Domain 4 Module 4.3

Network Infrastructure

4.3 Network Security Infrastructure

Why this module matters

Security is not only about protocols and threats. It is also about the environment where systems run, the architecture that connects them, and the cloud responsibility model that determines who must secure what. In real organizations, infrastructure failures, weak segmentation, and misunderstood cloud responsibility are frequent sources of risk.

This lesson explains on-premises resilience, network architecture patterns, VPNs, zero trust, NAC, IoT security, and cloud service models.

Learning goals

By the end of this lesson, you should be able to:

  1. Describe the major parts of on-premises infrastructure.
  2. Explain environmental and power controls.
  3. Compare fire suppression approaches.
  4. Explain segmentation, DMZs, VLANs, and micro-segmentation.
  5. Compare site-to-site and remote-access VPNs.
  6. Explain zero trust, defense in depth, and NAC/802.1X.
  7. Compare SaaS, PaaS, and IaaS.
  8. Explain the shared responsibility model.
  9. Distinguish public, private, hybrid, and multi-cloud deployments.
  10. Understand SLA uptime calculations.

On-Premises Infrastructure

On-premises environments are managed by the organization itself. The organization controls the physical building, the network gear, the servers, and much of the operational risk.

Power protection

| Component | Purpose | Security/availability value |
|---|---|---|
| UPS | Provides short-term battery backup | Prevents abrupt shutdowns, gives time for graceful power-down |
| Generator | Provides longer-duration backup power | Keeps critical systems online during outages |
| PDU | Distributes electrical power to devices | Organizes and manages rack power delivery |
| Redundant feeds | Multiple power sources to a device or rack | Reduces single points of failure |

Why power matters

When power fails unexpectedly, systems may crash, files may corrupt, and security logs may be lost. Availability is a security goal too.

Analogy:

A UPS is like a battery backup for a hospital monitor. It is not meant to run forever, but it buys time to transition safely.

Data centers

Data centers are controlled facilities designed for uptime, physical protection, and environmental stability.

Common data center features:

  • Controlled access
  • Redundant power
  • Cooling systems
  • Fire suppression
  • Network diversity
  • Monitoring and logging

HVAC

HVAC controls heating, ventilation, and air conditioning. Servers generate heat continuously, so temperature and humidity matter.

Typical target range:

  • Temperature: 68-72 F (about 20-22 C)
  • Humidity: 40-60%

Why this matters:

  • Too hot can cause failures and shorten hardware life.
  • Too cold or too dry can increase static risk.
  • Too humid can lead to condensation and equipment damage.

Fire suppression

Fire suppression systems are designed to detect and extinguish fire while minimizing damage to equipment.

| Type | How it works | Strengths | Cautions |
|---|---|---|---|
| Wet pipe | Pipes are filled with water | Simple and common | Water can damage electronics |
| Dry pipe | Pipes fill with water only after detection | Better in cold areas | More mechanical complexity |
| Pre-action | Requires detection before water enters pipes | Reduces accidental discharge | More complex; often used in server rooms |
| Clean agent | Uses gas-like suppression agents such as FM-200 | Minimal residue; equipment-friendly | Must be designed carefully |
| CO2 | Displaces oxygen | Effective on electrical fires | Dangerous to humans; evacuation required |

Fire suppression caution

CO2 systems are effective but dangerous because they reduce oxygen. They should only be used in environments where people are not present or where evacuation systems are robust.

Exam tip: Clean agent systems are preferred for data centers because they suppress fire without leaving damaging residue.

Redundancy and resilience

Redundancy means having extra components so one failure does not cause a major outage.

Examples:

  • Duplicate power supplies
  • Redundant network links
  • Multiple servers behind a load balancer
  • RAID storage systems
  • Backup generators

RAID

RAID improves storage resilience by distributing or duplicating data across multiple drives.

Important idea:

  • RAID improves availability and fault tolerance.
  • RAID is not a backup by itself.

MOU and MOA

Memorandum of Understanding (MOU) and Memorandum of Agreement (MOA) are formal documents that define cooperation, expectations, and responsibilities between parties.

Why this matters:

  • They can support shared service operations.
  • They clarify who does what during outages or maintenance.

Analogy:

An MOU/MOA is like a written understanding between two organizations that share a facility or service relationship.


Network Design

Good network design reduces attack surface, limits lateral movement, and improves visibility.

Segmentation

Segmentation divides a network into smaller zones based on trust or function.

Why segment:

  • Contain breaches
  • Protect sensitive systems
  • Reduce broadcast traffic
  • Improve policy enforcement

Common zones:

  • User network
  • Server network
  • Guest network
  • Management network
  • OT/IoT network

DMZ

A demilitarized zone is a buffer network that separates public-facing services from the internal network.

Dual-firewall architecture

In a dual-firewall design, one firewall separates the Internet from the DMZ and another separates the DMZ from the internal network.

Why this matters:

  • Public services are isolated from internal assets.
  • If a web server in the DMZ is compromised, the attacker still faces a second barrier.

DMZ analogy:

Think of a storefront lobby between the street and the private office area. Customers can enter the lobby, but not the secure back office.
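
The dual-firewall design above can be checked mechanically by comparing permit rules with the intended zone-to-zone flows. The following is an added example, not part of the original course material; the addresses, ports, rule format, and allowed-flow matrix are all constructed assumptions.

```python
from ipaddress import ip_network

# Constructed addressing for a dual-firewall layout (all values are assumptions).
ZONES = {"dmz": ip_network("192.0.2.0/24"), "internal": ip_network("10.0.0.0/8")}

# Intended zone-to-zone flows: (source zone, destination zone) -> allowed ports.
ALLOWED = {
    ("internet", "dmz"): {443},
    ("internal", "dmz"): {22, 443},
    ("dmz", "internal"): {5432},      # web tier to one database port only
    ("internal", "internet"): {443},
}

# Constructed permit/deny rules collected from both firewalls.
RULES = [
    {"id": 1, "action": "permit", "src": "0.0.0.0/0", "dst": "192.0.2.10/32", "port": 443},
    {"id": 2, "action": "permit", "src": "192.0.2.10/32", "dst": "10.0.5.20/32", "port": 5432},
    {"id": 3, "action": "permit", "src": "0.0.0.0/0", "dst": "10.0.5.20/32", "port": 5432},
    {"id": 4, "action": "permit", "src": "192.0.2.0/24", "dst": "10.0.0.0/8", "port": 3389},
    {"id": 5, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": 0},
]

def zones_of(cidr):
    """Return every zone a CIDR touches; 0.0.0.0/0 touches all of them."""
    net = ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("internet")           # some of the range lies outside our zones
    return hit

def audit(rules):
    """List (rule id, src zone, dst zone, port) for permits the design forbids."""
    findings = []
    for rule in rules:
        if rule["action"] != "permit":
            continue
        for src in sorted(zones_of(rule["src"])):
            for dst in sorted(zones_of(rule["dst"])):
                allowed = ALLOWED.get((src, dst), set())
                if src != dst and rule["port"] not in allowed:
                    findings.append((rule["id"], src, dst, rule["port"]))
    return findings
```

The audit treats every permit rule independently and ignores rule ordering, so a finding means the rule text allows a flow the design forbids, not that traffic necessarily passes both firewalls.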

VLANs

Virtual LANs create logical Layer 2 segmentation on the same physical switch infrastructure.

Benefits:

  • Isolate departments or device types
  • Reduce broadcast scope
  • Improve policy enforcement

Limitations:

  • VLANs are logical, so they depend on correct configuration.
  • VLANs alone are not enough for strong security.

Micro-segmentation

Micro-segmentation creates very small trust zones, sometimes down to individual workloads or applications.

Why it matters:

  • Limits lateral movement
  • Supports zero trust designs
  • Protects east-west traffic inside the data center or cloud

Zero trust

Zero trust means never trust by default, always verify.

Core ideas:

  • Assume breach
  • Verify explicitly
  • Enforce least privilege
  • Continuously evaluate trust

Zero trust does not mean no trust anywhere. It means trust is dynamic and must be earned repeatedly.

Defense in depth

Defense in depth uses multiple overlapping controls so failure of one layer does not mean total compromise.

Example layers:

  1. Physical security
  2. Network segmentation
  3. Firewall rules
  4. Endpoint protection
  5. Authentication and MFA
  6. Logging and SIEM

NAC and 802.1X

Network Access Control (NAC) decides whether a device can connect to the network based on identity, posture, or policy.

802.1X is a common port-based access control standard used for authentication before granting network access.

Why it matters:

  • Prevents unauthorized devices from joining the network
  • Can enforce posture checks and role-based access

Example:

A company laptop may be allowed onto the corporate VLAN only after authenticating through 802.1X and passing endpoint checks. A personal device may be placed on a guest network instead.
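
The placement decision in that example can be written as a small policy function. This is an added example, not part of the original course material; the VLAN IDs, posture check names, request fields, and the quarantine VLAN for failed posture are assumptions. The returned attributes are the standard RADIUS tunnel attributes (RFC 3580) used for dynamic VLAN assignment.

```python
# Hypothetical VLAN IDs and posture checks for this sketch.
VLANS = {"corporate": 10, "quarantine": 30, "guest": 40}
REQUIRED_POSTURE = ("disk_encrypted", "edr_running", "os_patched")

def nac_decision(request):
    """Decide network placement for one 802.1X authentication request."""
    if not request.get("auth_ok"):
        # No valid identity: the switch port stays unauthorized.
        return {"result": "Access-Reject", "reason": "802.1X authentication failed"}

    if not request.get("managed"):
        # Valid user on a personal device: guest network only.
        zone, reason = "guest", "authenticated but not a managed device"
    else:
        posture = request.get("posture", {})
        failed = [check for check in REQUIRED_POSTURE if not posture.get(check)]
        if failed:
            # Assumption: failed endpoint checks lead to a remediation VLAN.
            zone, reason = "quarantine", "posture failed: " + ", ".join(failed)
        else:
            zone, reason = "corporate", "managed device, posture ok"

    return {
        "result": "Access-Accept",
        "zone": zone,
        "reason": reason,
        # RFC 3580 attributes that tell the switch which VLAN to place the port in.
        "attributes": {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(VLANS[zone]),
        },
    }

# Constructed requests: a healthy company laptop and a personal phone.
LAPTOP = {"auth_ok": True, "managed": True,
          "posture": {"disk_encrypted": True, "edr_running": True, "os_patched": True}}
PHONE = {"auth_ok": True, "managed": False}
```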

IoT security

IoT devices often have limited interfaces, weak update mechanisms, and long lifecycles.

Risks:

  • Default passwords
  • Poor patching
  • Vendor lock-in
  • Insecure protocols
  • Weak segmentation

Best practices:

  • Put IoT on isolated networks
  • Change default credentials
  • Update firmware
  • Disable unnecessary services
  • Monitor traffic for anomalies

Exam tip: Micro-segmentation and zero trust reduce lateral movement. NAC/802.1X controls who gets on the network in the first place.


VPNs

A VPN creates an encrypted tunnel over an untrusted network.

Site-to-site VPN

A site-to-site VPN connects two networks, such as a headquarters office and a branch office.

Use case:

  • Permanent connection between locations
  • Secure traffic between corporate sites

Remote-access VPN

A remote-access VPN connects an individual user or device to the corporate network.

Use case:

  • Home workers
  • Traveling employees
  • Temporary secure access

IPSec vs SSL VPN

| Type | Typical use | Strengths |
|---|---|---|
| IPSec | Often site-to-site, but also remote access | Strong network-layer security |
| SSL VPN | Often remote access through a browser or client | Easier for users, app-friendly |

IPSec

IPSec protects IP traffic and is commonly used for site-to-site tunnels.

SSL VPN

SSL VPNs use TLS encryption (the successor to SSL) to secure remote access sessions. They are often easier for end users because they work well with standard browsers or lightweight clients.

VPN analogy:

A VPN is like driving through a locked tunnel instead of on an open road. Outsiders can see you are traveling, but not the details inside the tunnel.

Exam tip: Site-to-site = network to network. Remote-access = user to network.


Cloud Security Fundamentals

Cloud computing changes the security model because infrastructure is shared and some controls belong to the provider while others belong to the customer.

Service models

| Model | Provider manages | Customer manages | Typical use |
|---|---|---|---|
| SaaS | Application, platform, infrastructure | User data, access, configuration | Email, collaboration, CRM |
| PaaS | Infrastructure, OS, runtime, middleware | App code, data, access | App development and deployment |
| IaaS | Physical hardware, virtualization, base network services | OS, apps, data, configs | Custom servers, flexible infrastructure |

Shared responsibility model

The shared responsibility model says security duties are split between the cloud provider and the customer.

General rule:

  • The provider secures the cloud infrastructure.
  • The customer secures what they put in the cloud.

But the exact split depends on SaaS, PaaS, or IaaS.

Simple responsibility examples

SaaS

The provider handles almost everything. The customer mainly manages users, data, and permissions.

PaaS

The provider secures the platform, while the customer secures their application and data.

IaaS

The provider secures the underlying infrastructure, while the customer must secure the operating system, patches, applications, and data.

Exam tip: The more “as a service” the model is, the more the provider manages.

Deployment models

| Model | Description | Best fit |
|---|---|---|
| Public cloud | Services delivered over shared provider infrastructure | Elastic scale, speed, lower management burden |
| Private cloud | Cloud dedicated to one organization | Higher control, specialized compliance needs |
| Hybrid cloud | Mix of on-premises/private and public cloud | Gradual migration, workload flexibility |
| Multi-cloud | Uses services from multiple cloud providers | Resilience, vendor diversity, specialized services |

Public cloud

Public cloud offers rapid provisioning and broad service catalogs. It is often the easiest place to start.

Private cloud

Private cloud is dedicated to one organization and often used when control or compliance is a priority.

Hybrid cloud

Hybrid cloud blends local and public resources. Sensitive systems may stay on-premises while scalable workloads move to the cloud.

Multi-cloud

Multi-cloud uses more than one provider. This can reduce dependence on a single vendor and support resilience.

Cloud model comparison

| Model | Cost | Control | Complexity |
|---|---|---|---|
| Public | Lower upfront | Lower | Lower to moderate |
| Private | Higher upfront | Higher | Higher |
| Hybrid | Mixed | Mixed | High |
| Multi-cloud | Mixed to high | High flexibility | High |

SLA and Uptime

An SLA, or service level agreement, defines expected service performance, availability, and responsibilities.

Why uptime matters

Even small percentages of downtime can represent significant loss over a year.

Uptime calculations

| SLA | Approximate annual downtime |
|---|---|
| 99.0% | 3.65 days |
| 99.9% | 8.77 hours |
| 99.99% | 52.6 minutes |
| 99.999% | 5.26 minutes |

How to reason about SLA questions

If the exam asks which SLA has the least downtime, choose the highest percentage.

If it asks what 99.9% means in downtime, remember the rough annual value: 8.77 hours.

Exam tip: 99.9% is not “almost perfect.” It still allows about 8.77 hours of downtime per year.


MSP and MSSP

An MSP is a Managed Service Provider. It handles IT services and operations for a client.

An MSSP is a Managed Security Service Provider. It focuses on security services such as monitoring, detection, and incident response support.

Difference

| Provider | Focus | Example services |
|---|---|---|
| MSP | General IT operations | Help desk, patching, infrastructure management |
| MSSP | Security operations | SOC monitoring, SIEM management, threat detection |

Analogy:

  • MSP = outsourced IT operations team
  • MSSP = outsourced security operations team

AI-Enhanced Network Security

AI is increasingly used to support network security operations.

Where AI helps

  • Detecting anomalies in traffic patterns
  • Correlating large numbers of alerts
  • Prioritizing suspicious events
  • Supporting phishing and malware classification
  • Helping analysts investigate faster

Important caution

AI is a tool, not magic. It improves speed and pattern recognition, but it can still produce false positives and false negatives. Human oversight remains necessary.

Example use case

An AI-assisted SIEM may notice that a workstation suddenly begins talking to unusual external IP addresses at odd hours while also sending large amounts of data. That combination may trigger a high-priority investigation.
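
The correlation in that use case can be shown as a rule that rates a host "high" only when all three signals appear together. This is an added example, not part of the original course material and not a machine-learning model; hostnames, addresses, flow records, business hours, and the volume multiplier are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical tuning values for this sketch.
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time
VOLUME_FACTOR = 5               # outbound bytes above 5x the host's usual daily total

# Per-host baseline learned from earlier traffic (constructed).
BASELINE = {
    "ws-17": {"dests": {"198.51.100.10"}, "daily_bytes": 50_000_000},
    "ws-22": {"dests": {"198.51.100.10"}, "daily_bytes": 60_000_000},
    "ws-31": {"dests": {"198.51.100.10"}, "daily_bytes": 40_000_000},
}

# Constructed flow records for one day: (timestamp, host, external dest, bytes out).
FLOWS = [
    ("2024-03-05T02:10:00", "ws-17", "203.0.113.77", 400_000_000),
    ("2024-03-05T02:40:00", "ws-17", "203.0.113.78", 350_000_000),
    ("2024-03-05T10:05:00", "ws-22", "198.51.100.10", 900_000_000),
    ("2024-03-05T23:30:00", "ws-31", "203.0.113.80", 20_000),
    ("2024-03-05T09:00:00", "ws-31", "198.51.100.10", 1_000_000),
]

def host_signals(flows, baseline):
    """Return {host: set of signal names} for one day of flows."""
    total = defaultdict(int)
    signals = defaultdict(set)
    for ts, host, dest, nbytes in flows:
        total[host] += nbytes
        if dest not in baseline[host]["dests"]:
            signals[host].add("unusual_destination")
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            signals[host].add("odd_hours")
    for host, nbytes in total.items():
        if nbytes > VOLUME_FACTOR * baseline[host]["daily_bytes"]:
            signals[host].add("high_volume")
    return dict(signals)

def prioritize(flows, baseline):
    """Map each flagged host to a priority; all three signals together rate 'high'."""
    levels = {1: "low", 2: "medium", 3: "high"}
    return {host: levels[len(s)] for host, s in host_signals(flows, baseline).items()}
```

In the sample data, ws-22's large transfer to a known destination during business hours rates only "low", which is how combining signals keeps a single noisy indicator from flooding analysts with alerts.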

Exam tip: AI-enhanced security usually means faster pattern recognition and anomaly detection, not perfect prevention.


Infrastructure Example

Imagine a company with one headquarters office, a branch office, and a small cloud footprint:

  • HQ has a UPS, generator, redundant links, and a clean agent fire suppression system.
  • Public web servers sit in a DMZ behind a dual-firewall setup.
  • Employee laptops must authenticate with 802.1X before joining internal VLANs.
  • Guests use a separate wireless network.
  • Remote workers use SSL VPN.
  • Databases remain in a private cloud or on-premises segment.
  • Logs flow into a SIEM monitored by an MSSP.

That is a strong example of layered infrastructure security.


Exam Tips

  • UPS = short-term battery backup.
  • Generators = long-term power backup.
  • PDUs distribute power in racks.
  • Clean agent systems protect electronics better than water-based systems.
  • CO2 suppression is effective but dangerous to humans.
  • DMZ hosts public-facing services.
  • VLANs are logical Layer 2 segmentation.
  • Micro-segmentation supports zero trust.
  • Site-to-site VPN connects networks; remote-access VPN connects users.
  • SaaS = provider manages most; IaaS = customer manages more.
  • 99.9% uptime is about 8.77 hours of downtime per year.

Practice Questions

  1. What does a UPS provide during a power outage?
  2. Which fire suppression system is most dangerous to humans?
  3. What is the purpose of a DMZ?
  4. What type of VPN connects two office networks?
  5. What does zero trust mean in one phrase?
  6. Which cloud model gives the customer the most control?
  7. What does 99.9% uptime equal approximately per year?
  8. What is the main purpose of NAC or 802.1X?
  9. Which service model leaves the customer mainly responsible for app code and data, but not the platform?
  10. What kind of segmentation reduces lateral movement between workloads?

Answers

  1. ✅ Short-term battery backup
  2. ✅ CO2
  3. ✅ To isolate public-facing services from the internal network
  4. ✅ Site-to-site VPN
  5. ✅ Never trust, always verify
  6. ✅ IaaS / private cloud style control is highest; among service models, IaaS gives the customer the most control
  7. ✅ About 8.77 hours
  8. ✅ To control which devices/users can join the network
  9. ✅ PaaS
  10. ✅ Micro-segmentation