Security Architecture

Objectives: By the end of this topic, you will be able to…

Identify weaknesses in network and system architecture

Use basic tools to validate network exposures

Apply secure design principles

Propose well-founded structural improvements

Principles of secure architecture

Security architecture consists of applying design principles that protect systems and networks from their conception:

Defense in depth: multiple layers of security. If one fails, another stops the attacker
Separation of privileges: dividing critical functions among different roles or components
Least privilege: each component, process, or user should only have necessary privileges
Minimal exposure: reducing exposed services, open ports, and publicly accessible code
Fail-safe defaults: in case of error, the system defaults to a secure state (deny access)
Continuous auditing: logging security events and monitoring anomalous behaviors

Firewalls: fundamentals and operation

A firewall is a network security system that monitors and controls incoming and outgoing traffic based on predetermined security rules.

Types of firewalls

Type	Description	Example
Packet Filtering (Stateless)	Examines individual packets in isolation by IP, port, protocol	Basic `iptables` rules
Stateful Inspection	Tracks connection state, allows return traffic for established connections	`iptables` with conntrack
Application Layer (L7)	Inspects packet content, understands HTTP/FTP/DNS	WAF, proxy firewalls
Next-Generation (NGFW)	Combines traditional firewall with IPS, DPI, SSL inspection	Palo Alto, FortiGate

Firewall architectures

Bastion Host: single hardened system as the main external contact point
Screened Subnet (DMZ): multiple firewalls creating isolated network zones for public-facing services
Dual-Homed Host: computer with two network interfaces acting as gateway

Firewall rule design principles

Default Deny (recommended): block all traffic by default, explicitly allow only necessary traffic. More secure, requires careful planning, reduces attack surface.

Rule ordering: rules are processed sequentially top to bottom, first match wins.

1. Allow SSH from admin subnet to server
2. Deny SSH from all other sources
3. Allow HTTP/HTTPS from anywhere to web server
4. Allow DNS from internal network to DNS server
5. Deny all other traffic (default deny)

Linux firewall tools

iptables — most common Linux firewall utility:

iptables -A CHAIN -s SOURCE -d DESTINATION -p PROTOCOL --dport PORT -j ACTION

ufw — user-friendly frontend for iptables (default on Ubuntu). firewalld — dynamic manager with zones and services (default on CentOS/RHEL). nftables — modern replacement for iptables with better performance.

Network zones (segmentation)

Zone	Description
Public zone	Accessible from the internet (public web servers)
DMZ	Intermediate between internal network and outside, hosts public-facing services
Internal zone (intranet)	Private network with restricted access for sensitive data
Management zone	Exclusive network for system administration with strict access controls

Each zone is separated by firewalls allowing differentiated policies.

Access control models

Model	Description
DAC	Owner decides who has access. Flexible but error-prone
MAC	Centrally defined policies based on security classifications
RBAC	Access defined by roles (e.g., “auditor” role has specific permissions)

Secure network design

Best practices:

Use of perimeter and internal firewalls
Network segmentation by function and sensitivity
VPN for secure remote access
Disabling unnecessary services and applying ACLs
Isolation of critical services (databases, auth servers)
Redundancy and fault tolerance
Regular updates and patches
IDS/IPS systems alongside firewalls
Regular firewall rule audits
Centralized logging and monitoring

Common architectural failures

Lack of segmentation: everything on a single network; lateral movement is trivial
Unnecessary access: services or users with more permissions than required
Exposure of internal services: databases or admin panels accessible from internet
Lack of monitoring: intrusion attempts go undetected
Poor default configuration: default passwords, unnecessary enabled services
No firewall or misconfigured firewall: fundamental security control missing
Single layer of defense: relying only on perimeter firewall

Hands-on lab

Requirements: 3 Kali Linux VMs (firewall/gateway, web server, attacker)

Part 1: Firewall fundamentals and planning

Analyze the provided network diagram and answer:
- What traffic should be allowed from internet to internal servers?
- What should be blocked between internal zones?
- What ports need to be open?
- What default policies should apply?
Design a firewall rule table with: Rule #, Source, Destination, Port/Protocol, Action, Justification

Part 2: Firewall implementation and testing

Configure firewall VM with iptables:

# Enable IP forwarding
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
 
# Default policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
 
# Allow loopback and established connections
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
# Allow SSH from admin subnet
sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
 
# Allow HTTP/HTTPS to web server
sudo iptables -A FORWARD -p tcp --dport 80 -d <webserver_IP> -j ACCEPT
sudo iptables -A FORWARD -p tcp --dport 443 -d <webserver_IP> -j ACCEPT

Start web server on VM2:

sudo systemctl start apache2

Test from attacker VM:

nc -zv <webserver_IP> 80
nmap -sT -p 1-1000 <webserver_IP>
curl http://<webserver_IP>

Part 3: Advanced rules and attack simulation

Implement rate limiting and scan protection:

# SSH brute force protection
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
 
# Anti-scan rules
sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 
# Logging
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "

Launch attacks from VM3 and verify protection:

sudo nmap -sS -T4 <target_IP>
hydra -l root -P /usr/share/wordlists/rockyou.txt.gz ssh://<target_IP>

Monitor in real-time:

sudo tail -f /var/log/kern.log | grep IPT
watch -n 1 'sudo iptables -L -v -n'

Submission

Initial firewall rule table with justifications
Command history from all three VMs
Screenshots of scans before/after firewall, blocked attacks, allowed traffic
Short report (2-3 pages): architecture, attacks attempted, firewall responses, recommendations

Key concepts

Term	Definition
Firewall	System that monitors and controls network traffic based on rules
DMZ	Intermediate network zone that hosts isolated public-facing services
RBAC	Access control based on roles assigned to users
DAC	Access control where the owner decides who has access
iptables	Linux utility for configuring firewall rules
IPS	Intrusion detection and prevention systems

Test yourself

Design: Draw a network architecture with a DMZ, internal zone, and management zone. Where would you place firewalls and what rules would you apply between each zone?
iptables: Write the iptables rules needed to: allow incoming HTTP/HTTPS, block all SSH access except from 10.0.0.0/8, and deny everything else.
Failures: A company has a database server directly accessible from the internet on port 3306. What secure architecture principles is it violating and how would you fix it?

Navigation: ← Previous | Home | Next →

Quartz 4

Explorer

12 - Security Architecture