Chapter 59 Β· Examples

Network Infrastructure in Practice

Air gap and physical segmentation tradeoffs, VLAN hopping attacks, SDN management plane compromise, and hybrid cloud network design walkthroughs.

Example 1 Β· Air Gap vs. VLAN β€” The MSP Customer Isolation Decision

A managed service provider (MSP) manages IT infrastructure for 80 business customers. The MSP hosts customer virtual machines, manages customer firewalls, and stores customer backup data. Each customer's data and network traffic must be isolated from every other customer β€” a breach of one customer's environment must not be able to compromise another.

The MSP's security architect is evaluating two isolation approaches:

Option A β€” Physical isolation (air gap):
  Each customer gets dedicated physical switches
  No cable between any two customers' switches
  80 customers Γ— 2 switches (primary + backup) = 160 switches minimum
  Additional switches required as customers grow
  Isolation: maximum β€” no network path between customers
  Cost estimate: 160 Γ— $3,000/switch = $480,000 in switch hardware alone
  Adding customer 81: purchase and rack 2 new switches

Option B β€” VLAN logical segmentation:
  Each customer assigned dedicated VLANs on shared switch infrastructure
  802.1Q tagging isolates customer broadcast domains
  ACLs on Layer 3 devices block all inter-customer traffic
  4 high-density switches (48-port) serve all 80 customers
  Isolation: strong β€” isolated Layer 2 domains, ACL-enforced inter-VLAN policy
  Cost estimate: 4 Γ— $8,000/switch = $32,000 in switch hardware
  Adding customer 81: assign new VLAN IDs in software β€” no hardware purchase

The architect's decision and reasoning:

The MSP chooses VLAN segmentation for the following reasons: The $448,000 hardware cost difference is prohibitive. The isolation strength of VLANs is sufficient for the risk profile β€” the MSP is not handling classified government data or industrial control systems. VLAN hopping risk is mitigated by disabling DTP on all access ports and restricting trunk negotiation to deliberate uplinks only.

However, for one specific customer β€” a healthcare organization handling PHI under HIPAA β€” the MSP provisions physical segmentation: dedicated switches, no shared infrastructure with other customers. The regulatory and liability exposure of a healthcare data breach between customers justifies the additional hardware cost for that single customer.

The key takeaway: Air gaps and physical segmentation are not always the answer β€” they are the answer when the consequence of any cross-segment communication is catastrophic. For standard commercial isolation needs, VLAN segmentation with proper configuration is the accepted industry approach.

Example 2 Β· VLAN Hopping Attack β€” Switch Spoofing

A university network has three VLANs: VLAN 10 (students), VLAN 20 (faculty and staff systems), and VLAN 30 (research data servers containing grant data and research files). The network was configured to prevent students from reaching the research VLAN. A student in a network security course learns about VLAN hopping and attempts the attack from their dorm room workstation.

The attack β€” switch spoofing:

Student workstation is connected to access port on Switch 3, assigned to VLAN 10

Step 1: Student installs a Linux tool that sends 802.1Q trunk negotiation frames (DTP frames)
Step 2: Switch 3 is configured with default settings β€” auto trunk-negotiation enabled on all ports
Step 3: Switch 3 receives DTP frames from student workstation, believes it is connecting to
  another switch, and establishes a trunk link to the student's machine
Step 4: Student's machine now receives frames tagged for VLAN 10, VLAN 20, AND VLAN 30

From VLAN 30 access:
  Student scans 192.168.30.0/24 β†’ discovers research-server-01, research-server-02
  research-server-01 has SMB shares accessible without authentication (misconfigured)
  Student mounts SMB share β†’ downloads 14 GB of grant proposal data

Why the attack succeeded:

Prevention β€” two configuration changes that would have blocked the attack:

  1. Disable DTP on access ports: switchport nonegotiate on all ports connected to end devices prevents the switch from responding to trunk negotiation frames. The student's DTP frames would have been ignored.
  2. Explicitly configure port mode: switchport mode access forces the port to access mode regardless of what frames it receives β€” it will never become a trunk port regardless of the connected device's behavior.

Example 3 Β· SDN Management Plane Compromise

A financial services company runs its trading platform on a private cloud environment using SDN-based networking. The SDN controller manages virtual firewalls, routing, and security groups for 400 virtual machines across production, staging, and development environments. The SDN controller is accessible via a REST API and HTTPS management console.

During a penetration test, the security team discovers that the SDN controller's management console is accessible from the production VLAN β€” not just from the dedicated management VLAN as it should be. A developer's workstation in the production VLAN is compromised via a phishing attack.

Attacker pivot from compromised developer workstation (VLAN 10 Production):

Step 1: Port scan from VLAN 10 β†’ discovers SDN controller at 10.0.10.50, port 443
Step 2: Tries default credentials admin/admin β†’ rejected
Step 3: Performs credential spray with list of 20 common enterprise passwords
Step 4: admin/Netw0rk2024! succeeds β†’ full SDN controller access

Actions from SDN management plane:

Action 1: Disable firewall rule blocking production VLAN β†’ database VLAN communication
  Before: DENY src:VLAN10 dst:VLAN30 (database)
  After: PERMIT src:VLAN10 dst:VLAN30 (attacker removed the deny rule)

Action 2: Create new management account for persistent access
Action 3: Disable logging for VLAN 10 β†’ VLAN 30 traffic (cover tracks)
Action 4: Begin exfiltrating database contents (now directly reachable)

What the management plane compromise enabled: By gaining access to the SDN controller (management plane), the attacker could instantly reconfigure the security policy for all 400 virtual machines β€” removing firewall rules, creating backdoor routes, and disabling logging. The entire VLAN segmentation architecture became meaningless because the attacker could simply remove the access control rules.

Controls that would have prevented this:

  1. Management VLAN restriction: The SDN controller should be accessible only from the dedicated management VLAN (VLAN 40), not from production VLANs. A firewall rule blocking production VLAN access to the management interface would have prevented the initial discovery.
  2. MFA on management access: Password spray would not have succeeded if the management console required a second factor. Even with the correct password, the attacker would need the MFA token.
  3. Default credential elimination: Any account with admin/Netw0rk2024! should not exist in a financial services environment. A password audit would have identified this weak credential before attackers did.
  4. SIEM alerting on management plane changes: Firewall rule deletions are high-severity events. An alert on any ACL removal or rule modification during business hours β€” and immediate escalation for out-of-hours changes β€” would have detected the attack before database exfiltration completed.

Example 4 Β· SDN Data vs. Control vs. Management Plane in Practice

A network engineer is troubleshooting a routing problem. A virtual machine in Subnet A (192.168.10.0/24) cannot reach a server in Subnet B (192.168.20.0/24) in an SDN environment. The engineer must understand which plane each symptom and fix belongs to.

Symptom: VM A (192.168.10.5) cannot ping Server B (192.168.20.10)

Diagnosis step 1 β€” Management Plane:
  Engineer SSHes to SDN controller (management plane access)
  Checks configured routing policy and security group rules
  Discovers: no route configured from 192.168.10.0/24 to 192.168.20.0/24

Diagnosis step 2 β€” Control Plane:
  Engineer queries routing table on virtual router (control plane state)
  Confirms: 192.168.20.0/24 is not in the routing table
  Control plane has no path entry β†’ data plane cannot forward traffic

Fix β€” Management Plane:
  Engineer adds static route via management plane API:
  POST /api/routes {"dest":"192.168.20.0/24","next-hop":"192.168.20.1"}

Propagation β€” Control Plane:
  SDN controller updates routing table: 192.168.20.0/24 via 192.168.20.1
  Control plane distributes updated table to relevant virtual switches

Result β€” Data Plane:
  Virtual switch now has routing entry in forwarding table
  VM A sends packet β†’ data plane looks up 192.168.20.10
  Finds route β†’ forwards packet to Server B β†’ ping succeeds

The plane interaction pattern: The administrator interacts with the management plane (SSH/API) β†’ the management plane updates control plane state (routing table) β†’ the control plane provides updated forwarding information to the data plane β†’ the data plane forwards actual traffic. This top-down flow applies to every network configuration change: the change is always entered through the management plane and eventually expressed as data plane forwarding behavior.

Exam Scenario Β· Hybrid Network Architecture Design

Scenario: A healthcare organization is designing a network architecture for a new data center. They have four requirements: (1) Medical devices on the clinical network must be completely isolated from the corporate IT network; (2) Finance, HR, and Engineering must be segmented from each other but can communicate through controlled paths; (3) Cloud workloads must integrate with on-premises infrastructure; (4) All network device management interfaces must be inaccessible from user workstations. Answer the following:

A. What segmentation approach should be used for the medical device network?

Physical isolation (air gap). Medical devices are safety-critical systems β€” a compromised medical device could have direct patient safety consequences. The healthcare organization should provision dedicated physical switches for the clinical network with no physical connection to the corporate IT network. This cannot be defeated by software misconfiguration. VLAN segmentation is insufficient for this boundary because a VLAN configuration error, DTP misconfiguration, or compromised SDN controller could create an unintended path β€” unacceptable when patient safety is at stake.

B. What technology should be used for Finance, HR, and Engineering segmentation?

VLANs with a Layer 3 device enforcing inter-VLAN access policy. Finance gets VLAN 10, HR gets VLAN 20, Engineering gets VLAN 30. The Layer 3 device applies ACLs at the routing boundary: Finance can reach Engineering on specific approved ports (e.g., HR systems on 8443), but Engineering cannot directly reach Finance systems. This is the cost-effective, scalable standard for enterprise departmental segmentation. Physical segmentation for three internal departments would be cost-prohibitive and offers no additional security benefit given the comparable isolation of properly configured VLANs.

C. What technology enables the cloud integration requirement?

SDN in the cloud environment, combined with a dedicated private connection (AWS Direct Connect / Azure ExpressRoute) for the on-premises-to-cloud link. The cloud environment uses SDN to provision virtual firewalls, routing, and security groups programmatically. On-premises VLANs map to cloud VPC subnets via the private connection. The SDN management plane exposes APIs that allow the organization to manage cloud and on-premises network policy through unified IaC tooling. Critical: the cloud SDN controller and management plane must be restricted to the on-premises management VLAN, not reachable from user VLANs.

D. How is the management interface isolation requirement implemented?

A dedicated management VLAN (e.g., VLAN 99, 10.0.99.0/24) accessible only to IT staff workstations on the IT admin subnet. ACLs on the Layer 3 device block all access to 10.0.99.0/24 from user VLANs (Finance, HR, Engineering). Switch CLIs, router management ports, SDN controller consoles, and IPMI/iDRAC interfaces are all placed in VLAN 99. Any attempt to reach a management interface from a user VLAN is dropped at the Layer 3 device. SIEM alerts on any traffic attempting to cross from a user VLAN into the management VLAN, even if dropped.