探討 ka 資安原則運用到企業基礎設施的方法。

1. Infrastructure Considerations

1.1 Device Placement

定義一个網路如何自我保護、通訊佮運作。
ka 分成三个 separate zones：

• Local Area Network(LAN)
• screened subnet
• Wide Area Network(WAN)
  每一个裝置會依伊的資安需求囥 其中一个 zone 內底。

1.2 Security Zone

是網路內底不 款的 segments 抑是 partitions。每一个 zone 有伊家己的資安政策、access controls 佮 trust levels。
主要特點：

• Segmentation
• Data protection
• Access control
• Monitoring and logging
• Isolation
• Compliance
• Incident containment
• Operational efficiency
• Defense in depth

1.3 Attack Surface

包括攻擊者透過網路的點，無得到授權就會得提取、操縱資料抑是打斷網路執行。
主要 attack surface：

• Endpoints
• Network services
• Ports and protocols
• User accounts and credentials
• Third-party integrations
• Cloud services
• Human factor

如何 ka 威脅減到上低：

• Vulnerability assessment
• Access control
• Network segmentation
• Single point of failure
• Security updates
• Strong authentication
• Regular auditing
• Security awareness

1.3 Connectivity

• Scalability
• Security
• Redundancy
• Complexity
• Remote work

1.4 Failure Modes

• fail-closed
• fail-open

1.5 Device Attribute

• Active devices
• Passive devices
• Inline
• Tap/monitor

1.6 Network Appliances

• Jump server
• Proxy server(forward proxy)
  主要功能:
  1. URL filtering
  2. Content filtering
  3. Web page caching
  4. Reverse proxy server
  5. IPS
  6. IDS
  7. Load balancer
     Load balancer 執行伊的責任的方法：
     • Least utilized host
     • Affinity
     • DNS round robin
     • Sensors

1.7 Port Security

限制 access to the switch 的方法：

• Sticky MAC
• Disabling ports
• 802.1x authentication
• Extensible Authentication Protocol(EAP)

1.8 Firewall Types

• Web Application Firewalls(WAFs)
• Unified Threat Management(UTM) systems
• Next-Generation Firewalls(NGFWs)

比較 Layer 4 佮 Layer 7 firewalls

• Layer 4
• Layer 7

2 Secure Communication/Access

無 形式的安全通訊：

2.1 Virtual Private Network(VPN)

2.2 Remote Access

• SSH
• RDP

2.3 Tunneling

• TSL
• IPSec
  一个 IPSec packet 有兩个部分：
  • Authenticated Header(AH)
  • Encapsulated Security Payload(ESP)

2.4 Software-Defined Wide Area Network

2.5 Secure Access Service Edge

3. Selection of Effective Controls

兩種主要的 controls：

• Preventative controls
• Detective controls