment processors only (authorized systems)DENY all except explicitly authorized PCI systems; strict logging

SDN Three Planes β€” Full Reference

PlaneAlso CalledRoleFunctionsPhysical EquivalentSecurity Target?
Data PlaneInfrastructure layer, forwarding planeForwards traffic based on tables built by control plane β€” the "doing" layerFrame forwarding, VLAN trunking, NAT address translation, in-line encryption/decryptionFront-panel switch ports where cables plug inLower β€” attackers typically target management or control first
Control PlaneControl layer, routing brainBuilds and maintains forwarding tables β€” the "decision" layer; does not forward traffic itselfIP routing table (static + OSPF/BGP), MAC address table, NAT state tables, session tables, dynamic routing protocol exchangeSwitch internal ASICs and CPU that builds the CAM/routing tablesMedium β€” compromised control plane redirects traffic (route injection, BGP hijacking)
Management PlaneApplication layerConfiguration and monitoring interface β€” the "administration" layerSSH CLI, HTTPS web GUI, APIs (Netconf/RESTCONF/REST), SNMP monitoringConsole port, out-of-band management interface, management IPHighest β€” management plane access = reconfigure any security control

SDN vs. Traditional Networking

CharacteristicTraditional Network DeviceSDN
All three planes locationIntegrated in one physical applianceSeparated β€” can run on different hardware or in software
Provisioning new deviceRack hardware, cable, configure manuallyAPI call β€” instantiated in seconds
Configuration methodCLI / GUI per device (per-device management)Centralized controller or API β€” push policy to thousands simultaneously
ScalingBuy, rack, cable, and configure new hardwareSpawn new virtual instance β€” seconds, no hardware
Infrastructure as CodeDifficult β€” each device configured individuallyNative β€” API management plane enables full IaC integration
Security policy consistencyManual per-device config β€” drift riskController pushes identical policy to all nodes β€” no drift
Physical requirementPhysical device in rackSoftware on commodity hardware or cloud compute

Management Plane Security Controls

RiskControlWhy Required
Unauthorized access to CLI/GUIMFA on all management access; SSH keys over passwordsPassword-only access is defeated by credential theft
Management traffic interceptedSSH and HTTPS only β€” disable Telnet, HTTP, SNMPv1/v2Telnet/HTTP transmit credentials in plaintext
Management access from arbitrary sourcesRestrict management plane to dedicated management VLAN; ACL blocks access from production VLANsAttacker on production network should not be able to reach management interface
Unauthorized configuration changesSIEM logging of all management plane events; alert on out-of-hours changesManagement changes are the mechanism for removing security controls
SNMP credential exposureUse SNMPv3 with authentication and encryptionSNMPv1/v2 community strings are plaintext β€” readable by anyone on the network path

VLAN Hopping Attack β€” Prevention Checklist

StepActionCommand Example (Cisco IOS)
1Explicitly set all end-device ports as access portsswitchport mode access
2Assign each access port to its specific VLANswitchport access vlan 10
3Disable DTP (Dynamic Trunking Protocol) auto-negotiationswitchport nonegotiate
4Only configure trunk on deliberate uplinks between switchesswitchport mode trunk (on uplinks only)
5Explicitly limit which VLANs are allowed on trunk portsswitchport trunk allowed vlan 10,20,30