Chapter 59 · Security Advisory

Network Infrastructure Concepts

Physical isolation and air gaps, logical segmentation with VLANs, and Software Defined Networking — the three planes that make cloud networking possible.

NET-2024-001
Physical Isolation and Physical Segmentation
Severity: High

The Lateral Movement Problem

One of the core risks in any networked environment is lateral movement: an attacker who gains access to one device using that foothold to access other devices across the same network. If all devices share a flat, fully connected network, a single compromised endpoint potentially provides a path to every other endpoint. The fundamental defense is separation — building barriers that prevent or complicate the movement from one system to another.

The strongest possible form of separation is physical: if two devices have no physical connection, there is no path between them. An attacker who fully controls one cannot reach the other through any network-based technique. This is the air gap principle, and it is the baseline against which all other segmentation approaches are measured.

Physical Isolation — The Air Gap

Physical isolation means that two systems are separated by an air gap — there is literally no cable, no wireless link, and no intermediary device connecting them. Switch A and Switch B exist in the same building, but if there is no connection between them, a device on Switch A has no path to a device on Switch B through any network-based means.

This is the strongest segmentation boundary available. It is used in environments where the security consequence of any cross-segment communication would be catastrophic:

  • Web servers vs. database servers: All web servers in one rack connected to Switch A; all database servers in a separate rack connected to Switch B with no connection between the switches. Direct web-to-database communication is impossible at the network level — the application architecture must provide the controlled path.
  • Multi-tenant managed service providers: Customer A's devices on Switch A; Customer B's devices on Switch B. No cable between the switches. No configuration error, no VLAN misconfiguration, and no software vulnerability can create a path between Customer A and Customer B — because there is no path to create.
  • Classified or industrial networks: A classified network air-gapped from an unclassified network; an industrial control system air-gapped from the corporate IT network. These boundaries exist specifically to prevent network-based attacks against systems where compromise would have safety or national security consequences.
Air gap limitations: An air gap only prevents network-based lateral movement. An attacker with physical access — a malicious employee who plugs a USB drive into an air-gapped system, or an adversary who physically bridges the gap with a device — can bypass the air gap entirely. Air gaps are strong network boundaries, not physical security controls. They are also the least scalable approach: true isolation requires one switch (or set of switches) per isolated domain.

Physical Segmentation

Physical segmentation extends the isolation concept by using entirely separate infrastructure for each segment — separate switches, separate routers, separate cabling runs, and separate network equipment. Unlike a pure air gap, segments may be connected through controlled routing or bridging devices that enforce traffic rules between them, but each segment operates on its own dedicated hardware.

Physical segmentation provides a strong security boundary with clear, auditable infrastructure. An organization can physically inspect the cabling and verify which systems are connected to which switches. There is no software configuration that can accidentally bridge two segments — the physical infrastructure enforces the boundary.

The significant drawbacks are cost and scale. Building and maintaining separate physical infrastructure for each segment requires:

  • Multiple physical switches (one per segment minimum)
  • Separate cabling infrastructure between racks and network closets
  • Duplicate power feeds, UPS systems, and management ports
  • Physical space in data center racks for each isolated switch

For a managed service provider with 100 customers requiring isolation, physical segmentation means 100 separate physical switches minimum. Scaling to 1,000 customers would require 1,000 switches. This is the fundamental scalability ceiling of physical approaches, and it is the reason that logical segmentation technologies were developed.

ApproachIsolation StrengthScalabilityCostPrimary Use Case
Air gap (physical isolation)Maximum — no path existsVery low — one switch per domainHighClassified networks, ICS/SCADA, highest-security CDE environments
Physical segmentationVery high — separate hardwareLow — hardware per segmentHighEnterprise data center tier separation, high-compliance environments
NET-2024-002
Logical Segmentation with VLANs
Severity: High

Solving the Scalability Problem

Physical segmentation works but does not scale. The solution is to provide the security properties of physical separation while keeping all devices connected to the same physical switch hardware. This is what VLANs accomplish: Virtual Local Area Networks create logically isolated broadcast domains within a shared physical switch.

Instead of buying a separate switch for each segment, an administrator configures certain ports on a single physical switch as belonging to VLAN 10, and other ports as belonging to VLAN 20. From a network communication perspective, devices in VLAN 10 and devices in VLAN 20 behave exactly as if they were on physically separate switches. They cannot communicate with each other directly — there is no Layer 2 path between them. They are in separate broadcast domains.

The technical mechanism is IEEE 802.1Q tagging: the switch adds a VLAN identifier tag to each Ethernet frame, and frames tagged for VLAN 10 are only ever forwarded to ports that belong to VLAN 10. A device connected to a VLAN 20 port never sees frames from VLAN 10, and vice versa — even though both are physically plugged into the same switch hardware.

The Layer 3 Requirement

VLANs create isolated Layer 2 domains. Communication between VLANs — inter-VLAN routing — requires a Layer 3 device: a router or a Layer 3 switch. This is a critical distinction for the exam and for network design.

VLAN 10 (Users): 192.168.10.0/24
VLAN 20 (Servers): 192.168.20.0/24
VLAN 30 (Management): 10.0.30.0/24

User device (VLAN 10) → Server (VLAN 20):
  Cannot communicate directly (different Layer 2 domains)
  Packet must be routed through the Layer 3 device
  The Layer 3 device can apply ACLs at the routing step:
  PERMIT src:192.168.10.0/24 dst:192.168.20.10 TCP 443 (web server HTTPS)
  DENY src:192.168.10.0/24 dst:192.168.20.0/24 TCP 3306 (no direct DB access)
  IMPLICIT DENY ALL

This routing requirement is a security feature as much as a technical constraint: every packet crossing a VLAN boundary must pass through a Layer 3 device where access control lists can be applied. The Layer 3 device is the enforcement point for inter-VLAN traffic policy — it decides what communication is permitted between segments and what is not.

VLAN Use Cases in Enterprise Networks

VLANs are the standard enterprise segmentation tool. Common deployment patterns:

  • Department separation: Finance, HR, Engineering, and Guest each on separate VLANs. Users in Finance cannot reach Engineering systems directly — all traffic must be routed, where ACLs enforce policy.
  • Three-tier application architecture: Users on VLAN 10, application servers on VLAN 20, database servers on VLAN 30. Only the application servers can reach the database VLAN — the ACL on the Layer 3 device enforces this.
  • PCI-DSS Cardholder Data Environment (CDE): Payment systems isolated on a dedicated VLAN, with ACLs strictly controlling which systems can reach the CDE. VLAN segmentation reduces PCI audit scope to only the CDE VLAN.
  • Management VLAN: Network device management interfaces (switch CLI, router management port, IPMI/iDRAC) on a dedicated management VLAN reachable only by IT staff. Production traffic cannot reach management interfaces.
  • Guest network: Visitor Wi-Fi on a VLAN that has only internet access — no path to corporate resources regardless of what the guest user attempts.

VLAN Security Limitation — VLAN Hopping

VLANs are strong when correctly configured. The key misconfiguration risk is VLAN hopping — an attack technique where a device in one VLAN gains access to another VLAN's traffic without going through the Layer 3 routing device.

The most common method is switch spoofing: a malicious host sends 802.1Q trunk negotiation frames, causing the switch to establish a trunk link to the attacker's machine. A trunk port carries traffic for all VLANs — the attacker's machine then receives frames from every VLAN on the switch, not just the VLAN it should be isolated to.

Prevention: disable trunk auto-negotiation on all access ports. Ports connected to end-user devices should be statically configured as access ports for a specific VLAN — not as trunk ports and not as auto-negotiating ports. Only deliberately configured uplinks between switches should be trunk ports.

Physical vs. VLAN isolation: A physical air gap cannot be defeated by software misconfiguration — there is no cable to exploit. A VLAN separation can be defeated by misconfiguration. For systems where the consequence of any cross-segment communication is catastrophic (classified data, industrial control systems, payment HSMs), physical isolation remains the appropriate control regardless of VLAN capability.
NET-2024-003
Software Defined Networking — The Three Planes
Severity: Critical

Why SDN Exists

Traditional network devices — switches, routers, firewalls — are purpose-built hardware appliances. They perform multiple functions simultaneously, all tightly integrated in one physical box: forwarding packets, making routing decisions, and accepting configuration commands. This integration made sense when every network was physical, but it creates a problem for modern cloud environments: how do you have a "router" or a "firewall" in a data center where there is no physical device to place?

Software Defined Networking (SDN) answers this by separating the different functions of a network device into distinct logical layers — called planes — that can be implemented independently in software. Once the functions are separated, each can be coded as software and run on commodity hardware or in a cloud environment. The physical device becomes optional; the functions it performed become software running on general-purpose compute.

SDN breaks every network device into three planes of operation:

The Data Plane — Infrastructure Layer

The data plane is where actual network traffic is processed and forwarded. It is the "doing" layer — when a packet arrives at a device, the data plane handles the mechanics of moving it forward. Everything in the data plane happens at high speed with minimal decision-making: the decision about where to send traffic has already been made by the control plane; the data plane simply executes it.

Data plane functions:

  • Frame and packet forwarding: Receiving a packet on one interface and sending it out another. Layer 2 switching (MAC address table lookups), Layer 3 routing (IP forwarding table lookups).
  • Trunking: Handling IEEE 802.1Q VLAN tags — adding tags to frames leaving on trunk ports, stripping tags from frames arriving on access ports.
  • Network Address Translation (NAT): Translating source and destination IP addresses as packets flow through the device — replacing private IP addresses with public ones for internet-bound traffic.
  • Encryption: On devices that perform in-line encryption (VPN concentrators, MACsec-capable switches), the data plane handles the encrypt/decrypt operations on each packet as it flows through.

On a physical switch, the data plane is represented by the front-panel interfaces — the ports that cables plug into. Traffic flows in on one port and out another. That is the data plane in operation.

The Control Plane — Control Layer

The control plane is the decision-making layer. It does not forward traffic itself — instead, it builds and maintains the tables and policies that tell the data plane how to forward traffic. The control plane is the brain; the data plane is the hands.

Control plane functions:

  • Routing table management: Building and maintaining the IP routing table that tells the data plane which outbound interface to use for each destination network. Populated by static routes (manually configured) or dynamic routing protocols (OSPF, BGP, EIGRP).
  • Dynamic routing protocol updates: Participating in routing protocol exchanges with neighboring devices — advertising routes, receiving routes, calculating best paths, and updating the routing table accordingly.
  • MAC address table (CAM table): On a Layer 2 switch, learning and storing the mapping between MAC addresses and switch ports so that frames can be forwarded directly to the correct port rather than flooded.
  • NAT translation tables: Maintaining the state of active NAT translations so that return traffic from an external destination can be correctly translated back to the internal host that initiated the connection.
  • Session tables: On stateful firewalls and routers, maintaining records of active sessions so that traffic belonging to established connections is handled correctly.

The Management Plane — Application Layer

The management plane is the configuration and administrative interface layer. It is how network administrators interact with the device to define its behavior — setting up routing protocols, creating VLANs, writing ACLs, updating firmware, and monitoring device health. Changes made in the management plane flow down to update the control plane's tables, which in turn change how the data plane forwards traffic.

Management plane interfaces:

  • SSH (Secure Shell): CLI access to the device's command-line interface. Standard for Cisco IOS, Junos, and most enterprise network operating systems. Encrypted command-line session for configuration and monitoring.
  • Web browser (HTTPS): GUI-based management interface provided by many devices — firewalls (Palo Alto, Fortinet), wireless controllers, and appliances with web consoles.
  • API (Application Programming Interface): Programmatic access for automation — Netconf, RESTCONF, and vendor-specific REST APIs that allow scripts and orchestration tools to configure network devices at scale. Essential for SDN controllers and infrastructure-as-code workflows.
  • SNMP (Simple Network Management Protocol): Used for monitoring — reading device status, interface statistics, and operational data. SNMP v3 with authentication and encryption is required; earlier versions transmit community strings in plaintext.
Management plane security: The management plane is a high-value target — an attacker with management plane access can reconfigure the device to remove ACLs, create backdoor routes, or disable security features. Management interfaces should be accessible only from a dedicated management VLAN, protected with MFA, using encrypted protocols (SSH/HTTPS, not Telnet/HTTP), and monitored by the SIEM. All configuration changes logged and alerting on out-of-hours activity.

How the Three Planes Work Together — Physical Switch Example

PlanePhysical Location on SwitchWhat It DoesExample Action
Data PlaneFront-panel interfaces — the ports that cables connect toReceives frames on one port; forwards them out another based on the MAC tableFrame arrives on Gi0/1 destined for MAC 00:1A:2B:3C:4D:5E → data plane looks up the MAC table → forwards out Gi0/4
Control PlaneInternal ASICs/CPU — builds and maintains forwarding tablesLearns MAC addresses; runs dynamic routing protocols; builds the tables the data plane usesReceives OSPF Hello on Gi0/24 → control plane processes it → updates routing table → data plane now knows to route 10.0.20.0/24 out Gi0/24
Management PlaneConsole port / management interface / out-of-band managementAccepts administrator configuration commands; stores and applies configurationAdmin SSHes to switch IP → enters "ip route 10.0.30.0 255.255.255.0 10.0.1.1" → management plane stores the config → control plane adds the static route → data plane uses it

SDN and Cloud Networking

The separation of planes is what makes SDN possible — and SDN is what makes cloud networking possible. In a cloud data center, there is no physical router or firewall to configure. Instead, SDN software running on general-purpose servers provides all of these functions: the data plane (packet forwarding), the control plane (routing decisions), and the management plane (API-driven configuration) all exist as software processes.

This enables capabilities that physical hardware cannot match:

  • Dynamic provisioning: A cloud customer can click a button (or make an API call) and immediately create a new virtual firewall between their load balancer and their web servers. There is no hardware to rack, cable, or configure manually — the SDN layer instantiates the firewall in software within seconds.
  • Elastic scaling: As traffic increases, additional virtual network devices can be spawned instantly. When traffic decreases, they can be terminated. Physical hardware cannot scale this way.
  • Infrastructure as Code: Because SDN exposes API-based management plane interfaces, the entire network configuration can be written as code (Terraform, CloudFormation) and deployed through automated pipelines. Every virtual firewall rule, every security group, every routing table — version-controlled and repeatable.
  • Consistent security policy at scale: An SDN controller can push identical security policy to thousands of virtual switches simultaneously — a configuration change that would require manually logging into thousands of physical devices is done in one API call.

Example — Cloud SDN provisioning flow:

Initial state: Internet → Load Balancer → Web Server A, Web Server B → Database

Security requirement: add firewalls to control traffic

SDN action (API call or console click):
  Create virtual firewall FW-1 between Internet and Load Balancer
    Rule: PERMIT inbound TCP 80, 443 → DENY ALL ELSE
  Create virtual firewall FW-2 between Web Servers and Database
    Rule: PERMIT src:web-servers TCP 3306 → DENY ALL ELSE

Result: Internet → [FW-1] → Load Balancer → Web A, Web B → [FW-2] → Database
Time to provision both firewalls: seconds
Physical hardware required: none